Key login metrics
Here are six key OpenID Connect and user session metrics which can be obtained from the monitoring endpoint of the Connect2id server.
authzSessionStore.numSessions
This gauge shows the number of users who are currently being authenticated or asked for consent, that is, from the time an OpenID authentication request is received until a response (success or error) is returned to the client app (or until the configured timeout, if the user doesn’t follow through the login or consent screens).
Example:
{
"version" : "3.0.0",
"gauges" : { "authzSessionStore.numSessions" : { "value" : 1500 },
...
},
...
}
This gauge applies to the entire Connect2id server cluster.
sessionStore.numSessions
Shows the current number of user sessions. Note that a user may have multiple sessions across their devices and browsers.
Example:
{
"version" : "3.0.0",
"gauges" : { "sessionStore.numSessions" : { "value" : 45000 },
...
},
...
}
This gauge applies to the entire Connect2id server cluster.
op.idTokenIssues
Meters the issue of ID tokens. This includes ID tokens issued in response to
regular OpenID authentication requests (including prompt=none
) as well as any
ID tokens returned for a password or JWT / SAML 2.0 assertion grant.
Example:
{
"version" : "3.0.0",
"meters" : { "op.idTokenIssues" : { "count" : 2,
"m15_rate" : 0.00220381749348163,
"m1_rate" : 0.029527305437977176,
"m5_rate" : 0.006503044431934881,
"mean_rate" : 4.2031348626575445E-4,
"units" : "events/second"
},
...
},
...
}
This meter applies to a single Connect2id server node. To track the cluster-wide total you need to aggregate the metered data from all nodes.
authzEndpoint.successfulRequests
Meters successful OpenID authentication requests (including prompt=none
).
Example:
{
"version" : "3.0.0",
"meters" : { "authzEndpoint.successfulRequests" : { "count" : 2,
"m15_rate" : 0.00220381749348163,
"m1_rate" : 0.029527305437977176,
"m5_rate" : 0.006503044431934881,
"mean_rate" : 4.2031348626575445E-4,
"units" : "events/second"
},
...
},
...
}
This meter applies to a single Connect2id server node. To track the cluster-wide total you need to sum the data from all nodes.
authzEndpoint.failedSubjectAuthentications
Meters the OpenID authentication requests that failed due to the user entering invalid credentials (e.g. username / password). Keep an eye on this meter as it may reveal attacks to brute force passwords. To protect against such attacks it’s good practice to provision a captcha test, a rate limiter and / or second factor for authentication.
This meter applies to a single Connect2id server node. To track the cluster-wide total you need to aggregate the metered data from all nodes.
Example:
{
"version" : "3.0.0",
"meters" : { "authzEndpoint.failedSubjectAuthentications" : { "count" : 2,
"m15_rate" : 0.00220381749348163,
"m1_rate" : 0.029527305437977176,
"m5_rate" : 0.006503044431934881,
"mean_rate" : 4.2031348626575445E-4,
"units" : "events/second"
},
...
},
...
}
authzEndpoint.consentDenials
Meters the OpenID authentication requests that failed due to denied user consent.
Example:
{
"version" : "3.0.0",
"meters" : { "authzEndpoint.consentDenials" : { "count" : 2,
"m15_rate" : 0.00220381749348163,
"m1_rate" : 0.029527305437977176,
"m5_rate" : 0.006503044431934881,
"mean_rate" : 4.2031348626575445E-4,
"units" : "events/second"
},
...
},
...
}
This meter applies to a single Connect2id server node. To track the cluster-wide total you need to aggregate the metered data from all nodes.