config: add idp qps config

config/options.go

@@ -139,6 +139,7 @@ type Options struct {
 	// Identity provider refresh directory interval/timeout settings.
 	RefreshDirectoryTimeout  time.Duration `mapstructure:"idp_refresh_directory_timeout" yaml:"idp_refresh_directory_timeout,omitempty"`
 	RefreshDirectoryInterval time.Duration `mapstructure:"idp_refresh_directory_interval" yaml:"idp_refresh_directory_interval,omitempty"`
+	QPS                      float64       `mapstructure:"idp_qps" yaml:"idp_qps"`
 
 	// RequestParams are custom request params added to the signin request as
 	// part of an Oauth2 code flow.
@@ -299,6 +300,7 @@ var defaultOptions = Options{
 	TracingSampleRate:               0.0001,
 	RefreshDirectoryInterval:        10 * time.Minute,
 	RefreshDirectoryTimeout:         1 * time.Minute,
+	QPS:                             1.0,
 
 	AutocertOptions: AutocertOptions{
 		Folder: dataDir(),
@@ -667,6 +669,9 @@ func (o *Options) Validate() error {
 	default:
 	}
 
+	if o.QPS < 1.0 {
+		o.QPS = 1.0
+	}
 	return nil
 }
 

config/options_test.go

@@ -242,6 +242,7 @@ func TestOptionsFromViper(t *testing.T) {
 				},
 				RefreshDirectoryTimeout:  1 * time.Minute,
 				RefreshDirectoryInterval: 10 * time.Minute,
+				QPS:                      1.0,
 				DataBrokerStorageType:    "memory",
 			},
 			false},
@@ -259,6 +260,7 @@ func TestOptionsFromViper(t *testing.T) {
 				Headers:                         map[string]string{},
 				RefreshDirectoryTimeout:         1 * time.Minute,
 				RefreshDirectoryInterval:        10 * time.Minute,
+				QPS:                             1.0,
 				DataBrokerStorageType:           "memory",
 			},
 			false},

docs/reference/readme.md

@@ -699,10 +699,23 @@ Refresh directory interval is the time that pomerium will sync your IDP diretory
 
 :::warning
 
-Use it at your ownn risk, if you set a too low value, you may reach IDP API rate limit.
+Use it at your own risk, if you set a too low value, you may reach IDP API rate limit.
 
 :::
 
+### Identity Provider API Query Per Second
+
+- Environmental Variables: `IDP_QPS`
+- Config File Key: `idp_qps`
+- Type: `float64`
+- Example: `IDP_QPS=1.8`
+- Defaults: `IDP_QPS=1.0`
+
+Limit number of API requests per second to identity provider server. The lowest value is `1.0`, any value less than `1.0`
+has no effect.
+
+Currently, only applying for [okta].
+
 ## Proxy Service
 
 ### Authenticate Service URL
@@ -1258,6 +1271,7 @@ If no certificate is specified, one will be generated and the base64'd public ke
 [base64 encoded]: https://en.wikipedia.org/wiki/Base64
 [environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
 [identity provider]: ../docs/identity-providers/
+[okta]: ../docs/identity-providers/okta.md
 [json]: https://en.wikipedia.org/wiki/JSON
 [letsencrypt]: https://letsencrypt.org/
 [oidc rfc]: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest