Key login and session metrics

The RESTful monitoring endpoint of the Connect2id server provides several key metrics for user login activity and sessions.

Here are the six most important meters for OpenID Connect sign-on:

authzSessionStore.numSessions

This gauge shows the number of users who are currently being authenticated or asked for consent, that is, from the time an OpenID authentication request is received until a response (success or error) is returned to the client app (or until the configured timeout, if the user doesn’t follow through the login or consent screens).

Example:

{ 
  "version" : "3.0.0",
  "gauges"  : { { "authzSessionStore.numSessions" : { "value" : 1500 },
              ...
              },
  ...
}

This gauge is for the entire Connect2id server cluster.

sessionStore.numSessions

Shows the current number of user sessions. Note that a user may have multiple sessions across their devices and browsers.

Example:

{ 
  "version" : "3.0.0",
  "gauges"  : { { "sessionStore.numSessions" : { "value" : 45000 },
              ...
              },
  ...
}

This gauge is for the entire Connect2id server cluster.

op.idTokenIssues

Meters the issue of ID tokens. This includes ID tokens for OpenID authentication requests (including prompt=none) as well as ID tokens returned for a password or JWT / SAML assertion grant (in case ID tokens are provided for these grant types).

Example:

{ 
  "version" : "3.0.0",
  "meters"  : { { "op.idTokenIssues" : { "count"     : 2,
                                         "m15_rate"  : 0.00220381749348163,
                                         "m1_rate"   : 0.029527305437977176,
                                         "m5_rate"   : 0.006503044431934881,
                                         "mean_rate" : 4.2031348626575445E-4,
                                         "units"     : "events/second"
                                       },
              ...
              },
  ...
}

This meter applies to a single Connect2id server node. To track the cluster-wide total you need to sum the data from all nodes.

authzEndpoint.successfulRequests

Meters successful OpenID authentication requests (including prompt=none).

Example:

{ 
  "version" : "3.0.0",
  "meters"  : { { "authzEndpoint.successfulRequests" : { "count"     : 2,
                                                         "m15_rate"  : 0.00220381749348163,
                                                         "m1_rate"   : 0.029527305437977176,
                                                         "m5_rate"   : 0.006503044431934881,
                                                         "mean_rate" : 4.2031348626575445E-4,
                                                         "units"     : "events/second"
                                                       },
              ...
              },
  ...
}

This meter applies to a single Connect2id server node. To track the cluster-wide total you need to sum the data from all nodes.

authzEndpoint.failedSubjectAuthentications

Meters OpenID authentication requests that failed due to the user entering invalid credentials (e.g. username / password). Keep an eye on this meter as it may reveal attacks to brute force passwords. To protect against such attacks it’s good practice to provision a captcha test, a rate limiter and / or two-factor authentication.

This meter applies to a single Connect2id server node. To track the cluster-wide total you need to sum the data from all nodes.

Example:

{ 
  "version" : "3.0.0",
  "meters"  : { { "authzEndpoint.failedSubjectAuthentications" : { "count"     : 2,
                                                                   "m15_rate"  : 0.00220381749348163,
                                                                   "m1_rate"   : 0.029527305437977176,
                                                                   "m5_rate"   : 0.006503044431934881,
                                                                   "mean_rate" : 4.2031348626575445E-4,
                                                                   "units"     : "events/second"
                                                                 },
              ...
              },
  ...
}

authzEndpoint.consentDenials

Meters OpenID authentication requests that failed due to denied user consent.

Example:

{ 
  "version" : "3.0.0",
  "meters"  : { { "authzEndpoint.consentDenials" : { "count"     : 2,
                                                     "m15_rate"  : 0.00220381749348163,
                                                     "m1_rate"   : 0.029527305437977176,
                                                     "m5_rate"   : 0.006503044431934881,
                                                     "mean_rate" : 4.2031348626575445E-4,
                                                     "units"     : "events/second"
                                                   },
              ...
              },
  ...
}

This meter applies to a single Connect2id server node. To track the cluster-wide total you need to sum the data from all nodes.