Add OpenTelemetry diagnostics and metrics

Author: pwelter34

Directory.Packages.props

@@ -7,11 +7,12 @@
     <PackageVersion Include="AssemblyMetadata.Generators" Version="2.2.0" />
     <PackageVersion Include="Bogus" Version="35.6.5" />
     <PackageVersion Include="coverlet.collector" Version="10.0.0" />
-    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.3" />
+    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.7" />
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.5.1" />
     <PackageVersion Include="MinVer" Version="7.0.0" />
     <PackageVersion Include="Scalar.AspNetCore" Version="2.14.9" />
     <PackageVersion Include="Swashbuckle.AspNetCore" Version="10.1.7" />
+    <PackageVersion Include="System.Diagnostics.DiagnosticSource" Version="10.0.7" />
     <PackageVersion Include="xunit" Version="2.9.3" />
     <PackageVersion Include="XUnit.Hosting" Version="4.0.0" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.5" />

README.md

@@ -19,6 +19,7 @@ A flexible and lightweight API key authentication library for ASP.NET Core appli
 - [Usage Patterns](#usage-patterns)
 - [Advanced Customization](#advanced-customization)
 - [OpenAPI/Swagger Integration](#openapiswagger-integration)
+- [OpenTelemetry Support](#opentelemetry-support)
 - [Best Practices](#best-practices)
 - [Troubleshooting](#troubleshooting)
 - [Examples Repository](#examples-repository)
@@ -29,14 +30,15 @@ A flexible and lightweight API key authentication library for ASP.NET Core appli
 
 AspNetCore.SecurityKey provides a complete API key authentication solution for ASP.NET Core applications with support for modern development patterns and best practices.
 
-**Key Features:**
+**Feature List:**
 
 - **Multiple Input Sources** - API keys via headers, query parameters, or cookies
 - **Flexible Authentication** - Works with ASP.NET Core's built-in authentication or as standalone middleware
 - **IP Address Whitelisting** - Restrict API access by IP addresses and network ranges (IPv4 and IPv6)
 - **Extensible Design** - Custom validation and extraction logic support
 - **Rich Integration** - Controller attributes, middleware, and minimal API support
 - **OpenAPI Support** - Automatic Swagger/OpenAPI documentation generation (.NET 9+)
+- **OpenTelemetry Support** - Built-in activities, metrics, tags, and exception events for authentication diagnostics
 - **High Performance** - Minimal overhead with optional caching and timing-attack protection
 - **Multiple Deployment Patterns** - Attribute-based, middleware, or endpoint filters
 
@@ -248,6 +250,7 @@ IP whitelisting is configured using the enhanced configuration format in `appset
 ### Common Use Cases
 
 #### Development Environment
+
 Allow only local development machines:
 
 ```json
@@ -266,6 +269,7 @@ Allow only local development machines:
 ```
 
 #### Corporate Environment
+
 Allow only internal corporate networks:
 
 ```json
@@ -281,7 +285,6 @@ Allow only internal corporate networks:
 }
 ```
 
-
 ### Reverse Proxy Considerations
 
 When running behind a reverse proxy (like nginx, IIS, or cloud load balancers), ensure proper configuration to get the real client IP:
@@ -310,7 +313,6 @@ app.UseSecurityKey();
 4. **Proxy Headers**: Validate that your reverse proxy configuration correctly forwards real client IPs
 5. **Logging**: Monitor failed authentication attempts to detect potential security issues
 
-
 ## Usage Patterns
 
 AspNetCore.SecurityKey supports multiple integration patterns to fit different application architectures and security requirements.
@@ -698,6 +700,62 @@ builder.Services.AddSwaggerGen(options =>
 
 The `SecurityKeyDocumentTransformer` automatically configures the OpenAPI specification to include API key authentication requirements, making it easy for developers to understand and test your API.
 
+## OpenTelemetry Support
+
+AspNetCore.SecurityKey emits tracing and metrics using the built-in .NET diagnostics APIs, so applications can export authentication telemetry with OpenTelemetry without adding a separate instrumentation package.
+
+### Instrumentation Names
+
+Use these stable names when configuring OpenTelemetry:
+
+- **ActivitySource**: `AspNetCore.SecurityKey`
+- **Meter**: `AspNetCore.SecurityKey`
+
+### Telemetry Features
+
+- **Authentication traces** for middleware, endpoint filter, MVC filter, and authentication handler flows
+- **Success and failure result tags** for each authentication attempt
+- **Failure reason tags** for invalid API keys and authentication errors
+- **Hashed API key tags** for tracking key usage without exposing raw keys
+- **Exception events** added to activities when unexpected authentication errors occur
+- **Request counter** for total SecurityKey authentication attempts
+- **Failure counter** for failed SecurityKey authentication attempts
+- **Duration histogram** for authentication latency in milliseconds
+
+### Metrics
+
+| Metric                                | Unit       | Description                                            |
+| ------------------------------------- | ---------- | ------------------------------------------------------ |
+| `securitykey.authentication.requests` | `requests` | Number of SecurityKey authentication requests handled. |
+| `securitykey.authentication.failures` | `failures` | Number of failed SecurityKey authentication requests.  |
+| `securitykey.authentication.duration` | `ms`       | Duration of SecurityKey authentication attempts.       |
+
+### Tags
+
+| Tag                               | Description                                                                    |
+| --------------------------------- | ------------------------------------------------------------------------------ |
+| `securitykey.auth.scheme`         | Authentication scheme name when using the authentication handler.              |
+| `securitykey.auth.result`         | Authentication result, such as `success` or `failure`.                         |
+| `securitykey.auth.failure_reason` | Failure reason, such as `invalid_client` or `authentication_error`.            |
+| `securitykey.auth.pattern`        | Integration pattern, such as `middleware`, `endpoint_filter`, or `mvc_filter`. |
+| `securitykey.api_key.hash`        | SHA-256 hash of the API key for tracking usage without exposing the raw key.   |
+
+### OpenTelemetry Configuration Example
+
+```csharp
+builder.Services.AddOpenTelemetry()
+    .WithTracing(tracing => tracing
+        .AddSource("AspNetCore.SecurityKey")
+        .AddAspNetCoreInstrumentation()
+        .AddOtlpExporter())
+    .WithMetrics(metrics => metrics
+        .AddMeter("AspNetCore.SecurityKey")
+        .AddAspNetCoreInstrumentation()
+        .AddOtlpExporter());
+```
+
+> The example assumes your application already references the OpenTelemetry packages required by the exporters and instrumentation you choose.
+
 ## Best Practices
 
 ### Security Considerations
@@ -708,6 +766,7 @@ The `SecurityKeyDocumentTransformer` automatically configures the OpenAPI specif
 4. **Rate Limiting**: Implement rate limiting to prevent abuse
 5. **IP Whitelisting**: Use IP restrictions for additional security when possible
 6. **Timing Attack Protection**: The library uses cryptographic operations to prevent timing attacks
+7. **Telemetry Hygiene**: Avoid recording raw API keys in custom telemetry tags or logs
 
 ### Configuration Best Practices
 
@@ -721,6 +780,7 @@ The `SecurityKeyDocumentTransformer` automatically configures the OpenAPI specif
 1. **Caching**: Enable caching for authentication results when using custom validators
 2. **Connection Pooling**: Use connection pooling for database-backed validators
 3. **Async Operations**: Leverage async/await patterns for I/O operations
+4. **Observability**: Export SecurityKey traces and metrics with OpenTelemetry to monitor authentication latency and failures
 
 ## Troubleshooting
 

src/AspNetCore.SecurityKey/AspNetCore.SecurityKey.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <TargetFrameworks>net8.0;net9.0;net10.0</TargetFrameworks>
@@ -10,6 +10,10 @@
     <FrameworkReference Include="Microsoft.AspNetCore.App" />
   </ItemGroup>
 
+  <ItemGroup Condition="'$(TargetFramework)' == 'net8.0'">
+    <PackageReference Include="System.Diagnostics.DiagnosticSource" />
+  </ItemGroup>
+
   <ItemGroup Condition="'$(TargetFramework)' == 'net10.0'">
     <PackageReference Include="Microsoft.AspNetCore.OpenApi" />
   </ItemGroup>

src/AspNetCore.SecurityKey/SecurityKeyAuthenticationHandler.cs

@@ -1,3 +1,4 @@
+using System.Diagnostics;
 using System.Security.Claims;
 using System.Text.Encodings.Web;
 
@@ -38,37 +39,108 @@ public SecurityKeyAuthenticationHandler(
     /// </returns>
     protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
     {
-        // Resolve provider when configured; otherwise use the default registration.
-        var keyExtractor = string.IsNullOrEmpty(Options.ProviderServiceKey)
-            ? Context.RequestServices.GetRequiredService<ISecurityKeyExtractor>()
-            : Context.RequestServices.GetRequiredKeyedService<ISecurityKeyExtractor>(Options.ProviderServiceKey);
+        var startTimestamp = 0L;
+        Activity? activity = null;
 
-        // Extract the security key from the request using the configured extractor
-        var securityKey = keyExtractor.GetKey(Context);
+        try
+        {
+            // Resolve provider when configured; otherwise use the default registration.
+            var keyExtractor = string.IsNullOrEmpty(Options.ProviderServiceKey)
+                ? Context.RequestServices.GetRequiredService<ISecurityKeyExtractor>()
+                : Context.RequestServices.GetRequiredKeyedService<ISecurityKeyExtractor>(Options.ProviderServiceKey);
+
+            // Extract the security key from the request using the configured extractor
+            var securityKey = keyExtractor.GetKey(Context);
+
+            // If no security key is provided, return no result
+            if (string.IsNullOrEmpty(securityKey))
+                return AuthenticateResult.NoResult();
+
+            startTimestamp = Stopwatch.GetTimestamp();
+            activity = SecurityKeyDiagnostics.ActivitySource.StartActivity(SecurityKeyDiagnostics.AuthenticationActivityName, ActivityKind.Server);
+
+            activity?.SetTag(SecurityKeyDiagnostics.AuthenticationSchemeTagName, Scheme.Name);
+
+            var ipAddress = keyExtractor.GetRemoteAddress(Context);
+
+            // Resolve provider when configured; otherwise use the default registration.
+            var keyValidator = string.IsNullOrEmpty(Options.ProviderServiceKey)
+                ? Context.RequestServices.GetRequiredService<ISecurityKeyValidator>()
+                : Context.RequestServices.GetRequiredKeyedService<ISecurityKeyValidator>(Options.ProviderServiceKey);
+
+            // Authenticate the security key and get the claims identity
+            var identity = await keyValidator.Authenticate(securityKey, ipAddress, Scheme.Name, Context.RequestAborted);
+            var securityKeyHash = SecurityKeyDiagnostics.ComputeSecurityKeyHash(securityKey);
+
+            if (!identity.IsAuthenticated)
+            {
+                Logger.LogWarning("Invalid security key {SecurityKey} from IP {IPAddress}", securityKey, ipAddress);
+
+                return CompleteAuthentication(
+                    result: InvalidSecurityKey,
+                    activity: activity,
+                    startTimestamp: startTimestamp,
+                    authenticationResult: SecurityKeyDiagnostics.AuthenticationResultFailure,
+                    securityKeyHash: securityKeyHash,
+                    failureReason: SecurityKeyDiagnostics.InvalidSecurityKeyFailureReason);
+            }
 
-        // If no security key is provided, return no result
-        if (string.IsNullOrEmpty(securityKey))
-            return AuthenticateResult.NoResult();
+            // create a user claim for the security key
+            var principal = new ClaimsPrincipal(identity);
+            var ticket = new AuthenticationTicket(principal, Scheme.Name);
 
-        var ipAddress = keyExtractor.GetRemoteAddress(Context);
+            return CompleteAuthentication(
+                result: AuthenticateResult.Success(ticket),
+                activity: activity,
+                startTimestamp: startTimestamp,
+                authenticationResult: SecurityKeyDiagnostics.AuthenticationResultSuccess,
+                securityKeyHash: securityKeyHash);
 
-        // Resolve provider when configured; otherwise use the default registration.
-        var keyValidator = string.IsNullOrEmpty(Options.ProviderServiceKey)
-            ? Context.RequestServices.GetRequiredService<ISecurityKeyValidator>()
-            : Context.RequestServices.GetRequiredKeyedService<ISecurityKeyValidator>(Options.ProviderServiceKey);
+        }
+        catch (Exception ex) when (ex is not OperationCanceledException)
+        {
+            activity?.AddException(ex);
+
+            CompleteAuthentication(
+                result: AuthenticateResult.Fail(ex),
+                activity: activity,
+                startTimestamp: startTimestamp,
+                authenticationResult: SecurityKeyDiagnostics.AuthenticationResultFailure,
+                failureReason: SecurityKeyDiagnostics.AuthenticationErrorFailureReason);
 
-        // Authenticate the security key and get the claims identity
-        var identity = await keyValidator.Authenticate(securityKey, ipAddress, Scheme.Name, Context.RequestAborted);
-        if (!identity.IsAuthenticated)
+            throw;
+        }
+        finally
         {
-            Logger.LogWarning("Invalid security key {SecurityKey} from IP {IPAddress}", securityKey, ipAddress);
-            return InvalidSecurityKey;
+            activity?.Dispose();
         }
+    }
+
+    private static AuthenticateResult CompleteAuthentication(
+        AuthenticateResult result,
+        Activity? activity,
+        long startTimestamp,
+        string authenticationResult,
+        string? securityKeyHash = null,
+        string? failureReason = null)
+    {
+        activity?.SetTag(SecurityKeyDiagnostics.AuthenticationResultTagName, authenticationResult);
+
+        if (securityKeyHash is not null)
+            activity?.SetTag(SecurityKeyDiagnostics.SecurityKeyHashTagName, securityKeyHash);
+
+        if (failureReason is not null)
+            activity?.SetTag(SecurityKeyDiagnostics.AuthenticationFailureReasonTagName, failureReason);
+
+        if (authenticationResult == SecurityKeyDiagnostics.AuthenticationResultFailure)
+            activity?.SetStatus(ActivityStatusCode.Error, failureReason);
 
-        // create a user claim for the security key
-        var principal = new ClaimsPrincipal(identity);
-        var ticket = new AuthenticationTicket(principal, Scheme.Name);
+        SecurityKeyDiagnostics.RecordAuthenticationMetrics(
+            startTimestamp: startTimestamp,
+            authenticationResult: authenticationResult,
+            failureReason: failureReason,
+            securityKeyHash: securityKeyHash);
 
-        return AuthenticateResult.Success(ticket);
+        return result;
     }
 }

src/AspNetCore.SecurityKey/SecurityKeyAuthorizationFilter.cs

@@ -1,3 +1,5 @@
+using System.Diagnostics;
+
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.Extensions.Logging;
@@ -48,12 +50,44 @@ public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
     {
         ArgumentNullException.ThrowIfNull(context);
 
-        var securityKey = _securityKeyExtractor.GetKey(context.HttpContext);
-        var ipAddress = _securityKeyExtractor.GetRemoteAddress(context.HttpContext);
+        using var activity = SecurityKeyDiagnostics.StartAuthenticationActivity(SecurityKeyDiagnostics.MvcFilterAuthenticationPattern);
+        var startTimestamp = Stopwatch.GetTimestamp();
+
+        try
+        {
+            var securityKey = _securityKeyExtractor.GetKey(context.HttpContext);
+            var ipAddress = _securityKeyExtractor.GetRemoteAddress(context.HttpContext);
+
+            if (await _securityKeyValidator.Validate(securityKey, ipAddress))
+            {
+                SecurityKeyDiagnostics.CompleteAuthentication(
+                    activity: activity,
+                    startTimestamp: startTimestamp,
+                    authenticationResult: SecurityKeyDiagnostics.AuthenticationResultSuccess,
+                    securityKey: securityKey);
+
+                return;
+            }
+
+            _logger.LogWarning("Invalid security key {SecurityKey} from IP {IPAddress}", securityKey, ipAddress);
+
+            SecurityKeyDiagnostics.CompleteAuthentication(
+                activity: activity,
+                startTimestamp: startTimestamp,
+                authenticationResult: SecurityKeyDiagnostics.AuthenticationResultFailure,
+                securityKey: securityKey,
+                failureReason: SecurityKeyDiagnostics.InvalidSecurityKeyFailureReason);
 
-        if (await _securityKeyValidator.Validate(securityKey, ipAddress))
-            return;
+            context.Result = new UnauthorizedResult();
+        }
+        catch (Exception ex) when (ex is not OperationCanceledException)
+        {
+            SecurityKeyDiagnostics.RecordAuthenticationException(
+                activity: activity,
+                startTimestamp: startTimestamp,
+                exception: ex);
 
-        context.Result = new UnauthorizedResult();
+            throw;
+        }
     }
 }