aerogear / keycloak-metrics-spi

Adds a Metrics Endpoint to Keycloak
Apache License 2.0

Cardinality issue with non-existent client #197

Open rekup opened 3 months ago

rekup commented 3 months ago

Description

This extension exposes several metrics about attempted logins to non-existent clients:

The problem is that if some script kiddie scans keycloak they might use any data as client id, which will cause a huge number of metrics:


Expected Behavior

I would expect that this extension only creates metrics for existing clients and maybe exposes one metric which records all the events for non-existent clients.

Environment

Steps to reproduce

  1. Start keycloak with the keycloak-metrics-spi extension
  2. Make an auth request to a non-existent client: https://sso.example.org/auth/realms/my-realm/protocol/openid-connect/auth?client_id=foo&redirect_uri=https%3A%2F%2Ffoo.example.org&response_type=code&state=1234
  3. Check the generated metrics using promql: sum by(__name__, client_id) ({client_id="foo1"})
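As an added illustration (not code from keycloak-metrics-spi or Keycloak itself), a Python sketch of the bounding the reporter asks for: client_id is only used as a label when the realm actually defines that client, and every other value collapses into one placeholder series, so a scan with random client_ids cannot grow the metric set. The event shape, the realm and client names, and the `__unknown__` label are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed placeholder label that replaces any attacker-controlled client_id.
UNKNOWN_CLIENT = "__unknown__"


@dataclass(frozen=True)
class LoginEvent:
    """Minimal stand-in for a Keycloak login event (assumed shape)."""
    realm: str
    client_id: str
    event_type: str  # e.g. "LOGIN" or "LOGIN_ERROR"


def safe_client_label(client_id, known_clients):
    """Return client_id only if the realm defines it, else the shared placeholder."""
    return client_id if client_id in known_clients else UNKNOWN_CLIENT


def aggregate_unbounded(events):
    """Naive counting: every distinct client_id becomes its own series."""
    return Counter((e.realm, e.event_type, e.client_id) for e in events)


def aggregate_bounded(events, known_clients_by_realm):
    """Count per (realm, event_type, client label); unknown clients share one series."""
    counts = Counter()
    for ev in events:
        known = known_clients_by_realm.get(ev.realm, frozenset())
        counts[(ev.realm, ev.event_type, safe_client_label(ev.client_id, known))] += 1
    return counts


def series_count(counts):
    """Number of distinct label combinations, i.e. the cardinality a scrape would see."""
    return len(counts)


# Constructed sample: one legitimate login plus a scan trying 1000 made-up client_ids.
KNOWN_CLIENTS = {"my-realm": frozenset({"account-console", "my-app"})}
SAMPLE_EVENTS = [LoginEvent("my-realm", "my-app", "LOGIN")] + [
    LoginEvent("my-realm", f"foo{i}", "LOGIN_ERROR") for i in range(1000)
]

if __name__ == "__main__":
    print("unbounded series:", series_count(aggregate_unbounded(SAMPLE_EVENTS)))
    print("bounded series:", series_count(aggregate_bounded(SAMPLE_EVENTS, KNOWN_CLIENTS)))
```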

tolleiv commented 1 month ago

@pb82 @aerogear are you open for contributions for this one?