Find IdentityServer4 errors in Application Insights

I have the following setup:

  • ASP.NET Core 3.1 application, deployed to an Azure App Service
  • Uses IDS4 via the IdentityServer4.AspNetIdentity package, version 3.1.0
  • In Program.cs it calls .UseApplicationInsights() from Microsoft.ApplicationInsights.AspNetCore version 2.5.1
  • The Default LogLevel is set to Warning
  • My Error.cshtml shows Activity.Current?.Id ?? HttpContext.TraceIdentifier

This properly logs several things from the app service, but I cannot find any errors reported by IDS4 that were on the OpenID/OAuth2 protocol level (e.g. invalid scopes requested and such). For example, I can find stuff like this:

requests
| where cloud_RoleName == 'my-identity-server-4-role'
| order by timestamp desc
| where url contains 'errorId'
| limit 100

And this makes sense because I have some (other) issue with logins, where an implicit flow silent refresh fails and redirects to a problem url a la https://my-identity-domain.example.org/home/error?errorId=some-long-string-here. That page shows me an error page that explains I could turn on DeveloperExceptionPage features on my machine, or I could use:

Request ID: |123aaac2c1cccf4eb3333411aaa183da7e.bba43cca1_

Now I try to find the requests entry in AppInsights by

  • | where id contains "123aaac2c" or
  • | where operation_Id contains "123aaac2c" or
  • | where operation_ParentId contains "123aaac2c" or
  • | where session_Id contains "123aaac2c" or
  • | where itemId contains "123aaac2c" or
  • | where problemId contains "123aaac2c"

And similar for exceptions where any of the id fields contains part of my id. But I can't seem to find the results.

What am I doing wrong? Am I still looking in the wrong places? Or should I increase log levels somehow? Or do I need to add code somewhere to configure IdentityServer4 to log this stuff?


Note: if I run my application locally from the console, I do see output streaming by for errors. For example, I've added _logger.LogError("test error") inside Startup, and configured my SPA to use my local IDS but with an improper scope, and I see this output:

fail: MyApp.Identity.Startup[0]
      test error
Hosting environment: Development
Content root path: C:\git\my-app\MyApp.Identity
Now listening on: https://localhost:5001
Now listening on: http://localhost:5000
Application started. Press Ctrl+C to shut down.
fail: IdentityServer4.Validation.ScopeValidator[0]
      Invalid scope: triggererroridwithinvalidscope
fail: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
      Request validation failed

The first error was just to check how normal errors are logged, and the second error was to simulate my actual issue (that triggers an errorId page as mentioned earlier in my question).

In short, I do see things logged on the console via ASP.NET Core logging, but I can not find them in AppInsights.


Note: I further researched how IdentityServer4 does its logging, and as documented it logs using the ASP.NET Core default logging system, by injecting e.g. an ILogger<T> from Microsoft's Abstractions, and then using a few helper methods to call (for example):

var details = new TokenRequestValidationLog(_validatedRequest);
// abbreviated snippet
_logger.Log(LogLevel.Error, "Some message" + ", details: {@details}", details);

Maybe this doesn't show up in AppInsights because there is no good place for it? It's not a Trace, it's not a Request, and it has no real Exception either?

Jeroen asked Jan 24 '20 14:01


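As an added example (not part of the question or the answer, and not IdentityServer4's or Microsoft's own code): the "fail:" lines shown above are ordinary ILogger entries, so they only reach Application Insights if an Application Insights logger provider is registered in the app's logging pipeline and its filter admits the IdentityServer4 categories. The snippet assumes Microsoft.ApplicationInsights.AspNetCore 2.7 or later, where AddApplicationInsightsTelemetry() also registers ApplicationInsightsLoggerProvider; apart from those framework APIs, the class name and layout are made up for the example.

```csharp
// Startup.cs (ASP.NET Core 3.1). Added example, not code from the original page.
// Assumes Microsoft.ApplicationInsights.AspNetCore >= 2.7, whose
// AddApplicationInsightsTelemetry() also registers ApplicationInsightsLoggerProvider,
// so ILogger output is sent to the "traces" table instead of only to the console.
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.ApplicationInsights;

public partial class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Replaces the WebHostBuilder.UseApplicationInsights() call, which is
        // deprecated in newer SDK versions.
        services.AddApplicationInsightsTelemetry();

        services.AddLogging(logging =>
        {
            // The Application Insights provider captures Warning and above by
            // default, so the LogLevel.Error lines from IdentityServer4.Validation.*
            // and IdentityServer4.Endpoints.* already qualify. Lower this threshold
            // for the IdentityServer4 namespace only if you also want its
            // Information/Debug detail, which is verbose and can include client ids,
            // redirect URIs and scope lists.
            logging.AddFilter<ApplicationInsightsLoggerProvider>("IdentityServer4", LogLevel.Warning);

            // Keep every other category at Warning to avoid paying for noise.
            logging.AddFilter<ApplicationInsightsLoggerProvider>(LogLevel.Warning);
        });

        // ... services.AddIdentityServer(...).AddAspNetIdentity<...>() etc. as before
    }
}

// Equivalent appsettings.json (provider-specific section, no code change needed):
//   "Logging": {
//     "ApplicationInsights": {
//       "LogLevel": { "Default": "Warning", "IdentityServer4": "Warning" }
//     }
//   }
//
// Once entries flow they land in the traces table. The ILogger category is copied
// into customDimensions.CategoryName. For a hierarchical Activity id such as
// "|123aaac2c1cccf4eb3333411aaa183da7e.bba43cca1_", the root part between "|" and
// the first "." is what Application Insights stores as operation_Id:
//
//   traces
//   | where customDimensions.CategoryName startswith "IdentityServer4"
//   | where severityLevel >= 3          // 3 = Error, 2 = Warning
//   | project timestamp, severityLevel, message, customDimensions.CategoryName, operation_Id
//   | order by timestamp desc
```

If nothing shows up with this in place, check the effective filter rather than the IdentityServer side: an appsettings "Logging:LogLevel:Default" of Warning does not override a stricter provider-specific "Logging:ApplicationInsights:LogLevel" section, and a logger provider that is never registered silently drops everything.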

1 Answer

If you need to find correlated log entries to an error in Application Insights, you can search for the Request ID that is shown on the IdentityServer error page. The Request ID comes from the System.Diagnostics.Activity.Current.Id property and should be automatically attached to the log event. You can query it like this:

traces
| where customDimensions["RequestId"] == "80006a82-0000-e800-b63f-84710c7967bb"
| order by timestamp desc
| limit 50

Regarding the identity server events not showing up at all in Insights, could you try to add this to your Startup class?

services.AddIdentityServer(options => {
    options.Events.RaiseErrorEvents = true;
    options.Events.RaiseInformationEvents = true;
    options.Events.RaiseFailureEvents = true;
    options.Events.RaiseSuccessEvents = true;
});

Also note that it can take some time until the log events actually show up in the Application Insights log viewer. To exclude this as a problem source, I'd wait a few minutes before running your query.

Redstone answered Sep 21 '22 14:09
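As an added example, not code from the answer, from IdentityServer4 or from Microsoft: the RaiseErrorEvents/RaiseFailureEvents options only make IdentityServer raise its events; where they end up is decided by the registered IEventSink, and the default sink writes them to ILogger, which is exactly the pipeline the question could not find in App Insights. The class below is a hypothetical sink that pushes each event into Application Insights as a custom event through TelemetryClient, so protocol-level failures (invalid scope, rejected redirect URI, failed token request) are queryable in customEvents independently of the ILogger configuration. Everything except the IdentityServer4.Events, IdentityServer4.Services and Microsoft.ApplicationInsights APIs is made up for the example.

```csharp
using System.Collections.Generic;
using System.Text.Json;
using System.Threading.Tasks;
using IdentityServer4.Events;
using IdentityServer4.Services;
using Microsoft.ApplicationInsights;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical sink (added example): forwards every IdentityServer4 event to
// Application Insights as a custom event. IEventSink and Event are IdentityServer4's
// own types; TelemetryClient is the Application Insights SDK.
public class ApplicationInsightsEventSink : IEventSink
{
    private readonly TelemetryClient _telemetry;

    public ApplicationInsightsEventSink(TelemetryClient telemetry)
    {
        _telemetry = telemetry;
    }

    public Task PersistAsync(Event evt)
    {
        var properties = new Dictionary<string, string>
        {
            // Category, Name, EventType, Id and ActivityId live on the base Event type.
            ["Category"] = evt.Category,
            ["EventType"] = evt.EventType.ToString(), // Success, Failure, Information, Error
            ["EventId"] = evt.Id.ToString(),
            // Same Activity id that IdentityServer prints on its error page.
            ["ActivityId"] = evt.ActivityId ?? string.Empty,
            ["RemoteIp"] = evt.RemoteIpAddress ?? string.Empty,
            // Subclass-specific fields (Error, ErrorDescription, ClientId, Scopes, ...)
            // are kept by serialising the concrete type rather than the base type.
            // Review this before shipping: it can contain subject ids and client names,
            // and Application Insights truncates property values at 8192 characters.
            ["Detail"] = JsonSerializer.Serialize(evt, evt.GetType()),
        };

        _telemetry.TrackEvent("IdentityServer4." + evt.Name, properties);
        return Task.CompletedTask;
    }
}

public static class IdentityServerTelemetryRegistration
{
    // Hypothetical helper; call it from Startup.ConfigureServices.
    public static IServiceCollection AddIdentityServerTelemetry(this IServiceCollection services)
    {
        services.AddIdentityServer(options =>
        {
            // Failure and Error events cover invalid scopes, rejected redirect URIs
            // and failed token requests. Success/Information are useful for audit
            // but are far higher volume.
            options.Events.RaiseErrorEvents = true;
            options.Events.RaiseFailureEvents = true;
            options.Events.RaiseSuccessEvents = true;
            options.Events.RaiseInformationEvents = true;
        });
        // Chain .AddAspNetIdentity<TUser>() and the rest of the existing builder calls here.

        // Registered after AddIdentityServer so this sink replaces the default
        // ILogger-backed one in DI resolution.
        services.AddTransient<IEventSink, ApplicationInsightsEventSink>();
        return services;
    }
}

// KQL for the failures once they are ingested (allow a few minutes for ingestion):
//   customEvents
//   | where name startswith "IdentityServer4."
//   | where customDimensions.EventType in ("Failure", "Error")
//   | project timestamp, name, customDimensions.ActivityId, customDimensions.Detail
//   | order by timestamp desc
```

The practical difference from relying on ILogger is that the event carries the structured error (error code, description, client id, requested scopes) as separate fields instead of a formatted message, which makes alerting on a spike of "invalid_scope" or "unauthorized_client" failures a one-line query rather than a regex over trace text.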