-
Notifications
You must be signed in to change notification settings - Fork 10.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add AuthN/AuthZ metrics #59557
base: main
Are you sure you want to change the base?
Add AuthN/AuthZ metrics #59557
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copilot reviewed 5 out of 16 changed files in this pull request and generated 1 comment.
Files not reviewed (11)
- src/Http/Authentication.Core/src/Microsoft.AspNetCore.Authentication.Core.csproj: Language not supported
- src/Http/Authentication.Core/src/PublicAPI.Unshipped.txt: Language not supported
- src/Security/Authentication/test/Microsoft.AspNetCore.Authentication.Test.csproj: Language not supported
- src/Security/Authorization/Core/src/Microsoft.AspNetCore.Authorization.csproj: Language not supported
- src/Security/Authorization/Core/src/PublicAPI/net10.0/PublicAPI.Unshipped.txt: Language not supported
- src/Security/Authorization/Core/src/PublicAPI/net462/PublicAPI.Unshipped.txt: Language not supported
- src/Security/Authorization/Core/src/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt: Language not supported
- src/Security/Authorization/test/Microsoft.AspNetCore.Authorization.Test.csproj: Language not supported
- src/Http/Authentication.Core/src/AuthenticationCoreServiceCollectionExtensions.cs: Evaluated as low risk
- src/Http/Authentication.Core/src/AuthenticationMetrics.cs: Evaluated as low risk
- src/Http/Authentication.Core/src/AuthenticationService.cs: Evaluated as low risk
src/Security/Authorization/Core/src/DefaultAuthorizationService.cs
Outdated
Show resolved
Hide resolved
Looking at this PR from a higher level, what are the main scenarios that people will use these? A bad outcome would be us going through the motions of adding metrics so we can say they're there. We should think about scenarios and make the metrics as useful as possible in real world scenarios. For example, will people use authn/authz metrics to:
I'm not an auth expert so I'd to hear from the folks who work with auth most often. Debugging auth that isn't working, including exceptions, seems like it is the most valable scenario. It would be useful to collect metrics on an app that runs into some of the most common errors that people have with auth and see what can be done to make the output useful for them. For example, in Kestrel from a developer's perspective it's hard to know why a connection was closed. The server knows why, so we have a set of known reasons for closing a connection. When Kestrel records that a connection is closed non-gracefully it includes that known reason as the Applying that idea to authn/authz: common reasons for errors could be included as the
Surfacing up known error reasons from auth handlers might also be useful. For example, would it be valuable for the cookie auth handler to add metadata to a metric that it wasn't able to authenticate the HTTP request because it couldn't decrypt the cookie payload? |
This is good feedback for I don't think histograms are as valuable for challenge, forbid, sign-in and sign-out though. Generally speaking, this are simply setting headers for things like redirects.
I think it's worth differentiating expected error cases like connection closed reasons in Kestrel vs. issues caused by misconfiguration. I consider things like scheme not found and policy name not found to be misconfiguration. If someone were to run into such an error, that should be able to provide repro steps that would allow a developer to try the scenario themselves why the crank up the logging to see what's going on. I don't think we need metrics for these. On the other hand, it would be interesting to have metrics for errors originating from calls to identity providers via the Both of these are specific to remote authentication handlers, so I think it could be addressed in a follow up PR. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a few minor naming suggestions. James share the key point in the comments - these metrics should probably be histograms. Even if it does not make sense, and some should remain counters, the counters should be reported after operation completes and should include the error.type
attribute in case exception has happened.
{ | ||
if (_authorizeCount.Enabled) | ||
{ | ||
var resultTagValue = result.Succeeded ? "success" : "failure"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is it always a boolean flag? E.g. could we add a error.type
or some status differentiating failures?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There could be multiple reasons for a given failure, and each reason is an arbitrary string, so unfortunately I'm not sure we can create distinct categories for failures.
private readonly Counter<long> _signInCount; | ||
private readonly Counter<long> _signOutCount; | ||
|
||
public AuthenticationMetrics(IMeterFactory meterFactory) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it would be great to have a doc describing the meaning and format of each metric and hopefully add them to https://github.com/open-telemetry/semantic-conventions/blob/main/docs/dotnet/dotnet-aspnetcore-metrics.md. Happy to help if necessary.
Thanks for all the feedback, everyone! We had a discussion offline about how to address the feedback here, and this is what we've landed on:
The latest revisions of this PR include these changes.
The current implementation just adds an |
The exception name in Including known errors is what makes something like Metrics are useful when providing an aggregate system view of operations in the app. Telling people to look at the logs to get more information is a solution to someone who needs to debug an error at a particular time, but dev ops folks lose visibility of what the overall cause of errors in auth when looking at thousands of aggreated metrics. Put yourself in their shoes and think about how errors and failures can be categorized, grouped and reported. Because so much of the cause of auth failure is in the handler, I wonder if handler's need an API to specify tags that are then reported on. The higher level AuthenticationService then uses that API to add tags to the metric. If it turns out that categorizing and reporting known failure reasons is more work than we want to invest now then that's fine. But before we decide that we should see what kind of information we could provide, come up with a design and estimate the work it involved. |
We discussed this offline and decided that the current implementation wouldn't block us from adding more detailed error reporting in the future. The authentication handlers provided by ASP.NET Core already have a set of well-known failure reasons (see 1, 2, 3, for example). From these, we could define a set of values for a new
(This is just an example. We would inevitably change or shorten this list in an API review.) We could specify the failure reason either on the We could also consider providing a way to allow handlers to add arbitrary attributes to report, but this may require a more elaborate design (e.g., handlers would need a way of determining whether metrics are enabled before generating custom attributes). Anyway, the conclusion was that we could go ahead with the PR as it stands and address these further items in a follow-up. |
/azp run |
Azure Pipelines successfully started running 3 pipeline(s). |
Looks like this PR hasn't been active for some time and the codebase could have been changed in the meantime. |
Add AuthN/AuthZ metrics
Adds ASP.NET Core authentication and authorization metrics.
Description
This PR adds the following metrics:
Ready to be reviewed, but the counter names, descriptions, and tags need to go through API review before this merges.
Fixes #47603