Logging

Duende User Management uses the standard logging facilities provided by ASP.NET Core (Microsoft.Extensions.Logging). You don’t need any extra configuration to get rich logging out of the box.

For general information on setting up logging, configuring Serilog, and understanding log levels across all Duende products, see the Logging Fundamentals guide.

User Management writes logs under the Duende.UserManagement category. More specific sub-categories exist for individual features:

| Feature | Log category |
|---|---|
| Authentication (general) | Duende.UserManagement.Authentication.Internal |
| Passwords | Duende.UserManagement.Authentication.Passwords.Internal |
| Passkeys | Duende.UserManagement.Authentication.Passkeys.Internal |
| One-Time Passwords (OTP) | Duende.UserManagement.Authentication.Otp.Internal |
| TOTP | Duende.UserManagement.Authentication.Totp.Internal |
| Recovery codes | Duende.UserManagement.Authentication.RecoveryCodes.Internal |
| User profiles | Duende.UserManagement.Profiles.Internal |
| Membership (groups/roles) | Duende.UserManagement.Membership.Internal |
| User import | Duende.UserManagement.Import.Internal |

To enable detailed logging for all User Management components, set the Duende.UserManagement namespace to Debug in your appsettings.json:

appsettings.json

    {
      "Logging": {
        "LogLevel": {
          "Default": "Information",
          "Duende.UserManagement": "Debug"
        }
      }
    }

If you only want to troubleshoot a specific area (for example, passkey authentication), you can target that sub-category:

appsettings.json

    {
      "Logging": {
        "LogLevel": {
          "Default": "Information",
          "Duende.UserManagement.Authentication.Passkeys.Internal": "Debug"
        }
      }
    }

User Management follows the standard Microsoft guidelines for log levels:

  • Information — General flow events like authentication attempts starting, succeeding, or failing. Also covers user profile operations, group/role management, and import progress.
  • Warning — Unexpected situations that don’t stop the application but may need investigation. For example, failing to clean up a consumed passkey challenge, or authentication throttling kicking in.
  • Error — Failures that could not be handled gracefully. For example, a passkey registration that failed to persist, or an optimistic concurrency conflict that could not be resolved on retry.

Here is an overview of the key events that User Management logs, grouped by feature area.

Passwords

  • Authentication attempt started, succeeded, or failed
  • User not found (timing-safe dummy authentication is still performed)
  • Throttling applied by the attempt policy
  • Password re-hashed to a newer algorithm after successful authentication

Passkeys

  • Begin/complete ceremony started, succeeded, or failed
  • Challenge expired or not found
  • Credential not found, user mismatch, or sign count update failures
  • Registration rejected (unauthenticated, duplicate credential, persist failure)

One-Time Passwords (OTP)

  • OTP send started, succeeded, or blocked by rate limiting
  • OTP authentication started, succeeded, or failed (workflow not found, expired, verification failed)
  • Email send success or failure
  • No sender registered for a given address type

TOTP

  • Authentication attempt started, succeeded, or failed
  • User not found (dummy authentication performed)
  • Throttling applied

Recovery codes

  • Authentication attempt started, succeeded, or failed
  • User not found or throttled

User profiles

  • Profile created, found, updated, or not found
  • Profile registration (self-service) succeeded or failed
  • Schema attribute/group added, removed, or reordered

Membership (groups/roles)

  • Group/role created, updated, deleted, or not found
  • Role/group assigned to or removed from a user or group
  • Version conflicts on updates

User import

  • Batch import started and completed (with counts of created, updated, skipped, and failed records)
  • Validation failures and conflict detection
  • Retry attempts

Several authentication flows log when an optimistic concurrency conflict occurs during failed-attempt recording. These are typically at Information level for the first retry and Error if the retry also fails.

Log messages include structured properties that you can use for filtering and correlation in your log sink:

  • subjectId — The user’s subject identifier
  • userName — The username (password authentication)
  • groupId — Group identifier (membership operations)
  • roleId — Role identifier (membership operations)
  • error — Error details for failed ceremonies

These properties appear in the log scope, so structured logging sinks like Seq or Elasticsearch let you filter and search by them.
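
One way to use these scope properties for triage, as an added example that is not part of the Duende documentation: it reads JSON log lines, keeps Warning-and-above events from the Duende.UserManagement.Authentication categories, and counts them per subjectId. The JSON field names (LogLevel, Category, Scopes) and the sample lines are assumptions constructed for illustration; adapt them to the shape your sink actually emits.

```python
import json
from collections import Counter

# Category prefix taken from the table above; the level names follow Microsoft.Extensions.Logging.
AUTH_PREFIX = "Duende.UserManagement.Authentication."
ALERT_LEVELS = {"Warning", "Error", "Critical"}

# Constructed sample lines: messages and values are illustrative, not real Duende output.
SAMPLE_LOG = """\
{"LogLevel":"Information","Category":"Duende.UserManagement.Authentication.Passwords.Internal","Message":"constructed: attempt failed","Scopes":[{"subjectId":"u-100","userName":"alice"}]}
{"LogLevel":"Warning","Category":"Duende.UserManagement.Authentication.Passwords.Internal","Message":"constructed: throttling applied","Scopes":[{"subjectId":"u-100","userName":"alice"}]}
{"LogLevel":"Warning","Category":"Duende.UserManagement.Authentication.Totp.Internal","Message":"constructed: throttling applied","Scopes":[{"subjectId":"u-100"}]}
{"LogLevel":"Error","Category":"Duende.UserManagement.Authentication.Passkeys.Internal","Message":"constructed: persist failure","Scopes":[{"subjectId":"u-200","error":"constructed"}]}
{"LogLevel":"Warning","Category":"Duende.UserManagement.Profiles.Internal","Message":"constructed: version conflict","Scopes":[{"subjectId":"u-300"}]}
not json at all
"""

def scope_props(event):
    """Merge key/value pairs from every scope entry; later (inner) scopes win."""
    merged = {}
    for scope in event.get("Scopes") or []:
        if isinstance(scope, dict):
            merged.update(scope)
    return merged

def auth_alerts_by_subject(lines):
    """Count Warning+ authentication events per subjectId, skipping unparseable lines."""
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON noise in the stream
        if not isinstance(event, dict):
            continue
        if event.get("LogLevel") not in ALERT_LEVELS:
            continue
        if not str(event.get("Category", "")).startswith(AUTH_PREFIX):
            continue
        # Events without a subject are still counted, under a placeholder key.
        subject = scope_props(event).get("subjectId", "<no subjectId>")
        counts[subject] += 1
    return counts

if __name__ == "__main__":
    for subject, n in auth_alerts_by_subject(SAMPLE_LOG.splitlines()).most_common():
        print(f"{subject}\t{n}")
```

The filter relies only on category, level, and scope properties, so it does not depend on the wording of any log message.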