Skip to content

Add authentication and SSL/TLS to ServiceControl #5197

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
warwickschroeder wants to merge 45 commits into
base: master
Choose a base branch
from
Open

Add authentication and SSL/TLS to ServiceControl #5197

warwickschroeder wants to merge 45 commits into from

Conversation

@warwickschroeder
Copy link

@warwickschroeder warwickschroeder commented Nov 24, 2025
edited
Loading

Addresses: Particular/ServicePulse#1723
Documentation: Particular/docs.particular.net#7947

  • Supports JWT bearer tokens, OpenID Connect, OAuth2.0
  • Adds config for ServiceControl authentication. Defaults to disabled
  • Adds config for ServicePulse authentication. Driven by ServiceControl auth
  • Adds config for direct HTTPS hosting (kestral). Defaults to disabled
  • Adds config for HTTPS redirect and HSTS
  • Adds config for stricter Forward Headers (reverse proxy). Defaults to "All" headers and "Any" proxies
  • Adds config for stricter CORS. Defaults to "Allow Any Origin"
  • Add authentication config to Throughput collector
  • Add markdown for manual testing and verification
  • Add unit and acceptance tests for all major security configuration scenarios

warwickschroeder
warwickschroeder commented Nov 26, 2025
View reviewed changes
@jasontaylordev jasontaylordev force-pushed the genxp-3600-add-authentication branch from de7cd32 to 45f7db3 Compare December 1, 2025 03:40
@warwickschroeder warwickschroeder changed the title Add initial authentication to ServiceControl Add authentication and SSL to ServiceControl Dec 3, 2025
@jasontaylordev jasontaylordev force-pushed the genxp-3600-add-authentication branch from 92500bc to 5e86040 Compare December 5, 2025 01:41
warwickschroeder
warwickschroeder commented Dec 8, 2025
View reviewed changes
Copy link
Author

@warwickschroeder warwickschroeder left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Im surprised these are pre-existing. What are they being used for in ServiceControl? Metric collection?

AWS token and Azure Identity packages

@jasontaylordev
Copy link
Contributor

jasontaylordev commented Dec 8, 2025

Im surprised these are pre-existing. What are they being used for in ServiceControl? Metric collection?

AWS token and Azure Identity packages

Assuming you're referring to this commit. In this case the Azure.Identity package is referenced by ServiceControl.Transports.ASBS, which is a transport adapter for Azure Service Bus.

@warwickschroeder
Copy link
Author

warwickschroeder commented Dec 8, 2025

Ah that makes sense. Thanks

Assuming you're referring to this commit. In this case the Azure.Identity package is referenced by ServiceControl.Transports.ASBS, which is a transport adapter for Azure Service Bus.

@warwickschroeder warwickschroeder changed the title Add authentication and SSL to ServiceControl Add authentication and SSL/TLS to ServiceControl Dec 10, 2025
@warwickschroeder warwickschroeder marked this pull request as ready for review December 11, 2025 01:54
warwickschroeder and others added 18 commits January 8, 2026 16:36
@warwickschroeder @jasontaylordev
Add initial authentication supporting JWT tokens, OpenID Connect, OAu…
2b2d96d 
…th2.0
@jasontaylordev
Add ServicePulse-specific OIDC configuration and endpoint
23703ea
@jasontaylordev @warwickschroeder
Update src/ServiceControl/App.config
7fb96c5 
Co-authored-by: Warwick Schroeder <warwick.schroeder@particular.net>
@jasontaylordev @warwickschroeder
Update src/ServiceControl/App.config
b0863c5 
Co-authored-by: Warwick Schroeder <warwick.schroeder@particular.net>
@jasontaylordev
Remove SP enabled flag
c6b4ded
@jasontaylordev
Update approved routes and settings
26085fe
@warwickschroeder @jasontaylordev
Allow multiple api scopes, or none. Add client audience config setting
2c185f4
@jasontaylordev
Add auth to other instances
af70ae9
@jasontaylordev
Rename to ApiScopes
a1298ad
@warwickschroeder @jasontaylordev
Add additional options for flexible and secure hosting; SSL/TLS, Reve…
2d7fbd7 
…rse Proxy, Direct HTTPS, CORS
@warwickschroeder @jasontaylordev
Remove previously added rate limit for anon api
2d2f6a7
@jasontaylordev
Forward auth header
56dba7c
@jasontaylordev
Allow Anon for CheckRemotes
1fc05e7
@jasontaylordev
Remove unused rate limiting middleware
10afc1b
@jasontaylordev
MapControllers correctly
4fdc321
@jasontaylordev
Upgrade package
1122bfe
@warwickschroeder @jasontaylordev
Update local testing files. Add debug endpoint for dev.
182f38b
@warwickschroeder @jasontaylordev
Update reverse proxy test file
e46aeba
@jasontaylordev jasontaylordev force-pushed the genxp-3600-add-authentication branch from eb9853e to 49056a0 Compare January 8, 2026 06:36
@warwickschroeder warwickschroeder mentioned this pull request Jan 19, 2026
Open
abparticular
abparticular reviewed Jan 21, 2026
View reviewed changes
abparticular
abparticular reviewed Jan 22, 2026
View reviewed changes
johnsimons
johnsimons reviewed Jan 22, 2026
View reviewed changes
@johnsimons
Copy link
Member

johnsimons commented Jan 22, 2026

@warwickschroeder, I believe I have mentioned this before, we need to add telemetry so we know what customer configuration customers are using.
You can send this telemetry data via the usage report by adding it to the EnvironmentData in

ServiceControl/src/Particular.LicensingComponent/ThroughputCollector.cs

Line 163 in 5ac6e28

EnvironmentInformation = new EnvironmentInformation { AuditServicesData = new AuditServicesData(auditServiceMetadata.Versions, auditServiceMetadata.Transports), EnvironmentData = brokerMetaData.Data }

I would expect us to send things like:

  • authentication is enabled/disabled
  • customers configured forward headers
  • customers are using a reverse proxy
  • customers configured hsts, redirect to https, ...
  • what authentication provider they use,....

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@johnsimons johnsimons johnsimons left review comments

@abparticular abparticular abparticular left review comments

@jasontaylordev jasontaylordev Awaiting requested review from jasontaylordev

At least 1 approving review is required to merge this pull request.

Assignees

@jasontaylordev jasontaylordev

@warwickschroeder warwickschroeder

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@warwickschroeder @jasontaylordev @johnsimons @abparticular @warwick-exia