Added diagnostic entry for token issue counts

bhazen · bhazen · commit 4f59161d1827 · 2025-05-27T12:01:04.000-05:00
diff --git a/identity-server/src/IdentityServer/Configuration/DependencyInjection/BuilderExtensions/Core.cs b/identity-server/src/IdentityServer/Configuration/DependencyInjection/BuilderExtensions/Core.cs
@@ -217,6 +217,7 @@ public static IIdentityServerBuilder AddCoreServices(this IIdentityServerBuilder
         builder.Services.AddSingleton<IDiagnosticEntry, RegisteredImplementationsDiagnosticEntry>();
         builder.Services.AddSingleton<IDiagnosticEntry, IdentityServerOptionsDiagnosticEntry>();
         builder.Services.AddSingleton<IDiagnosticEntry, DataProtectionDiagnosticEntry>();
+        builder.Services.AddSingleton<IDiagnosticEntry, TokenIssueCountDiagnosticEntry>();
         builder.Services.AddSingleton<DiagnosticSummary>();
         builder.Services.AddHostedService<DiagnosticHostedService>();
 
diff --git a/identity-server/src/IdentityServer/Licensing/V2/AtomicCounter.cs b/identity-server/src/IdentityServer/Licensing/V2/AtomicCounter.cs
@@ -0,0 +1,11 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+namespace Duende.IdentityServer.Licensing.V2;
+
+internal class AtomicCounter
+{
+    private long _count;
+    public void Increment() => Interlocked.Increment(ref _count);
+    public long Count => _count;
+}
diff --git a/identity-server/src/IdentityServer/Licensing/V2/Diagnostics/DiagnosticEntries/TokenIssueCountDiagnosticEntry.cs b/identity-server/src/IdentityServer/Licensing/V2/Diagnostics/DiagnosticEntries/TokenIssueCountDiagnosticEntry.cs
@@ -0,0 +1,135 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+#nullable enable
+using System.Collections.Concurrent;
+using System.Diagnostics.Metrics;
+using System.Text.Json;
+using Duende.IdentityServer.Models;
+
+namespace Duende.IdentityServer.Licensing.V2.Diagnostics.DiagnosticEntries;
+
+internal class TokenIssueCountDiagnosticEntry : IDiagnosticEntry
+{
+    private readonly ConcurrentDictionary<string, AtomicCounter> _tokenCounts;
+    private readonly MeterListener _meterListener;
+
+    public TokenIssueCountDiagnosticEntry()
+    {
+        _tokenCounts = new ConcurrentDictionary<string, AtomicCounter>([
+            new("Jwt", new AtomicCounter()),
+            new ("Reference", new AtomicCounter()),
+            new ("Refresh", new AtomicCounter()),
+            new("JwtPoPDPoP", new AtomicCounter()),
+            new("ReferencePoPDPoP", new AtomicCounter()),
+            new("JwtPoPmTLS", new AtomicCounter()),
+            new("ReferencePoPmTLS", new AtomicCounter()),
+            new("Id", new AtomicCounter())
+        ]);
+        _meterListener = new MeterListener();
+
+        _meterListener.InstrumentPublished += (instrument, listener) =>
+        {
+            if (instrument.Name == Telemetry.Metrics.Counters.TokenIssued)
+            {
+                listener.EnableMeasurementEvents(instrument);
+            }
+        };
+
+        _meterListener.SetMeasurementEventCallback<long>(HandleLongMeasurementRecorded);
+
+        _meterListener.Start();
+    }
+
+    public Task WriteAsync(Utf8JsonWriter writer)
+    {
+        writer.WritePropertyName("TokenIssueCounts");
+        writer.WriteStartObject();
+
+        foreach (var (tokenType, counter) in _tokenCounts)
+        {
+            writer.WriteNumber(tokenType, counter.Count);
+        }
+
+        writer.WriteEndObject();
+
+        return Task.CompletedTask;
+    }
+
+    private void HandleLongMeasurementRecorded(Instrument instrument, long value, ReadOnlySpan<KeyValuePair<string, object?>> tags, object? state)
+    {
+        if (instrument.Name != Telemetry.Metrics.Counters.TokenIssued)
+        {
+            return;
+        }
+
+        var accessTokenIssued = false;
+        var accessTokenType = AccessTokenType.Jwt;
+        var refreshTokenIssued = false;
+        var proofType = ProofType.None;
+        var identityTokenIssued = false;
+
+        foreach (var tag in tags)
+        {
+            switch (tag.Key)
+            {
+                case Telemetry.Metrics.Tags.AccessTokenType:
+                    if (!Enum.TryParse(tag.Value?.ToString(), out accessTokenType))
+                    {
+                        accessTokenType = AccessTokenType.Jwt;
+                    }
+                    break;
+                case Telemetry.Metrics.Tags.RefreshTokenIssued:
+                    bool.TryParse(tag.Value?.ToString(), out refreshTokenIssued);
+                    break;
+                case Telemetry.Metrics.Tags.ProofType:
+                    if (!Enum.TryParse(tag.Value?.ToString(), out proofType))
+                    {
+                        proofType = ProofType.None;
+                    }
+                    break;
+                case Telemetry.Metrics.Tags.AccessTokenIssued:
+                    bool.TryParse(tag.Value?.ToString(), out accessTokenIssued);
+                    break;
+                case Telemetry.Metrics.Tags.IdTokenIssued:
+                    bool.TryParse(tag.Value?.ToString(), out identityTokenIssued);
+                    break;
+            }
+        }
+
+        if (accessTokenIssued)
+        {
+            switch (proofType)
+            {
+                case ProofType.None when accessTokenType == AccessTokenType.Jwt:
+                    _tokenCounts["Jwt"].Increment();
+                    break;
+                case ProofType.None when accessTokenType == AccessTokenType.Reference:
+                    _tokenCounts["Reference"].Increment();
+                    break;
+                case ProofType.DPoP when accessTokenType == AccessTokenType.Jwt:
+                    _tokenCounts["JwtPoPDPoP"].Increment();
+                    break;
+                case ProofType.DPoP when accessTokenType == AccessTokenType.Reference:
+                    _tokenCounts["ReferencePoPDPoP"].Increment();
+                    break;
+                case ProofType.ClientCertificate when accessTokenType == AccessTokenType.Jwt:
+                    _tokenCounts["JwtPoPmTLS"].Increment();
+                    break;
+                case ProofType.ClientCertificate when accessTokenType == AccessTokenType.Reference:
+                    _tokenCounts["ReferencePoPmTLS"].Increment();
+                    break;
+            }
+        }
+
+        if (refreshTokenIssued)
+        {
+            _tokenCounts["Refresh"].Increment();
+        }
+
+        if (identityTokenIssued)
+        {
+            _tokenCounts["Id"].Increment();
+        }
+    }
+}
diff --git a/identity-server/test/IdentityServer.UnitTests/Licensing/v2/DiagnosticEntries/TokenIssueCountDiagnosticEntryTests.cs b/identity-server/test/IdentityServer.UnitTests/Licensing/v2/DiagnosticEntries/TokenIssueCountDiagnosticEntryTests.cs
@@ -0,0 +1,127 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+using Duende.IdentityServer.Licensing.V2.Diagnostics.DiagnosticEntries;
+using Duende.IdentityServer.Models;
+
+namespace IdentityServer.UnitTests.Licensing.V2.DiagnosticEntries;
+
+public class TokenIssueCountDiagnosticEntryTests
+{
+    private readonly TokenIssueCountDiagnosticEntry _subject = new();
+
+    [Fact]
+    public async Task Should_Count_JwtAccessToken()
+    {
+        IssueToken(true, AccessTokenType.Jwt, false, ProofType.None, false);
+
+        var result = await DiagnosticEntryTestHelper.WriteEntryToJson(_subject);
+
+        result.RootElement.GetProperty("TokenIssueCounts").GetProperty("Jwt").GetInt64().ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Should_Count_JwtReferenceToken()
+    {
+        IssueToken(true, AccessTokenType.Reference, false, ProofType.None, false);
+
+        var result = await DiagnosticEntryTestHelper.WriteEntryToJson(_subject);
+
+        result.RootElement.GetProperty("TokenIssueCounts").GetProperty("Reference").GetInt64().ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Should_Count_JwtDPoPToken()
+    {
+        IssueToken(true, AccessTokenType.Jwt, false, ProofType.DPoP, false);
+
+        var result = await DiagnosticEntryTestHelper.WriteEntryToJson(_subject);
+
+        result.RootElement.GetProperty("TokenIssueCounts").GetProperty("JwtPoPDPoP").GetInt64().ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Should_Count_ReferenceDPoPToken()
+    {
+        IssueToken(true, AccessTokenType.Reference, false, ProofType.DPoP, false);
+
+        var result = await DiagnosticEntryTestHelper.WriteEntryToJson(_subject);
+
+        result.RootElement.GetProperty("TokenIssueCounts").GetProperty("ReferencePoPDPoP").GetInt64().ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Should_Count_JwtMTlsToken()
+    {
+        IssueToken(true, AccessTokenType.Jwt, false, ProofType.ClientCertificate, false);
+
+        var result = await DiagnosticEntryTestHelper.WriteEntryToJson(_subject);
+
+        result.RootElement.GetProperty("TokenIssueCounts").GetProperty("JwtPoPmTLS").GetInt64().ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Should_Count_ReferenceMTlsToken()
+    {
+        IssueToken(true, AccessTokenType.Reference, false, ProofType.ClientCertificate, false);
+
+        var result = await DiagnosticEntryTestHelper.WriteEntryToJson(_subject);
+
+        result.RootElement.GetProperty("TokenIssueCounts").GetProperty("ReferencePoPmTLS").GetInt64().ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Should_Count_RefreshToken()
+    {
+        IssueToken(false, AccessTokenType.Jwt, true, ProofType.None, false);
+
+        var result = await DiagnosticEntryTestHelper.WriteEntryToJson(_subject);
+
+        result.RootElement.GetProperty("TokenIssueCounts").GetProperty("Refresh").GetInt64().ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Should_Count_IdToken()
+    {
+        IssueToken(false, AccessTokenType.Jwt, false, ProofType.None, true);
+
+        var result = await DiagnosticEntryTestHelper.WriteEntryToJson(_subject);
+
+        result.RootElement.GetProperty("TokenIssueCounts").GetProperty("Id").GetInt64().ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Should_Handle_Multiple_Token_Types()
+    {
+        IssueToken(true, AccessTokenType.Jwt, true, ProofType.None, false);
+        IssueToken(true, AccessTokenType.Jwt, false, ProofType.DPoP, false);
+
+        var result = await DiagnosticEntryTestHelper.WriteEntryToJson(_subject);
+
+        var tokenIssueCounts = result.RootElement.GetProperty("TokenIssueCounts");
+        tokenIssueCounts.GetProperty("Jwt").GetInt64().ShouldBe(1);
+        tokenIssueCounts.GetProperty("JwtPoPDPoP").GetInt64().ShouldBe(1);
+        tokenIssueCounts.GetProperty("Refresh").GetInt64().ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Should_Ignore_Non_TokenIssued_Instruments()
+    {
+        Duende.IdentityServer.Telemetry.Metrics.TokenIssuedFailure("ClientId", "GrantType", null, "error");
+
+        var result = await DiagnosticEntryTestHelper.WriteEntryToJson(_subject);
+
+        var tokenIssueCounts = result.RootElement.GetProperty("TokenIssueCounts");
+        tokenIssueCounts.GetProperty("Jwt").GetInt64().ShouldBe(0);
+        tokenIssueCounts.GetProperty("Reference").GetInt64().ShouldBe(0);
+        tokenIssueCounts.GetProperty("JwtPoPDPoP").GetInt64().ShouldBe(0);
+        tokenIssueCounts.GetProperty("JwtPoPmTLS").GetInt64().ShouldBe(0);
+        tokenIssueCounts.GetProperty("ReferencePoPDPoP").GetInt64().ShouldBe(0);
+        tokenIssueCounts.GetProperty("ReferencePoPmTLS").GetInt64().ShouldBe(0);
+        tokenIssueCounts.GetProperty("Refresh").GetInt64().ShouldBe(0);
+    }
+
+    private void IssueToken(bool accessTokenIssued, AccessTokenType accessTokenType, bool refreshTokenIssued,
+        ProofType proofType, bool idTokenIssued) =>
+        Duende.IdentityServer.Telemetry.Metrics.TokenIssued("ClientId", "GrantType", null, accessTokenIssued, accessTokenType, refreshTokenIssued, proofType, idTokenIssued);
+}
