When setting the maximum number of tokens per client as documented in:
- Set the Maximum Token Count section
More than 5 tokens can be requested even though "max_oauth_token_count" is set to 5 and "max_oauth_token_behaviour" is set to error. Under which circumstances is this count applied? Is it per OTK session or per issued token?
All supported versions of the OTK
The max token count applies to the combination of the resource owner and client credentials. The client_credentials grant type does not require a resource owner, because the client acts on its own behalf. This means that to get a token, you only need to provide the client credentials, that is, the client ID and the secret.
Because the max token value only works for the combination of resource owner + client credentials, it does not work with the client credentials authentication flow.
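The following is an added example, not OTK code: a simplified Python model of the counting rule described above, plus an audit helper that lists clients holding more client_credentials tokens than the limit would otherwise allow. The token records are constructed and the field names (`client_id`, `resource_owner`, `grant`) are hypothetical, not OTK's schema.

```python
from collections import Counter

MAX_OAUTH_TOKEN_COUNT = 5  # value used in the question above

# Constructed token records; field names are hypothetical, not OTK's schema.
SAMPLE_TOKENS = (
    [{"client_id": "app-a", "resource_owner": "alice", "grant": "password"}] * 5
    + [{"client_id": "app-a", "resource_owner": "bob", "grant": "password"}] * 2
    + [{"client_id": "batch-job", "resource_owner": None,
        "grant": "client_credentials"}] * 8
    + [{"client_id": "reporter", "resource_owner": None,
        "grant": "client_credentials"}] * 3
)


def enforced_counts(tokens):
    """Count tokens per (resource owner, client) pair, the key the limit uses."""
    return Counter(
        (t["resource_owner"], t["client_id"])
        for t in tokens
        if t["resource_owner"] is not None
    )


def would_reject(tokens, client_id, resource_owner, limit=MAX_OAUTH_TOKEN_COUNT):
    """Model of the 'error' behaviour: reject only when a resource owner is
    present and that owner + client pair already holds `limit` tokens."""
    if resource_owner is None:
        # client_credentials: no resource owner, so the limit is never applied
        return False
    return enforced_counts(tokens)[(resource_owner, client_id)] >= limit


def unenforced_over_limit(tokens, limit=MAX_OAUTH_TOKEN_COUNT):
    """Clients whose client_credentials token count exceeds the limit.
    These are the cases the max token setting does not stop."""
    counts = Counter(
        t["client_id"] for t in tokens if t["grant"] == "client_credentials"
    )
    return {client: n for client, n in counts.items() if n > limit}


if __name__ == "__main__":
    print("alice/app-a rejected:", would_reject(SAMPLE_TOKENS, "app-a", "alice"))
    print("batch-job rejected:", would_reject(SAMPLE_TOKENS, "batch-job", None))
    print("over limit, not enforced:", unenforced_over_limit(SAMPLE_TOKENS))
```

Running a check like `unenforced_over_limit` against an export of issued tokens gives visibility into client_credentials usage that the max token setting does not limit.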