Key login and session metrics
Here are six key OpenID Connect and user session metrics that can be obtained from the monitoring endpoint of the Connect2id server.
authzSessionStore.numSessions
This gauge shows the number of users who are currently being authenticated or asked for consent, that is, from the time an OpenID authentication request is received until a response (success or error) is returned to the client app (or until the configured timeout, if the user doesn't follow through the login or consent screens).
Example:
{
  "version" : "3.0.0",
  "gauges" : {
    "authzSessionStore.numSessions" : { "value" : 1500 },
    ...
  },
  ...
}
This gauge applies to the entire Connect2id server cluster.
sessionStore.numSessions
Shows the current number of user sessions. Note that a user may have multiple sessions across their devices and browsers.
Example:
{
  "version" : "3.0.0",
  "gauges" : {
    "sessionStore.numSessions" : { "value" : 45000 },
    ...
  },
  ...
}
This gauge applies to the entire Connect2id server cluster.
op.idTokenIssues
Meters the issue of ID tokens. This includes ID tokens issued in response to regular OpenID authentication requests (including prompt=none) as well as any ID tokens returned for a password or JWT / SAML 2.0 assertion grant.
Example:
{
  "version" : "3.0.0",
  "meters" : {
    "op.idTokenIssues" : {
      "count" : 2,
      "m15_rate" : 0.00220381749348163,
      "m1_rate" : 0.029527305437977176,
      "m5_rate" : 0.006503044431934881,
      "mean_rate" : 4.2031348626575445E-4,
      "units" : "events/second"
    },
    ...
  },
  ...
}
This meter applies to a single Connect2id server node. To track the cluster-wide total you need to aggregate the metered data from all nodes.
authzEndpoint.successfulRequests
Meters successful OpenID authentication requests (including prompt=none).
Example:
{
  "version" : "3.0.0",
  "meters" : {
    "authzEndpoint.successfulRequests" : {
      "count" : 2,
      "m15_rate" : 0.00220381749348163,
      "m1_rate" : 0.029527305437977176,
      "m5_rate" : 0.006503044431934881,
      "mean_rate" : 4.2031348626575445E-4,
      "units" : "events/second"
    },
    ...
  },
  ...
}
This meter applies to a single Connect2id server node. To track the cluster-wide total you need to sum the data from all nodes.
authzEndpoint.failedSubjectAuthentications
Meters the OpenID authentication requests that failed because the user entered invalid credentials (e.g. username / password). Keep an eye on this meter, as a sustained rise may reveal a password brute-force attack. To protect against such attacks it's good practice to provision a captcha test, a rate limiter and / or a second authentication factor.
This meter applies to a single Connect2id server node. To track the cluster-wide total you need to aggregate the metered data from all nodes.
Example:
{
  "version" : "3.0.0",
  "meters" : {
    "authzEndpoint.failedSubjectAuthentications" : {
      "count" : 2,
      "m15_rate" : 0.00220381749348163,
      "m1_rate" : 0.029527305437977176,
      "m5_rate" : 0.006503044431934881,
      "mean_rate" : 4.2031348626575445E-4,
      "units" : "events/second"
    },
    ...
  },
  ...
}
authzEndpoint.consentDenials
Meters the OpenID authentication requests that failed due to denied user consent.
Example:
{
  "version" : "3.0.0",
  "meters" : {
    "authzEndpoint.consentDenials" : {
      "count" : 2,
      "m15_rate" : 0.00220381749348163,
      "m1_rate" : 0.029527305437977176,
      "m5_rate" : 0.006503044431934881,
      "mean_rate" : 4.2031348626575445E-4,
      "units" : "events/second"
    },
    ...
  },
  ...
}
This meter applies to a single Connect2id server node. To track the cluster-wide total you need to aggregate the metered data from all nodes.
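Summing the per-node meters into cluster-wide totals, as the notes above recommend, and deriving a failed-credential share worth alerting on, as an added example that is not part of the Connect2id documentation or server; the node responses are constructed samples in the endpoint's JSON layout with made-up numbers.

```python
import json

# Meters the page describes as per-node; cluster totals need summing.
PER_NODE_METERS = (
    "op.idTokenIssues",
    "authzEndpoint.successfulRequests",
    "authzEndpoint.failedSubjectAuthentications",
    "authzEndpoint.consentDenials",
)

def _sample(ok, ok_rate, bad, bad_rate):
    # Constructed monitoring response for one node (page's layout, made-up numbers).
    return json.dumps({
        "version": "3.0.0",
        "gauges": {"sessionStore.numSessions": {"value": 45000}},
        "meters": {
            "authzEndpoint.successfulRequests":
                {"count": ok, "m1_rate": ok_rate, "units": "events/second"},
            "authzEndpoint.failedSubjectAuthentications":
                {"count": bad, "m1_rate": bad_rate, "units": "events/second"},
        },
    })

# Three constructed nodes; the third is seeing far more bad-credential failures.
NODE_RESPONSES = [_sample(120, 0.40, 3, 0.01), _sample(80, 0.30, 5, 0.02),
                  _sample(100, 0.30, 42, 0.17)]

def aggregate_meters(responses, names=PER_NODE_METERS):
    """Sum count and m1_rate of each named meter across nodes; a node that
    does not report a meter contributes zero."""
    totals = {n: {"count": 0, "m1_rate": 0.0} for n in names}
    for raw in responses:
        meters = json.loads(raw).get("meters", {})
        for n in names:
            m = meters.get(n)
            if m:
                totals[n]["count"] += m.get("count", 0)
                totals[n]["m1_rate"] += m.get("m1_rate", 0.0)
    return totals

def failed_auth_share(totals):
    """Share of the last minute's authentication traffic (by summed m1_rate)
    that failed on invalid credentials; 0.0 when there is no traffic."""
    ok = totals["authzEndpoint.successfulRequests"]["m1_rate"]
    bad = totals["authzEndpoint.failedSubjectAuthentications"]["m1_rate"]
    return bad / (ok + bad) if ok + bad else 0.0
```

Poll each node's monitoring endpoint, feed the raw bodies to aggregate_meters, and alert when failed_auth_share rises well above its usual baseline rather than on any single node's count.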