Add AuthN/AuthZ metrics (#59557)

Author: MackinnonBuck

src/Http/Authentication.Core/src/AuthenticationCoreServiceCollectionExtensions.cs

@@ -20,10 +20,12 @@ public static IServiceCollection AddAuthenticationCore(this IServiceCollection s
     {
         ArgumentNullException.ThrowIfNull(services);
 
-        services.TryAddScoped<IAuthenticationService, AuthenticationService>();
+        services.AddMetrics();
+        services.TryAddScoped<IAuthenticationService, AuthenticationServiceImpl>();
         services.TryAddSingleton<IClaimsTransformation, NoopClaimsTransformation>(); // Can be replaced with scoped ones that use DbContext
         services.TryAddScoped<IAuthenticationHandlerProvider, AuthenticationHandlerProvider>();
         services.TryAddSingleton<IAuthenticationSchemeProvider, AuthenticationSchemeProvider>();
+        services.TryAddSingleton<AuthenticationMetrics>();
         return services;
     }
 

src/Http/Authentication.Core/src/AuthenticationMetrics.cs

@@ -0,0 +1,204 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Diagnostics;
+using System.Diagnostics.Metrics;
+using System.Runtime.CompilerServices;
+using Microsoft.AspNetCore.Http;
+
+namespace Microsoft.AspNetCore.Authentication;
+
+internal sealed class AuthenticationMetrics
+{
+    public const string MeterName = "Microsoft.AspNetCore.Authentication";
+
+    private readonly Meter _meter;
+    private readonly Histogram<double> _authenticatedRequestDuration;
+    private readonly Counter<long> _challengeCount;
+    private readonly Counter<long> _forbidCount;
+    private readonly Counter<long> _signInCount;
+    private readonly Counter<long> _signOutCount;
+
+    public AuthenticationMetrics(IMeterFactory meterFactory)
+    {
+        _meter = meterFactory.Create(MeterName);
+
+        _authenticatedRequestDuration = _meter.CreateHistogram<double>(
+            "aspnetcore.authentication.authenticate.duration",
+            unit: "s",
+            description: "The authentication duration for a request.",
+            advice: new() { HistogramBucketBoundaries = MetricsConstants.ShortSecondsBucketBoundaries });
+
+        _challengeCount = _meter.CreateCounter<long>(
+            "aspnetcore.authentication.challenges",
+            unit: "{request}",
+            description: "The total number of times a scheme is challenged.");
+
+        _forbidCount = _meter.CreateCounter<long>(
+            "aspnetcore.authentication.forbids",
+            unit: "{request}",
+            description: "The total number of times an authenticated user attempts to access a resource they are not permitted to access.");
+
+        _signInCount = _meter.CreateCounter<long>(
+            "aspnetcore.authentication.sign_ins",
+            unit: "{request}",
+            description: "The total number of times a principal is signed in.");
+
+        _signOutCount = _meter.CreateCounter<long>(
+            "aspnetcore.authentication.sign_outs",
+            unit: "{request}",
+            description: "The total number of times a scheme is signed out.");
+    }
+
+    public void AuthenticatedRequestCompleted(string? scheme, AuthenticateResult? result, Exception? exception, long startTimestamp, long currentTimestamp)
+    {
+        if (_authenticatedRequestDuration.Enabled)
+        {
+            AuthenticatedRequestCompletedCore(scheme, result, exception, startTimestamp, currentTimestamp);
+        }
+    }
+
+    [MethodImpl(MethodImplOptions.NoInlining)]
+    private void AuthenticatedRequestCompletedCore(string? scheme, AuthenticateResult? result, Exception? exception, long startTimestamp, long currentTimestamp)
+    {
+        var tags = new TagList();
+
+        if (scheme is not null)
+        {
+            AddSchemeTag(ref tags, scheme);
+        }
+
+        if (result is not null)
+        {
+            tags.Add("aspnetcore.authentication.result", result switch
+            {
+                { None: true } => "none",
+                { Succeeded: true } => "success",
+                { Failure: not null } => "failure",
+                _ => "_OTHER", // _OTHER is commonly used fallback for an extra or unexpected value. Shouldn't reach here.
+            });
+        }
+
+        if (exception is not null)
+        {
+            AddErrorTag(ref tags, exception);
+        }
+
+        var duration = Stopwatch.GetElapsedTime(startTimestamp, currentTimestamp);
+        _authenticatedRequestDuration.Record(duration.TotalSeconds, tags);
+    }
+
+    public void ChallengeCompleted(string? scheme, Exception? exception)
+    {
+        if (_challengeCount.Enabled)
+        {
+            ChallengeCompletedCore(scheme, exception);
+        }
+    }
+
+    [MethodImpl(MethodImplOptions.NoInlining)]
+    private void ChallengeCompletedCore(string? scheme, Exception? exception)
+    {
+        var tags = new TagList();
+
+        if (scheme is not null)
+        {
+            AddSchemeTag(ref tags, scheme);
+        }
+
+        if (exception is not null)
+        {
+            AddErrorTag(ref tags, exception);
+        }
+
+        _challengeCount.Add(1, tags);
+    }
+
+    public void ForbidCompleted(string? scheme, Exception? exception)
+    {
+        if (_forbidCount.Enabled)
+        {
+            ForbidCompletedCore(scheme, exception);
+        }
+    }
+
+    [MethodImpl(MethodImplOptions.NoInlining)]
+    private void ForbidCompletedCore(string? scheme, Exception? exception)
+    {
+        var tags = new TagList();
+
+        if (scheme is not null)
+        {
+            AddSchemeTag(ref tags, scheme);
+        }
+
+        if (exception is not null)
+        {
+            AddErrorTag(ref tags, exception);
+        }
+
+        _forbidCount.Add(1, tags);
+    }
+
+    public void SignInCompleted(string? scheme, Exception? exception)
+    {
+        if (_signInCount.Enabled)
+        {
+            SignInCompletedCore(scheme, exception);
+        }
+    }
+
+    [MethodImpl(MethodImplOptions.NoInlining)]
+    private void SignInCompletedCore(string? scheme, Exception? exception)
+    {
+        var tags = new TagList();
+
+        if (scheme is not null)
+        {
+            AddSchemeTag(ref tags, scheme);
+        }
+
+        if (exception is not null)
+        {
+            AddErrorTag(ref tags, exception);
+        }
+
+        _signInCount.Add(1, tags);
+    }
+
+    public void SignOutCompleted(string? scheme, Exception? exception)
+    {
+        if (_signOutCount.Enabled)
+        {
+            SignOutCompletedCore(scheme, exception);
+        }
+    }
+
+    [MethodImpl(MethodImplOptions.NoInlining)]
+    private void SignOutCompletedCore(string? scheme, Exception? exception)
+    {
+        var tags = new TagList();
+
+        if (scheme is not null)
+        {
+            AddSchemeTag(ref tags, scheme);
+        }
+
+        if (exception is not null)
+        {
+            AddErrorTag(ref tags, exception);
+        }
+
+        _signOutCount.Add(1, tags);
+    }
+
+    private static void AddSchemeTag(ref TagList tags, string scheme)
+    {
+        tags.Add("aspnetcore.authentication.scheme", scheme);
+    }
+
+    private static void AddErrorTag(ref TagList tags, Exception exception)
+    {
+        tags.Add("error.type", exception.GetType().FullName);
+    }
+}

src/Http/Authentication.Core/src/AuthenticationService.cs

@@ -22,7 +22,11 @@ public class AuthenticationService : IAuthenticationService
     /// <param name="handlers">The <see cref="IAuthenticationHandlerProvider"/>.</param>
     /// <param name="transform">The <see cref="IClaimsTransformation"/>.</param>
     /// <param name="options">The <see cref="AuthenticationOptions"/>.</param>
-    public AuthenticationService(IAuthenticationSchemeProvider schemes, IAuthenticationHandlerProvider handlers, IClaimsTransformation transform, IOptions<AuthenticationOptions> options)
+    public AuthenticationService(
+        IAuthenticationSchemeProvider schemes,
+        IAuthenticationHandlerProvider handlers,
+        IClaimsTransformation transform,
+        IOptions<AuthenticationOptions> options)
     {
         Schemes = schemes;
         Handlers = handlers;
@@ -68,11 +72,7 @@ public virtual async Task<AuthenticateResult> AuthenticateAsync(HttpContext cont
             }
         }
 
-        var handler = await Handlers.GetHandlerAsync(context, scheme);
-        if (handler == null)
-        {
-            throw await CreateMissingHandlerException(scheme);
-        }
+        var handler = await Handlers.GetHandlerAsync(context, scheme) ?? throw await CreateMissingHandlerException(scheme);
 
         // Handlers should not return null, but we'll be tolerant of null values for legacy reasons.
         var result = (await handler.AuthenticateAsync()) ?? AuthenticateResult.NoResult();
@@ -81,7 +81,7 @@ public virtual async Task<AuthenticateResult> AuthenticateAsync(HttpContext cont
         {
             var principal = result.Principal!;
             var doTransform = true;
-            _transformCache ??= new HashSet<ClaimsPrincipal>();
+            _transformCache ??= [];
             if (_transformCache.Contains(principal))
             {
                 doTransform = false;
@@ -94,6 +94,7 @@ public virtual async Task<AuthenticateResult> AuthenticateAsync(HttpContext cont
             }
             return AuthenticateResult.Success(new AuthenticationTicket(principal, result.Properties, result.Ticket!.AuthenticationScheme));
         }
+
         return result;
     }
 
@@ -116,12 +117,7 @@ public virtual async Task ChallengeAsync(HttpContext context, string? scheme, Au
             }
         }
 
-        var handler = await Handlers.GetHandlerAsync(context, scheme);
-        if (handler == null)
-        {
-            throw await CreateMissingHandlerException(scheme);
-        }
-
+        var handler = await Handlers.GetHandlerAsync(context, scheme) ?? throw await CreateMissingHandlerException(scheme);
         await handler.ChallengeAsync(properties);
     }
 
@@ -144,12 +140,7 @@ public virtual async Task ForbidAsync(HttpContext context, string? scheme, Authe
             }
         }
 
-        var handler = await Handlers.GetHandlerAsync(context, scheme);
-        if (handler == null)
-        {
-            throw await CreateMissingHandlerException(scheme);
-        }
-
+        var handler = await Handlers.GetHandlerAsync(context, scheme) ?? throw await CreateMissingHandlerException(scheme);
         await handler.ForbidAsync(properties);
     }
 
@@ -187,14 +178,8 @@ public virtual async Task SignInAsync(HttpContext context, string? scheme, Claim
             }
         }
 
-        var handler = await Handlers.GetHandlerAsync(context, scheme);
-        if (handler == null)
-        {
-            throw await CreateMissingSignInHandlerException(scheme);
-        }
-
-        var signInHandler = handler as IAuthenticationSignInHandler;
-        if (signInHandler == null)
+        var handler = await Handlers.GetHandlerAsync(context, scheme) ?? throw await CreateMissingSignInHandlerException(scheme);
+        if (handler is not IAuthenticationSignInHandler signInHandler)
         {
             throw await CreateMismatchedSignInHandlerException(scheme, handler);
         }
@@ -221,14 +206,8 @@ public virtual async Task SignOutAsync(HttpContext context, string? scheme, Auth
             }
         }
 
-        var handler = await Handlers.GetHandlerAsync(context, scheme);
-        if (handler == null)
-        {
-            throw await CreateMissingSignOutHandlerException(scheme);
-        }
-
-        var signOutHandler = handler as IAuthenticationSignOutHandler;
-        if (signOutHandler == null)
+        var handler = await Handlers.GetHandlerAsync(context, scheme) ?? throw await CreateMissingSignOutHandlerException(scheme);
+        if (handler is not IAuthenticationSignOutHandler signOutHandler)
         {
             throw await CreateMismatchedSignOutHandlerException(scheme, handler);
         }