feat: add OpenTelemetry metrics for credential issuance and verification #495

Open

leifj wants to merge 1 commit into SUNET:main from sirosfoundation:feat/otel-metrics
leifj (Contributor) commented Jun 16, 2026

Closes #494

What

Adds OTel Metrics SDK instrumentation alongside existing tracing, covering the full OpenID4VCI and OpenID4VP flows.

Changes

New: pkg/metric/

  • otel.go: MeterProvider with OTLP push + Prometheus scrape reader
  • vci.go: VCI instruments (offers, tokens, credentials, notifications counters + latency histograms)
  • vp.go: VP instruments (requests, presentations, failures counters + latency histogram)
  • handler.go: Prometheus HTTP handler via OTel bridge
  • otel_test.go: Tests for all of the above

Modified

  • pkg/model/config.go: Add common.metrics config section (OTEL struct, same as tracing)
  • cmd/apigw/main.go: Wire MeterProvider + VCI metrics + /metrics handler
  • cmd/verifier/main.go: Wire MeterProvider + VP metrics
  • internal/apigw/apiv1/client.go: Add vci *metric.VCI field, update constructor
  • internal/apigw/apiv1/handlers_oauth.go: Instrument OAuthToken (counter + latency)
  • internal/apigw/apiv1/handlers_issuer.go: Instrument VCICredential (issued/failed counters + latency), VCIDeferredCredential, VCINotification
  • internal/apigw/apiv1/handlers_oidcrp.go: Instrument credential offer creation
  • internal/apigw/httpserver/service.go: Add /metrics Prometheus scrape endpoint
  • internal/verifier/apiv1/client.go: Add vp *metric.VP field, update constructor
  • internal/verifier/apiv1/handler_openid4vp.go: Instrument CreateRequestObject, HandleDirectPost

PII Safety

All labels are protocol-level only: format, grant_type, credential_config_id, source, error_class, event, status. No identifiers, session IDs, or claim values are ever recorded.

Cardinality

Worst case ~60 series for VCI + ~9 for VP. Well within Prometheus comfort zone.

Testing

  • pkg/metric has 6 tests covering construction, no-op, recording, and Prometheus exporter
  • All existing tests pass (nil-safe guards when vci/vp is not injected)
  • go build ./... and go vet ./... clean

Wire OTel Metrics SDK alongside existing tracing infrastructure:
- pkg/metric: MeterProvider with OTLP push + Prometheus scrape exporter
- pkg/metric/vci.go: VCI counters (offers, tokens, credentials, notifications)
  and histograms (token latency, issuance latency)
- pkg/metric/vp.go: VP counters (requests, presentations, failures)
  and histogram (verification latency)

Instrument key handlers:
- apigw: OAuthToken, VCICredential, VCIDeferredCredential, VCINotification,
  OIDC RP credential offer creation
- verifier: CreateRequestObject, HandleDirectPost

All metric labels use protocol-level metadata only (format, grant_type,
credential_config_id, source, error_class) — no PII is ever recorded.

Adds /metrics Prometheus scrape endpoint to apigw HTTP server.
Adds common.metrics config section (mirrors common.tracing).
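
One way to enforce the "PII Safety" and "Cardinality" properties stated in the description is to pass every label set through an allowlist before it reaches an instrument. This is an added example, not code from this pull request or the project. The label keys are the ones listed in the description; the value sets, the `other` bucket and the names `Sanitize` and `WorstCaseSeries` are assumptions.

```go
package main

import "fmt"

// Keys come from the PR description; value sets are assumed for this example.
var allowed = map[string][]string{
	"format":               {"vc+sd-jwt", "mso_mdoc"},
	"grant_type":           {"authorization_code", "pre-authorized_code"},
	"credential_config_id": {"pid", "ehic", "diploma"},
	"source":               {"oidcrp", "api"},
	"error_class":          {"client", "server", "crypto"},
	"event":                {"credential_accepted", "credential_failure", "credential_deleted"},
	"status":               {"ok", "error"},
}

const overflow = "other" // bucket for any value outside its closed set

// Sanitize drops keys that are not allowlisted and collapses unknown values,
// so request-derived strings can neither leak nor create new series.
func Sanitize(in map[string]string) map[string]string {
	out := make(map[string]string, len(in))
	for k, v := range in {
		vals, ok := allowed[k]
		if !ok {
			continue // e.g. a session or subject identifier
		}
		out[k] = overflow
		for _, a := range vals {
			if a == v {
				out[k] = v
			}
		}
	}
	return out
}

// WorstCaseSeries bounds one instrument's series count: the product of each
// label's value count plus one for the overflow bucket.
func WorstCaseSeries(keys ...string) (int, error) {
	n := 1
	for _, k := range keys {
		if _, ok := allowed[k]; !ok {
			return 0, fmt.Errorf("label %q is not allowlisted", k)
		}
		n *= len(allowed[k]) + 1
	}
	return n, nil
}

func main() { // constructed input: one valid label, one identifier that must be dropped
	n, err := WorstCaseSeries("format", "credential_config_id", "error_class")
	fmt.Println(Sanitize(map[string]string{"format": "mso_mdoc", "session_id": "constructed-value"}), n, err)
}
```

Running `WorstCaseSeries` over each instrument's label keys in a unit test turns a cardinality estimate into a bound that fails the build when a new label or value is added without review.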

Development

Successfully merging this pull request may close these issues.

Add Prometheus/OTel metrics for credential issuance and verification