Skip to content

Feature: connector health and status endpoint for production observability #4841

Description

@cschanhniem

Summary

Add a endpoint that reports the operational status, last successful authentication timestamp, error rate, and configuration checksum of each configured connector — giving operators visibility into upstream identity provider health.

Motivation

Dex is used as a critical authentication gateway in production environments (Kubernetes clusters, SaaS platforms, enterprises). When an upstream IdP goes down or misbehaves, the failure mode is often silent: users see login errors but operators have no way to distinguish "dex is down" from "the LDAP server is unreachable" from "the GitHub API rate-limited us."

Dex has 11 connector types spanning LDAP, SAML, GitHub, Google, OIDC, and others (see README connector table). Each has different failure modes and connectivity semantics. A centralized health endpoint would dramatically improve operational debuggability.

Proposed Design

New endpoint:

Returns a JSON response:

{
  "status": "degraded",
  "connectors": [
    {
      "id": "ldap-main",
      "type": "ldap",
      "enabled": true,
      "health": "healthy",
      "last_auth_success": "2026-06-19T14:30:00Z",
      "last_auth_failure": null,
      "failure_count_1h": 0,
      "config_checksum": "a1b2c3d4",
      "latency_ms": 12
    },
    {
      "id": "github-org",
      "type": "github",
      "enabled": true,
      "health": "degraded",
      "last_auth_success": "2026-06-19T12:00:00Z",
      "last_auth_failure": "2026-06-19T12:05:00Z",
      "failure_count_1h": 15,
      "config_checksum": "e5f6g7h8",
      "error": "API rate limit exceeded (remaining: 0, resets: 2026-06-19T13:00:00Z)"
    }
  ]
}

How each connector reports health

Connector Health check mechanism
LDAP TCP dial + anonymous bind (if allowed) or last successful bind latency
GitHub API probe using stored token; check rate limit headers
OIDC with timeout
SAML Metadata endpoint reachability + certificate expiry check
Google Token introspection endpoint probe
Microsoft Tenant discovery endpoint probe
AuthProxy N/A — passive; mark as

What operators gain

  • Prometheus metrics exported alongside the endpoint: , , by connector_id and type
  • Config drift detection: changes signal that a connector was reconfigured without a dex restart
  • Alert routing: a state can be routed to PagerDuty/Opsgenie via existing Prometheus + Alertmanager pipelines

Prior art

  • Envoy's for upstream clusters
  • Keycloak's health check SPI and endpoint
  • OAuth2-Proxy's

Implementation notes

  • The health endpoint itself should require no authentication or a lightweight shared-secret header; it must work when dex is in a degraded state
  • Health checks should be async and cached (configurable TTL, default 30s) to avoid thundering herd on upstream IdPs
  • Connectors that are disabled or misconfigured should still appear in the response with and an explanatory message

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions