Tag: dotnet

Distributed Tracing with OpenTelemetry

July 23rd, 2022

I’ve spent a fair bit of time lately working on observability. To date, I’ve been using Application Insights with a fair bit of success, though it takes some work to make the traces correlate properly and give you related spans correctly. I started looking into OpenTelemetry, and found that it is a suitable replacement for Application Insights, and seems to be a little easier to use. However, as it is currently only just releasing version 1.0, it’s a little difficult to piece together things that don’t appear in the demo.

Most notably, I’m using MassTransit/RabbitMQ for messaging, and the messaging example uses the RabbitMQ.Client libraries instead. I’ve also put all the pieces in one place with commentary to try and make things a bit more convenient. First, you define your ActivitySources in a central location so they can be shared between components:

public static class Telemetry
{
    public static readonly ActivitySource Service1Source = new ActivitySource("Service1");
    // ...
}

Now, you can configure OpenTelemetry in the Web API producer:

    protected async Task<IActionResult> HandleCommand<TCommand>(
        TCommand command,
        Action<TCommand>? commandModifier = null)
        where TCommand : class
    {
        using var activity = Telemetry.ApiActivitySource
            .StartActivity($"{typeof(T).Name}.{typeof(TCommand).Name}", ActivityKind.Producer);
        try
        {
            commandModifier?.Invoke(command);
            await _bus.Request<TCommand, CommandResponse>(command, callback: c =>
            {
                var contextToInject = default(ActivityContext);
                if (activity != null)
                    contextToInject = activity.Context;
                else if (Activity.Current != null)
                    contextToInject = Activity.Current.Context;
                Propagator.Inject(new PropagationContext(contextToInject, Baggage.Current), c, InjectContext);
            });
            activity?.SetStatus(ActivityStatusCode.Ok);
        }
        catch (Exception ex)
        {
            activity?.SetTag("exception", ex.StackTrace);
            activity?.SetStatus(ActivityStatusCode.Error, ex.Message);
        }
        finally
        {
            activity?.Stop();
        }
        return Ok();
    }

Here is a generic web API controller that handles commands where the aggregate type and command type are concatenated to form the command name. The key part here is the Propagator.Inject() call, so let’s look at the method it uses to inject the ActivityContext into the RabbitMQ headers:

private void InjectContext<TCommand>(SendContext<TCommand> context, string key, string value) where TCommand : class
    {
        context.Headers.Set(key, value);
    }

It’s only a one-liner, and the Propagator does all the work for us by calling InjectContext with the key and value arguments it needs. The corresponding ExtractContext consumer looks like the following:

    private IEnumerable<string> ExtractContext<TCommand>(ConsumeContext<TCommand> context, string key) where TCommand : class
    {
        if (context.Headers.TryGetHeader(key, out var value))
        {
            return new[] { value?.ToString() ?? string.Empty };
        }
        return Enumerable.Empty<string>();
    }

This method needs to return an IEnumerable<string> with all values for the given key. In our case, there will only ever be one value, but the signature is set for us by the Propagator. The service itself uses the Propagator as follows:

public class ConsumerBase<TAggregate, TCommand> : IConsumer<TCommand>
    where TAggregate : AggregateRoot<TAggregate>
    where TCommand : class
{
    private static readonly TextMapPropagator Propagator = Propagators.DefaultTextMapPropagator;

    protected readonly ApplicationService<TAggregate> Service;
    protected readonly ActivitySource ActivitySource;

    public ConsumerBase(ApplicationService<TAggregate> service, ActivitySource source)
    {
        Service = service;
        ActivitySource = source;
    }

    public virtual async Task Consume(ConsumeContext<TCommand> context)
    {
        var parentContext = Propagator.Extract(default, context, ExtractContext);
        using var activity =
            ActivitySource.StartActivity($"{typeof(TAggregate).Name}.{typeof(TCommand).Name}", ActivityKind.Consumer, parentContext.ActivityContext);
        try
        {
            await Service.Handle(context.Message);
            await context.RespondAsync(new CommandResponse { Success = true });
            activity?.SetStatus(Status.Ok);
        }
        catch (Exception ex)
        {
            await context.RespondAsync(new CommandResponse
                { Error = ex.Message, StackTrace = ex.StackTrace, Success = false });
            activity?.SetTag("exception", ex.StackTrace);
            activity?.SetStatus(ActivityStatusCode.Error, ex.Message);
        }
    }

    private IEnumerable<string> ExtractContext<TCommand>(ConsumeContext<TCommand> context, string key) where TCommand : class
    {
        if (context.Headers.TryGetHeader(key, out var value))
        {
            return new[] { value?.ToString() ?? string.Empty };
        }
        return Enumerable.Empty<string>();
    }
}

The complete consumer base class is shown above.

Finally, in each process that requires OpenTelemetry, the tracer must be initialized:

        services.AddOpenTelemetryTracing(ot => ot
            .AddSource("MyNamespace.MyService")
            .SetResourceBuilder(ResourceBuilder.CreateDefault().AddService("MyNamespace.MyService", serviceVersion: "1.0.0"))
            .AddMassTransitInstrumentation()
            .AddGrpcClientInstrumentation()
            .AddOtlpExporter(otlp =>
            {
                otlp.Endpoint = new Uri(context.Configuration["Telemetry:OpenTelemetry"]);
                otlp.Protocol = OtlpExportProtocol.Grpc;
            }));

That should be it! OpenTelemetry is a very promising replacement for proprietary tracing protocols such as Application Insights and New Relic. Indeed, Application Insights now supports the use of OpenTelemetry instead of its proprietary protocol. OpenTelemetry allows for a choice of UIs for examining the telemetry. I am currently using Jaeger (jaegertracing.io), but have also looked at SigNoz (signoz.io). Either of these are very capable UIs, and OpenTelemetry seems very flexible and easy to use (once you figure out how!)

Bearer token too long?

July 22nd, 2022

I recently switched to Auth0 as an OAuth2 provider, and was a little surprised to find how little data was stored in the bearer token. I’d previously shoved pretty much everything in there: profile and roles as well. Some of you may be snickering since you already know better. Access tokens should be short. But we still need all the user claims. This is available on the Auth0 server as /userinfo. The access token provided will also have access to the /userinfo endpoint, which contains the profile and claims that we are looking for. If you do the obvious thing, and load the claims and profile on demand when receiving the access token, you’ll find out something else about Auth0 – they rate limit the userinfo endpoint.

I put the following singleton into all of my web APIs and microservices:

public class ClaimsHolder
{
    private readonly ConcurrentDictionary<string, ConcurrentDictionary<string, object>> _claims = new();

    public void AddClaim(string userid, string name, object value)
    {
        _claims.AddOrUpdate(userid,
            k =>
            {
                var v = new ConcurrentDictionary<string, object>();
                v[name] = value;
                return v;
            },
            (k, v) =>
            {
                v[name] = value;
                return v;
            }); 
    }

    public IList<Claim> this[string userid]
    {
        get
        {
            return _claims.GetOrAdd(userid, new ConcurrentDictionary<string, object>())
                .Select(c => new Claim(c.Key, c.Value.ToString() ?? throw new Exception("null claim??")))
                .ToList();
        }
        set
        {

            _claims.AddOrUpdate(userid, 
                k => new ConcurrentDictionary<string, object>(),
                (k, v) =>
                {
                    foreach (var claim in value)
                        v.GetOrAdd(claim.Type, claim.Value);
                    return v;
                });
            foreach (var claim in value)
            {
                _claims[userid].AddOrUpdate(claim.Type, 
                    k =>
                    {
                        var v = new ConcurrentDictionary<string, object>();
                        v[claim.Type] = claim.Value;
                        return v;
                    },
                    (k, v) => claim.Value);
            }
        }
    }
}

A web API can use this claims holder as follows. First, add JWT bearer authentication to your Program.cs similar to the following:

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, c =>
    {
        c.Authority = $"https://{auth0Domain}";
        c.TokenValidationParameters = new()
        {
            ValidAudience = auth0Audience,
            ValidIssuer = $"https://{auth0Domain}"
        };
        c.Events = new()
        {
            OnTokenValidated = async context =>
            {
                if (context.SecurityToken is not JwtSecurityToken accessToken) return;
                token.Value = accessToken.RawData;
                if (context.Principal?.Identity is ClaimsIdentity identity)
                {
                    var userid = identity.Claims.Single(c => c.Type == ClaimTypes.NameIdentifier).Value;
                    var claims = claimsHolder[userid ?? throw new Exception("null user!")];
                    if (!claims.Any())
                    {
                        var httpClient = new HttpClient();
                        httpClient.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken.RawData}");
                        claims = (await
                                httpClient.GetFromJsonAsync<Dictionary<string, object>>(
                                    $"https://{auth0Domain}/userinfo")
                            )?.Select(x =>
                                new Claim(x.Key, x.Value?.ToString() ?? throw new Exception("null claim??"))).ToList();
                        if (claims != null)
                            foreach (var claim in claims.ToList())
                                claimsHolder.AddClaim(userid, claim.Type, claim.Value);
                    }

                    identity.AddClaims(claims ?? Enumerable.Empty<Claim>().ToList());
                    identity.AddClaim(new Claim("access_token", accessToken.RawData));
                }
            }
        };
    });

What we end up with, then, is a wrapper around a ConcurrentDictionary that holds a per-user ConcurrentDictionary containing all of the claims. This provides a convenience singleton to minimize the amount of times the user info must be retrieved from Auth0. There is a problem with this code, however, in that the claims are not refreshed when the token is refreshed. We should allow the access token to work until the end of its lifetime using the cached claims, but once the token is refreshed we should refresh the cached claims. I don’t currently know how to do this, however. For many low-security scenarios, the code above would work as-is; the claims just don’t change that often. Still, this is a problem that must be solved eventually.

Time Zones in Blazor WASM

July 5th, 2022
Any system that has clients in multiple time zones is always problematic. With the rise in cloud services and containerized applications, it is frequently the case that your web or desktop clients do not use the same time as your server components (which are more frequently running in UTC). Typically this is dealt with by using DateTimeOffset instead of DateTime. But I’ve noticed that it doesn’t quite work as expected in Blazor WASM. While the actual DateTime value itself works as expected, the times are always displayed in GMT. Asking clients to work in GMT simply because the server or database does is not going to be acceptable.

The odd thing is that Blazor WASM seems to know the correct time zone offset:
```

 Local Time Zone: @TimeZoneInfo.Local.DisplayName 
 Local Time Offset: @TimeZoneInfo.Local.BaseUtcOffset 
 Local Time: @DateTimeOffset.Now.ToString("R")

```
But, the Local Time displayed here is in GMT! Why? I haven’t really been able to find an answer, but plenty of similar complaints. The real oddity is as follows:
```

Local Time: @DateTimeOffset.Now.LocalDateTime.ToString("g")

```
I use the “g” format here because LocalDateTime is a DateTime property, without time zone information. This displays the correct local time! So why doesn’t DateTimeOffset.Now contain the correct offset information? This seems to remain a mystery.

Still, this is at least workable. The correct time is stored in the database and it is possible to display the local user’s time for DateTimeOffset values using the LocalDateTime property. A combination of this, plus the (correct, thankfully) data in System.TimeZoneInfo should provide all of the necessary components to display the time as desired.

Tag: dotnet

Distributed Tracing with OpenTelemetry

Bearer token too long?

Time Zones in Blazor WASM