(added in v7.0)
OpenTelemetry metrics are run-time measurements that are are intended to provide an indication of overall health and are typically used to show graphs on a dashboard or to set up monitoring rules. When that monitoring reveals issues, traces and logs are used to investigate further. Open Telemetry monitoring tools often provide features to find the traces and logs corresponding to certain metrics.
IdentityServer emits metrics from the IdentityServer middleware and services. Our quick start for the UI also contains metrics that can be used as a starting point for monitoring UI events. The metric counters that IdentityServer emits are designed to not contain any sensitive information. They often are tagged to indicate the source of the events.
These metrics are instrumented by the IdentityServer middleware and services and are intended to describe the overall usage and health of the system. They could provide the starting point for building a metrics dashboard. The high level metrics are created by the the meter named “Duende.IdentityServer”, which is the value of the Duende.IdentityServer.Telemetry.ServiceName constant.
Counter name: tokenservice.operation
Aggregated counter of failed and successful operations. The result tag indicates if an operation succeeded, failed, or caused an internal error. It is expected to have some failures during normal operations. In contrast, operations tagged with a result of internal_error are abnormal and indicate an unhandled exception. The error/success ratio can be used as a very high level health metric.
| Tag | Description |
|---|---|
| error | Error label on errors |
| result | Success, error or internal_error |
| client | Id of client requesting the operation. May be empty. |
Counter name: active_requests
Gauge/up-down counter that shows current active requests that are processed by any IdentityServer endpoint. Note that the pages in the user interface are not IdentityServer endpoints and are not included in this count.
| Tag | Description |
|---|---|
| endpoint | The type name for the endpoint processor |
| path | The path of the request |
These detailed metrics are instrumented by the IdentityServer middleware and services and track usage of specific flows and features. These metrics are created by the meter named “Duende.IdentityServer.Experimental”, which is the value of the Duende.IdentityServer.Telemetry.ServiceName.Experimental constant. The definition and tags of these counters may be changed between releases. Once the counters and tags are considered stable they will be moved to the Duende.IdentityServer.Telemetry.ServiceName meter.
Counter name: tokenservice.api.secret_validation
Number of successful/failed validations of API Secrets.
| Tag | Description |
|---|---|
| api | The Api Id |
| auth_method | Authentication method used |
| error | Error label on errors |
Counter name: tokenservice.backchannel_authentication
Number of successful/failed back channel authentications (CIBA).
| Tag | Description |
|---|---|
| client | The client Id |
| error | Error label on errors |
Counter name: tokenservice.client.config_validation
Number of successful/failed client validations.
| Tag | Description |
|---|---|
| client | The client Id |
| error | Error label on errors |
Counter name: tokenservice.client.secret_validation
Number of successful/failed client secret validations.
| Tag | Description |
|---|---|
| client | The client Id |
| auth_method | The authentication method on success |
| error | Error label on errors |
Counter name: tokenservice.device_authentication
Number of successful/failed device authentications.
| Tag | Description |
|---|---|
| client | The client Id |
| error | Error label on errors |
Counter name: tokenservice.dynamic_identityprovider.validation
Number of successful/failed validations of dynamic identity providers.
| Tag | Description |
|---|---|
| scheme | The scheme name of the provider |
| error | Error label on errors |
Counter name: tokenservice.introspection
Number of successful/failed token introspections.
| Tag | Description |
|---|---|
| caller | The caller of the endpoint, a client id or api id. |
| active | Was the token active? Only sent on success |
| error | Error label on errors |
Counter name: tokenservice.pushed_authorization_request
Number of successful/failed pushed authorization requests.
| Tag | Description |
|---|---|
| client | The client Id |
| error | Error label on errors |
Counter name: tokenservice.resourceowner_authentication
Number of successful/failed resource owner authentications.
| Tag | Description |
|---|---|
| client | The client Id |
| error | Error label on errors |
Counter name: tokenservice.revocation
Number of successful/failed token revocations.
| Tag | Description |
|---|---|
| client | The client Id |
| error | Error label on errors |
Counter name: tokenservice.token_issued
Number of successful/failed token issuance attempts. Note that a token issuance might include multiple actual tokens (id_token, access token, refresh token).
| Tag | Description |
|---|---|
| client | The client Id |
| grant_type | The grant type used |
| authorize_request_type | The authorize request type, if information about it is available |
| error | Error label on errors |
The UI in your IdentityServer host can instrument these events to measure activities that occur during interactive flows, such as user login and logout. These events are not instrumented by the IdentityServer middleware or services because they are the responsibility of the UI. Our templated UI does instrument these events, and you can alter and add metrics as needed to the UI in your context.
Counter name: tokenservice.consent
Consent requests granted or denied. The counters are per scope, so if a user consents to multiple scopes, the counter is increased multiple times, one for each scope. This allows the scope name to be included as a tag without causing an explosion of combination of tags.
| Tag | Description |
|---|---|
| client | The client Id |
| scope | The scope names |
| consent | granted or denied |
Counter name: tokenservice.grants_revoked
Revocation of grants.
| Tag | Description |
|---|---|
| client | The client Id, if grants are revoked only for one client. If not set, the revocation was for all clients. |
Counter names: tokenservice.user_login
Successful and failed user logins.
| Tag | Description |
|---|---|
| client | The client Id, if the login was caused by a request from a client |
| idp | The idp (Asp.Net Core Scheme name) used to log in |
| error | Error label on errors |
Counter name: user_logout
User logout. Note that this is only raised on explicit user logout, not if the session times out. The number of logouts will typically be lower than the number of logins.
| Tag | Description |
|---|---|
| idp | The idp (ASP.NET scheme name) logging out from |