Add initial authentication supporting JWT tokens, OpenID Connect, OAuth2.0

Author: warwickschroeder

src/Directory.Packages.props

@@ -17,6 +17,8 @@
     <PackageVersion Include="Fody" Version="6.9.1" />
     <PackageVersion Include="GitHubActionsTestLogger" Version="3.0.1" />
     <PackageVersion Include="HdrHistogram" Version="2.5.0" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.22" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.22" />
     <PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.21" />
     <PackageVersion Include="Microsoft.AspNetCore.SignalR.Client" Version="8.0.21" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="8.0.1" />
@@ -28,6 +30,8 @@
     <PackageVersion Include="Microsoft.Extensions.Logging.Configuration" Version="8.0.1" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.3" />
     <PackageVersion Include="Microsoft.Extensions.TimeProvider.Testing" Version="8.10.0" />
+    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.15.0" />
+    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="8.15.0" />
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.0.1" />
     <PackageVersion Include="Microsoft-WindowsAPICodePack-Shell" Version="1.1.5" />
     <PackageVersion Include="Mindscape.Raygun4Net.NetCore" Version="11.2.1" />

src/ServiceControl/App.config

@@ -27,6 +27,19 @@ These settings are only here so that we can debug ServiceControl while developin
 	<!-- options are any comma separated combination of NLog,Seq,Otlp -->
 	<add key="ServiceControl/LoggingProviders" value="NLog,Seq"/>
 	<add key="ServiceControl/SeqAddress" value="http://localhost:5341"/>
+
+    <!-- Authentication Settings (JWT with OpenID Connect) -->
+    <!-- Uncomment and configure to enable authentication -->
+    <!-- Leaving 'Authentication.Enabled' commented out defaults authentication to 'false'-->
+    <!--<add key="ServiceControl/Authentication.Enabled" value="false" />
+    <add key="ServiceControl/Authentication.Authority" value="" />
+    <add key="ServiceControl/Authentication.Audience" value="" />-->
+    <!-- Optional Authentication Settings (defaults shown) -->
+    <!--<add key="ServiceControl/Authentication.ValidateIssuer" value="true" />
+    <add key="ServiceControl/Authentication.ValidateAudience" value="true" />
+    <add key="ServiceControl/Authentication.ValidateLifetime" value="true" />
+    <add key="ServiceControl/Authentication.ValidateIssuerSigningKey" value="true" />
+    <add key="ServiceControl/Authentication.RequireHttpsMetadata" value="true" />-->
   </appSettings>
   <connectionStrings>
     <!-- DEVS - Pick a transport connection string to match chosen transport above -->

src/ServiceControl/Hosting/Commands/RunCommand.cs

@@ -1,8 +1,13 @@
 namespace ServiceControl.Hosting.Commands
 {
+    using System;
     using System.Threading.Tasks;
     using Infrastructure.WebApi;
+    using Microsoft.AspNetCore.Authentication.JwtBearer;
     using Microsoft.AspNetCore.Builder;
+    using Microsoft.Extensions.DependencyInjection;
+    using Microsoft.IdentityModel.JsonWebTokens;
+    using Microsoft.IdentityModel.Tokens;
     using NServiceBus;
     using Particular.ServiceControl;
     using Particular.ServiceControl.Hosting;
@@ -20,11 +25,49 @@ public override async Task Execute(HostArguments args, Settings settings)
             settings.RunCleanupBundle = true;
 
             var hostBuilder = WebApplication.CreateBuilder();
+
+            // Configure JWT Bearer Authentication with OpenID Connect
+            if (settings.OpenIdConnectSettings.Enabled)
+            {
+                hostBuilder.Services.AddAuthentication(options =>
+                {
+                    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
+                    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+                })
+                .AddJwtBearer(options =>
+                {
+                    var oidcSettings = settings.OpenIdConnectSettings;
+
+                    options.Authority = oidcSettings.Authority;
+
+                    // Configure token validation parameters
+                    options.TokenValidationParameters = new TokenValidationParameters
+                    {
+                        ValidateIssuer = oidcSettings.ValidateIssuer,
+                        ValidateAudience = oidcSettings.ValidateAudience,
+                        ValidateLifetime = oidcSettings.ValidateLifetime,
+                        ValidateIssuerSigningKey = oidcSettings.ValidateIssuerSigningKey,
+                        ValidAudience = oidcSettings.Audience,
+                        ClockSkew = TimeSpan.FromMinutes(5) // Allow 5 minutes clock skew
+                    };
+
+                    options.RequireHttpsMetadata = oidcSettings.RequireHttpsMetadata;
+
+                    // Don't map inbound claims to legacy Microsoft claim types
+                    options.MapInboundClaims = false;
+                });
+
+                // Clear the default claim type mappings to use standard JWT claim names
+                JsonWebTokenHandler.DefaultInboundClaimTypeMap.Clear();
+            }
+
+
             hostBuilder.AddServiceControl(settings, endpointConfiguration);
             hostBuilder.AddServiceControlApi();
 
             var app = hostBuilder.Build();
-            app.UseServiceControl();
+            app.UseServiceControl(authenticationEnabled: settings.OpenIdConnectSettings.Enabled);
+
             await app.RunAsync(settings.RootUrl);
         }
     }

src/ServiceControl/Infrastructure/Settings/OpenIdConnectSettings.cs

@@ -0,0 +1,125 @@
+namespace ServiceBus.Management.Infrastructure.Settings
+{
+    using System;
+    using System.Text.Json.Serialization;
+    using Microsoft.Extensions.Logging;
+    using ServiceControl.Configuration;
+    using ServiceControl.Infrastructure;
+
+    public class OpenIdConnectSettings
+    {
+        readonly ILogger logger = LoggerUtil.CreateStaticLogger<OpenIdConnectSettings>();
+
+        public OpenIdConnectSettings(bool validateConfiguration)
+        {
+            Enabled = SettingsReader.Read(Settings.SettingsRootNamespace, "Authentication.Enabled", false);
+
+            if (!Enabled)
+            {
+                return;
+            }
+
+            Authority = SettingsReader.Read<string>(Settings.SettingsRootNamespace, "Authentication.Authority");
+            Audience = SettingsReader.Read<string>(Settings.SettingsRootNamespace, "Authentication.Audience");
+            ValidateIssuer = SettingsReader.Read(Settings.SettingsRootNamespace, "Authentication.ValidateIssuer", true);
+            ValidateAudience = SettingsReader.Read(Settings.SettingsRootNamespace, "Authentication.ValidateAudience", true);
+            ValidateLifetime = SettingsReader.Read(Settings.SettingsRootNamespace, "Authentication.ValidateLifetime", true);
+            ValidateIssuerSigningKey = SettingsReader.Read(Settings.SettingsRootNamespace, "Authentication.ValidateIssuerSigningKey", true);
+            RequireHttpsMetadata = SettingsReader.Read(Settings.SettingsRootNamespace, "Authentication.RequireHttpsMetadata", true);
+
+            if (validateConfiguration)
+            {
+                Validate();
+            }
+        }
+
+        [JsonPropertyName("enabled")]
+        public bool Enabled { get; }
+
+        [JsonPropertyName("authority")]
+        public string Authority { get; }
+
+        [JsonPropertyName("audience")]
+        public string Audience { get; }
+
+        [JsonPropertyName("validateIssuer")]
+        public bool ValidateIssuer { get; }
+
+        [JsonPropertyName("validateAudience")]
+        public bool ValidateAudience { get; }
+
+        [JsonPropertyName("validateLifetime")]
+        public bool ValidateLifetime { get; }
+
+        [JsonPropertyName("validateIssuerSigningKey")]
+        public bool ValidateIssuerSigningKey { get; }
+
+        [JsonPropertyName("requireHttpsMetadata")]
+        public bool RequireHttpsMetadata { get; }
+
+        void Validate()
+        {
+            if (!Enabled)
+            {
+                return;
+            }
+
+            if (string.IsNullOrWhiteSpace(Authority))
+            {
+                var message = "Authentication.Authority is required when authentication is enabled. Please provide a valid OpenID Connect authority URL (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0)";
+                logger.LogCritical(message);
+                throw new Exception(message);
+            }
+
+            if (!Uri.TryCreate(Authority, UriKind.Absolute, out var authorityUri))
+            {
+                var message = $"Authentication.Authority must be a valid absolute URI. Current value: '{Authority}'";
+                logger.LogCritical(message);
+                throw new Exception(message);
+            }
+
+            if (RequireHttpsMetadata && authorityUri.Scheme != Uri.UriSchemeHttps)
+            {
+                var message = $"Authentication.Authority must use HTTPS when RequireHttpsMetadata is true. Current value: '{Authority}'. Either use HTTPS or set Authentication.RequireHttpsMetadata to false (not recommended for production)";
+                logger.LogCritical(message);
+                throw new Exception(message);
+            }
+
+            if (string.IsNullOrWhiteSpace(Audience))
+            {
+                var message = "Authentication.Audience is required when authentication is enabled. Please provide a valid audience identifier (typically your API identifier or client ID)";
+                logger.LogCritical(message);
+                throw new Exception(message);
+            }
+
+            if (!ValidateIssuer)
+            {
+                logger.LogWarning("Authentication.ValidateIssuer is set to false. This is not recommended for production environments as it may allow tokens from untrusted issuers");
+            }
+
+            if (!ValidateAudience)
+            {
+                logger.LogWarning("Authentication.ValidateAudience is set to false. This is not recommended for production environments as it may allow tokens intended for other applications");
+            }
+
+            if (!ValidateLifetime)
+            {
+                logger.LogWarning("Authentication.ValidateLifetime is set to false. This is not recommended as it may allow expired tokens to be accepted");
+            }
+
+            if (!ValidateIssuerSigningKey)
+            {
+                logger.LogWarning("Authentication.ValidateIssuerSigningKey is set to false. This is a serious security risk and should only be used in development environments");
+            }
+
+            logger.LogInformation("Authentication configuration validated successfully");
+            logger.LogInformation("  Authority: {Authority}", Authority);
+            logger.LogInformation("  Audience: {Audience}", Audience);
+            logger.LogInformation("  ValidateIssuer: {ValidateIssuer}", ValidateIssuer);
+            logger.LogInformation("  ValidateAudience: {ValidateAudience}", ValidateAudience);
+            logger.LogInformation("  ValidateLifetime: {ValidateLifetime}", ValidateLifetime);
+            logger.LogInformation("  ValidateIssuerSigningKey: {ValidateIssuerSigningKey}", ValidateIssuerSigningKey);
+            logger.LogInformation("  RequireHttpsMetadata: {RequireHttpsMetadata}", RequireHttpsMetadata);
+        }
+    }
+}

src/ServiceControl/Infrastructure/Settings/Settings.cs

@@ -37,6 +37,8 @@ public Settings(
 
             LoadErrorIngestionSettings();
 
+            OpenIdConnectSettings = new OpenIdConnectSettings(ValidateConfiguration);
+
             TransportConnectionString = GetConnectionString();
             TransportType = transportType ?? SettingsReader.Read<string>(SettingsRootNamespace, "TransportType");
             PersistenceType = persisterType ?? SettingsReader.Read<string>(SettingsRootNamespace, "PersistenceType");
@@ -181,6 +183,8 @@ public TimeSpan HeartbeatGracePeriod
 
         public bool DisableHealthChecks { get; set; }
 
+        public OpenIdConnectSettings OpenIdConnectSettings { get; }
+
         // The default value is set to the maximum allowed time by the most
         // restrictive hosting platform, which is Linux containers. Linux
         // containers allow for a maximum of 10 seconds. We set it to 5 to

src/ServiceControl/Infrastructure/WebApi/Cors.cs

@@ -10,7 +10,7 @@ public static CorsPolicy GetDefaultPolicy()
 
             builder.AllowAnyOrigin();
             builder.WithExposedHeaders(["ETag", "Last-Modified", "Link", "Total-Count", "X-Particular-Version", "Content-Disposition"]);
-            builder.WithHeaders(["Origin", "X-Requested-With", "Content-Type", "Accept"]);
+            builder.WithHeaders(["Origin", "X-Requested-With", "Content-Type", "Accept", "Authorization"]);
             builder.WithMethods(["POST", "GET", "PUT", "DELETE", "OPTIONS", "PATCH", "HEAD"]);
 
             return builder.Build();

src/ServiceControl/ServiceControl.csproj

@@ -28,7 +28,11 @@
   </ItemGroup>
 
   <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" />
     <PackageReference Include="Microsoft.Extensions.Hosting.WindowsServices" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
+    <PackageReference Include="Microsoft.IdentityModel.Tokens" />
     <PackageReference Include="NServiceBus.CustomChecks" />
     <PackageReference Include="NServiceBus.Extensions.Hosting" />
     <PackageReference Include="NServiceBus.Extensions.Logging" />

src/ServiceControl/WebApplicationExtensions.cs

@@ -7,14 +7,27 @@ namespace ServiceControl;
 
 public static class WebApplicationExtensions
 {
-    public static void UseServiceControl(this WebApplication app)
+    public static void UseServiceControl(this WebApplication app, bool authenticationEnabled = false)
     {
         app.UseForwardedHeaders(new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.All });
         app.UseResponseCompression();
         app.UseMiddleware<BodyUrlRouteFix>();
         app.UseHttpLogging();
         app.MapHub<MessageStreamerHub>("/api/messagestream");
         app.UseCors();
-        app.MapControllers();
+
+        // Always add middleware (harmless when not configured)
+        app.UseAuthentication();
+        app.UseAuthorization();
+
+        // Only require authorization if authentication is enabled
+        if (authenticationEnabled)
+        {
+            app.MapControllers().RequireAuthorization();
+        }
+        else
+        {
+            app.MapControllers();
+        }
     }
 }