Summary
Add a endpoint that reports the operational status, last successful authentication timestamp, error rate, and configuration checksum of each configured connector — giving operators visibility into upstream identity provider health.
Motivation
Dex is used as a critical authentication gateway in production environments (Kubernetes clusters, SaaS platforms, enterprises). When an upstream IdP goes down or misbehaves, the failure mode is often silent: users see login errors but operators have no way to distinguish "dex is down" from "the LDAP server is unreachable" from "the GitHub API rate-limited us."
Dex has 11 connector types spanning LDAP, SAML, GitHub, Google, OIDC, and others (see README connector table). Each has different failure modes and connectivity semantics. A centralized health endpoint would dramatically improve operational debuggability.
Proposed Design
New endpoint:
Returns a JSON response:
{
"status": "degraded",
"connectors": [
{
"id": "ldap-main",
"type": "ldap",
"enabled": true,
"health": "healthy",
"last_auth_success": "2026-06-19T14:30:00Z",
"last_auth_failure": null,
"failure_count_1h": 0,
"config_checksum": "a1b2c3d4",
"latency_ms": 12
},
{
"id": "github-org",
"type": "github",
"enabled": true,
"health": "degraded",
"last_auth_success": "2026-06-19T12:00:00Z",
"last_auth_failure": "2026-06-19T12:05:00Z",
"failure_count_1h": 15,
"config_checksum": "e5f6g7h8",
"error": "API rate limit exceeded (remaining: 0, resets: 2026-06-19T13:00:00Z)"
}
]
}
How each connector reports health
| Connector |
Health check mechanism |
| LDAP |
TCP dial + anonymous bind (if allowed) or last successful bind latency |
| GitHub |
API probe using stored token; check rate limit headers |
| OIDC |
with timeout |
| SAML |
Metadata endpoint reachability + certificate expiry check |
| Google |
Token introspection endpoint probe |
| Microsoft |
Tenant discovery endpoint probe |
| AuthProxy |
N/A — passive; mark as |
What operators gain
- Prometheus metrics exported alongside the endpoint: , , by connector_id and type
- Config drift detection: changes signal that a connector was reconfigured without a dex restart
- Alert routing: a state can be routed to PagerDuty/Opsgenie via existing Prometheus + Alertmanager pipelines
Prior art
- Envoy's for upstream clusters
- Keycloak's health check SPI and endpoint
- OAuth2-Proxy's
Implementation notes
- The health endpoint itself should require no authentication or a lightweight shared-secret header; it must work when dex is in a degraded state
- Health checks should be async and cached (configurable TTL, default 30s) to avoid thundering herd on upstream IdPs
- Connectors that are disabled or misconfigured should still appear in the response with and an explanatory message
Summary
Add a endpoint that reports the operational status, last successful authentication timestamp, error rate, and configuration checksum of each configured connector — giving operators visibility into upstream identity provider health.
Motivation
Dex is used as a critical authentication gateway in production environments (Kubernetes clusters, SaaS platforms, enterprises). When an upstream IdP goes down or misbehaves, the failure mode is often silent: users see login errors but operators have no way to distinguish "dex is down" from "the LDAP server is unreachable" from "the GitHub API rate-limited us."
Dex has 11 connector types spanning LDAP, SAML, GitHub, Google, OIDC, and others (see README connector table). Each has different failure modes and connectivity semantics. A centralized health endpoint would dramatically improve operational debuggability.
Proposed Design
New endpoint:
Returns a JSON response:
{ "status": "degraded", "connectors": [ { "id": "ldap-main", "type": "ldap", "enabled": true, "health": "healthy", "last_auth_success": "2026-06-19T14:30:00Z", "last_auth_failure": null, "failure_count_1h": 0, "config_checksum": "a1b2c3d4", "latency_ms": 12 }, { "id": "github-org", "type": "github", "enabled": true, "health": "degraded", "last_auth_success": "2026-06-19T12:00:00Z", "last_auth_failure": "2026-06-19T12:05:00Z", "failure_count_1h": 15, "config_checksum": "e5f6g7h8", "error": "API rate limit exceeded (remaining: 0, resets: 2026-06-19T13:00:00Z)" } ] }How each connector reports health
What operators gain
Prior art
Implementation notes