Key login and session metrics

The RESTful monitoring endpoint of the Connect2id server provides several key metrics for user login activity and sessions.

Here are the six most important metrics (gauges and meters) for OpenID Connect sign-on:

authzSessionStore.numSessions

This gauge shows the number of users who are currently being authenticated or asked for consent, that is, from the time an OpenID authentication request is received until a response (success or error) is returned to the client app, or until the configured timeout expires if the user doesn't follow through the login or consent screens.

Example:

{
  "version" : "3.0.0",
  "gauges"  : { "authzSessionStore.numSessions" : { "value" : 1500 },
                ...
              },
  ...
}

This gauge is for the entire Connect2id server cluster.

sessionStore.numSessions

Shows the current number of user sessions. Note that a user may have multiple sessions across their devices and browsers.

Example:

{
  "version" : "3.0.0",
  "gauges"  : { "sessionStore.numSessions" : { "value" : 45000 },
                ...
              },
  ...
}

This gauge is for the entire Connect2id server cluster.

op.idTokenIssues

Meters the issuing of ID tokens. This includes ID tokens for OpenID authentication requests (including prompt=none) as well as ID tokens returned for a password or JWT / SAML assertion grant (in case ID tokens are provided for these grant types).

Example:

{
  "version" : "3.0.0",
  "meters"  : { "op.idTokenIssues" : { "count"     : 2,
                                       "m15_rate"  : 0.00220381749348163,
                                       "m1_rate"   : 0.029527305437977176,
                                       "m5_rate"   : 0.006503044431934881,
                                       "mean_rate" : 4.2031348626575445E-4,
                                       "units"     : "events/second"
                                     },
                ...
              },
  ...
}

This meter applies to a single Connect2id server node. To track the cluster-wide total you need to sum the data from all nodes.

authzEndpoint.successfulRequests

Meters successful OpenID authentication requests (including prompt=none).

Example:

{
  "version" : "3.0.0",
  "meters"  : { "authzEndpoint.successfulRequests" : { "count"     : 2,
                                                       "m15_rate"  : 0.00220381749348163,
                                                       "m1_rate"   : 0.029527305437977176,
                                                       "m5_rate"   : 0.006503044431934881,
                                                       "mean_rate" : 4.2031348626575445E-4,
                                                       "units"     : "events/second"
                                                     },
                ...
              },
  ...
}

This meter applies to a single Connect2id server node. To track the cluster-wide total you need to sum the data from all nodes.

authzEndpoint.failedSubjectAuthentications

Meters OpenID authentication requests that failed because the user entered invalid credentials (e.g. username / password). Keep an eye on this meter, as a sudden rise may reveal a password brute-force attack. To protect against such attacks it's good practice to provision a captcha test, a rate limiter and / or two-factor authentication.

This meter applies to a single Connect2id server node. To track the cluster-wide total you need to sum the data from all nodes.

Example:

{
  "version" : "3.0.0",
  "meters"  : { "authzEndpoint.failedSubjectAuthentications" : { "count"     : 2,
                                                                 "m15_rate"  : 0.00220381749348163,
                                                                 "m1_rate"   : 0.029527305437977176,
                                                                 "m5_rate"   : 0.006503044431934881,
                                                                 "mean_rate" : 4.2031348626575445E-4,
                                                                 "units"     : "events/second"
                                                               },
                ...
              },
  ...
}

authzEndpoint.consentDenials

Meters OpenID authentication requests that failed due to denied user consent.

Example:

{
  "version" : "3.0.0",
  "meters"  : { "authzEndpoint.consentDenials" : { "count"     : 2,
                                                   "m15_rate"  : 0.00220381749348163,
                                                   "m1_rate"   : 0.029527305437977176,
                                                   "m5_rate"   : 0.006503044431934881,
                                                   "mean_rate" : 4.2031348626575445E-4,
                                                   "units"     : "events/second"
                                                 },
                ...
              },
  ...
}

This meter applies to a single Connect2id server node. To track the cluster-wide total you need to sum the data from all nodes.
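The two rules stated above, gauges are cluster-wide while meters are per node and must be summed, and the brute-force check on authzEndpoint.failedSubjectAuthentications, combined in one script. This is an added example, not Connect2id's own code: the two node documents are constructed samples trimmed to the metrics on this page, and the alert thresholds are illustrative assumptions.

```python
import json

# Constructed sample documents from the monitoring endpoint of two nodes,
# trimmed to the meters this page discusses (a real document has many more).
NODE_A = json.loads("""{"version": "3.0.0",
  "gauges": {"authzSessionStore.numSessions": {"value": 1500},
             "sessionStore.numSessions": {"value": 45000}},
  "meters": {"authzEndpoint.successfulRequests": {"count": 120, "m1_rate": 0.40},
             "authzEndpoint.failedSubjectAuthentications": {"count": 3, "m1_rate": 0.01}}}""")
NODE_B = json.loads("""{"version": "3.0.0",
  "gauges": {"authzSessionStore.numSessions": {"value": 1500},
             "sessionStore.numSessions": {"value": 45000}},
  "meters": {"authzEndpoint.successfulRequests": {"count": 110, "m1_rate": 0.35},
             "authzEndpoint.failedSubjectAuthentications": {"count": 950, "m1_rate": 2.50}}}""")

FAILED = "authzEndpoint.failedSubjectAuthentications"
SUCCESS = "authzEndpoint.successfulRequests"


def aggregate(node_docs):
    """Build one cluster view: gauges are already cluster-wide (take the value,
    do not add it up), meters are per node and must be summed."""
    cluster = {"gauges": {}, "meters": {}}
    for doc in node_docs:
        for name, gauge in doc.get("gauges", {}).items():
            # Every node should report the same cluster-wide value; keeping the
            # max is a defensive choice (assumption) in case a node lags behind.
            cluster["gauges"][name] = max(cluster["gauges"].get(name, 0), gauge["value"])
        for name, meter in doc.get("meters", {}).items():
            total = cluster["meters"].setdefault(name, {"count": 0, "m1_rate": 0.0})
            total["count"] += meter["count"]
            total["m1_rate"] += meter["m1_rate"]  # events/second, additive across nodes
    return cluster


def brute_force_alerts(cluster, max_failed_rate=0.5, max_failed_ratio=0.2):
    """Flag password brute forcing from the cluster-wide meters. Thresholds are
    assumptions for illustration; tune them to the real login volume."""
    failed = cluster["meters"].get(FAILED, {"m1_rate": 0.0})["m1_rate"]
    success = cluster["meters"].get(SUCCESS, {"m1_rate": 0.0})["m1_rate"]
    alerts = []
    if failed > max_failed_rate:
        alerts.append(f"failed logins at {failed:.2f}/s exceed {max_failed_rate}/s")
    if failed + success > 0 and failed / (failed + success) > max_failed_ratio:
        alerts.append(f"{failed / (failed + success):.0%} of login attempts fail")
    return alerts
```

Run `brute_force_alerts(aggregate([NODE_A, NODE_B]))` to see both alerts fire on the constructed data, where node B carries a burst of failed logins that node A alone would not reveal.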