Rock Solid Knowledge

Welcome to the blog of identityserver.com hosted by Rock Solid Knowledge, the IdentityServer European Partners, offering commercial support, consultancy and training for IdentityServer 3 & 4, and all things authentication, backed by the creators of IdentityServer themselves.

AdminUI Audit Event Sink
Christopher Myhill Thursday, 07 February, 2019

Today we are pleased to announce the release of the AdminUI Event Sink for IdentityServer.

Following on from the success of the new Audit feature available for AdminUI, we are providing you with the ability to create audit records from your IdentityServer instance.

IdentityServer Events

In addition to the logging system within IdentityServer, there are also a number of predefined events. Events provide a higher level of information beyond that of log output. The information raised by events is structured data about successes and failures, which allows enhanced querying. This is where the Audit feature in AdminUI comes in to help.

How do I get this?

To start feeding the events raised from your IdentityServer into the Audit process within AdminUI, all you need to do is add a reference to the AdminUI Audit Provider for EF and the AdminUI Audit Sink. You can find these packages at:

RSK.Audit.EF

RSK.IdentityServer4.AuditEventSink

As I said earlier, IdentityServer has a number of events built into it; however, they are not automatically surfaced. To enable them you need to add the following options in the Startup file:

services.AddIdentityServer(options =>
{
    options.Events.RaiseSuccessEvents = true;
    options.Events.RaiseFailureEvents = true;
    options.Events.RaiseErrorEvents = true;
});

Now you can use the event sink structure within IdentityServer and funnel the events into the AdminUI Audit process. We do this in the following way:

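// Point the audit provider at the database that holds the AdminUI audit tables.
var dbContextOptionsBuilder = new DbContextOptionsBuilder<AuditDatabaseContext>();
RSK.Audit.AuditProviderFactory auditFactory = new AuditProviderFactory(dbContextOptionsBuilder.UseSqlServer(connectionString).Options);
// Records written through this recorder are attributed to the "IdentityServer" source.
var auditRecorder = auditFactory.CreateAuditSource("IdentityServer");
// Register the sink so IdentityServer passes its raised events to the recorder.
services.AddSingleton<IEventSink>(provider => new AuditSink(auditRecorder));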

Let's review what the code actually does. The initial section of code sets up the AdminUI Audit recorder. This acts as our funnel, directing the events into the audit tables used by AdminUI.

The AuditSink acts as our conduit between the two, accepting the events raised by IdentityServer and funnelling them over to the AdminUI Audit process through the AdminUI Audit recorder.

Event Sink Aggregator

One of the small things missing from the event sink process within IdentityServer is the ability to use more than one sink. As we always like to go that little further, we have also created a sink aggregator, which you can use in the following way:

services.AddSingleton<IEventSink>(provider => new EventSinkAggregator(_loggerFactory.CreateLogger("EventSinkAggregator"))
{
    EventSinks = new List<IEventSink>()
    {
        new AuditSink(auditRecorder),
        new MySecondSink()
    }
});

As you can see from this code, our EventSinkAggregator allows you to have more than one event sink. We also separate them to ensure that one cannot affect the others. So if, for any reason, an event sink raises an exception, we log that information and ensure the remaining event sinks in the aggregator still get notified of the IdentityServer events.

AuditSink Events

When you review the documentation for the existing events raised by IdentityServer (here) you will see that there are a number of useful events which are a great addition to the AdminUI Audit records; however, there are a few which don’t fit in the audit process. The AuditSink will only handle the following events:

  • TokenIssuedSuccessEvent and TokenIssuedFailureEvent
  • UserLoginSuccessEvent and UserLoginFailureEvent
  • UserLogoutSuccessEvent
  • ConsentGrantedEvent and ConsentDeniedEvent
  • GrantsRevokedEvent

If you need to ensure that all events are handled, then we have already seen how easy it is to use the EventSinkAggregator.
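
One way to fill the MySecondSink slot so that events outside the list above are still captured. This is an added example, not code from the RSK packages: the class name UnauditedEventSink is hypothetical, and it assumes the IdentityServer4 and Microsoft.Extensions.Logging packages are referenced.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityServer4.Events;
using IdentityServer4.Services;
using Microsoft.Extensions.Logging;

// Hypothetical second sink (not part of the RSK packages): logs every
// IdentityServer event that the AuditSink does not handle.
public class UnauditedEventSink : IEventSink
{
    // Event types the post lists as handled by AuditSink.
    private static readonly HashSet<Type> HandledByAuditSink = new HashSet<Type>
    {
        typeof(TokenIssuedSuccessEvent), typeof(TokenIssuedFailureEvent),
        typeof(UserLoginSuccessEvent),   typeof(UserLoginFailureEvent),
        typeof(UserLogoutSuccessEvent),
        typeof(ConsentGrantedEvent),     typeof(ConsentDeniedEvent),
        typeof(GrantsRevokedEvent)
    };

    private readonly ILogger<UnauditedEventSink> _logger;

    public UnauditedEventSink(ILogger<UnauditedEventSink> logger)
    {
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
    }

    public Task PersistAsync(Event evt)
    {
        if (evt == null || HandledByAuditSink.Contains(evt.GetType()))
            return Task.CompletedTask; // already covered by the audit trail

        // Failures and errors are logged at Warning so they stand out in review.
        var level = evt.EventType == EventTypes.Success || evt.EventType == EventTypes.Information
            ? LogLevel.Information
            : LogLevel.Warning;

        // Log only envelope fields, never the whole event object, so tokens
        // or other sensitive payload data are not copied into the log.
        _logger.Log(level,
            "IdentityServer event {Name} ({Id}) [{Category}/{EventType}] from {RemoteIp} at {TimeStamp:o}",
            evt.Name, evt.Id, evt.Category, evt.EventType, evt.RemoteIpAddress, evt.TimeStamp);

        return Task.CompletedTask;
    }
}
```

To use it, replace `new MySecondSink()` in the aggregator's EventSinks list with `new UnauditedEventSink(_loggerFactory.CreateLogger<UnauditedEventSink>())`.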
