Allow multiple api scopes, or none. Add client audience config setting

Author: warwickschroeder

src/ServiceControl/App.config

@@ -7,7 +7,7 @@ These settings are only here so that we can debug ServiceControl while developin
   <appSettings>
     <add key="ServiceControl/ForwardErrorMessages" value="false" />
     <add key="ServiceControl/ErrorRetentionPeriod" value="10.00:00:00" />
-    <add key="ServiceControl/RemoteInstances" value="[{&quot;api_uri&quot;:&quot;http://localhost:44444/api/&quot;}]" />
+    <add key="ServiceControl/RemoteInstances" value="[]" />
     <add key="ServiceControl/HostName" value="localhost" />
     <add key="ServiceControl/DatabaseMaintenancePort" value="33334" />
     <add key="ServiceControl/AllowMessageEditing" value="true" />
@@ -24,9 +24,9 @@ These settings are only here so that we can debug ServiceControl while developin
 
     <add key="ServiceControl/PersistenceType" value="RavenDB" />
 
-	<!-- options are any comma separated combination of NLog,Seq,Otlp -->
-	<add key="ServiceControl/LoggingProviders" value="NLog,Seq"/>
-	<add key="ServiceControl/SeqAddress" value="http://localhost:5341"/>
+	  <!-- options are any comma separated combination of NLog,Seq,Otlp -->
+	  <add key="ServiceControl/LoggingProviders" value="NLog,Seq"/>
+	  <add key="ServiceControl/SeqAddress" value="http://localhost:5341"/>
 
     <!-- Authentication Settings (JWT with OpenID Connect) -->
     <!-- Uncomment and configure to enable authentication -->
@@ -40,11 +40,12 @@ These settings are only here so that we can debug ServiceControl while developin
     <add key="ServiceControl/Authentication.ValidateLifetime" value="true" />
     <add key="ServiceControl/Authentication.ValidateIssuerSigningKey" value="true" />
     <add key="ServiceControl/Authentication.RequireHttpsMetadata" value="true" />-->
-	<!-- ServicePulse Authentication Settings -->
-	<!-- <add key="ServiceControl/Authentication.ServicePulse.Enabled" value="false" />
-	<add key="ServiceControl/Authentication.ServicePulse.ClientId" value="" />
-	<add key="ServiceControl/Authentication.ServicePulse.Authority" value="" />
-	<add key="ServiceControl/Authentication.ServicePulse.ApiScope" value="" /> -->
+
+    <!-- ServicePulse Authentication Settings -->
+    <!--<add key="ServiceControl/Authentication.ServicePulse.ClientId" value="" />
+    <add key="ServiceControl/Authentication.ServicePulse.Authority" value="" />
+    <add key="ServiceControl/Authentication.ServicePulse.Audience" value="" />
+    <add key="ServiceControl/Authentication.ServicePulse.ApiScopes" value="" />-->
   </appSettings>
   <connectionStrings>
     <!-- DEVS - Pick a transport connection string to match chosen transport above -->

src/ServiceControl/Authentication/AuthenticationController.cs

@@ -18,7 +18,8 @@ public ActionResult<AuthConfig> Configuration()
                 Enabled = settings.OpenIdConnectSettings.Enabled,
                 ClientId = settings.OpenIdConnectSettings.ServicePulseClientId,
                 Authority = settings.OpenIdConnectSettings.ServicePulseAuthority,
-                ApiScope = settings.OpenIdConnectSettings.ServicePulseApiScope
+                Audience = settings.OpenIdConnectSettings.Audience,
+                ApiScopes = settings.OpenIdConnectSettings.ServicePulseApiScopes
             };
 
             return Ok(info);
@@ -30,6 +31,7 @@ public class AuthConfig
         public bool Enabled { get; set; }
         public string ClientId { get; set; }
         public string Authority { get; set; }
-        public string ApiScope { get; set; }
+        public string Audience { get; set; }
+        public string ApiScopes { get; set; }
     }
 }

src/ServiceControl/Infrastructure/Settings/OpenIdConnectSettings.cs

@@ -27,7 +27,7 @@ public OpenIdConnectSettings(bool validateConfiguration)
             ValidateIssuerSigningKey = SettingsReader.Read(Settings.SettingsRootNamespace, "Authentication.ValidateIssuerSigningKey", true);
             RequireHttpsMetadata = SettingsReader.Read(Settings.SettingsRootNamespace, "Authentication.RequireHttpsMetadata", true);
             ServicePulseClientId = SettingsReader.Read<string>(Settings.SettingsRootNamespace, "Authentication.ServicePulse.ClientId");
-            ServicePulseApiScope = SettingsReader.Read<string>(Settings.SettingsRootNamespace, "Authentication.ServicePulse.ApiScope");
+            ServicePulseApiScopes = SettingsReader.Read<string>(Settings.SettingsRootNamespace, "Authentication.ServicePulse.ApiScopes");
             ServicePulseAuthority = SettingsReader.Read<string>(Settings.SettingsRootNamespace, "Authentication.ServicePulse.Authority");
 
             if (validateConfiguration)
@@ -63,11 +63,14 @@ public OpenIdConnectSettings(bool validateConfiguration)
         [JsonPropertyName("servicePulseAuthority")]
         public string ServicePulseAuthority { get; }
 
+        [JsonPropertyName("servicePulseAudience")]
+        public string ServicePulseAudience { get; }
+
         [JsonPropertyName("servicePulseClientId")]
         public string ServicePulseClientId { get; }
 
-        [JsonPropertyName("servicePulseApiScope")]
-        public string ServicePulseApiScope { get; }
+        [JsonPropertyName("servicePulseApiScopes")]
+        public string ServicePulseApiScopes { get; }
 
         void Validate()
         {
@@ -129,10 +132,10 @@ void Validate()
                 throw new Exception("Authentication.ServicePulse.ClientId is required when Authentication.ServicePulse.Enabled is true.");
             }
 
-            if (string.IsNullOrWhiteSpace(ServicePulseApiScope))
-            {
-                throw new Exception("Authentication.ServicePulse.ApiScope is required when Authentication.ServicePulse.Enabled is true.");
-            }
+            //if (string.IsNullOrWhiteSpace(ServicePulseApiScope))
+            //{
+            //    throw new Exception("Authentication.ServicePulse.ApiScope is required when Authentication.ServicePulse.Enabled is true.");
+            //}
 
             if (ServicePulseAuthority != null && !Uri.TryCreate(ServicePulseAuthority, UriKind.Absolute, out _))
             {
@@ -149,7 +152,8 @@ void Validate()
             logger.LogInformation("  RequireHttpsMetadata: {RequireHttpsMetadata}", RequireHttpsMetadata);
             logger.LogInformation("  ServicePulseClientId: {ServicePulseClientId}", ServicePulseClientId);
             logger.LogInformation("  ServicePulseAuthority: {ServicePulseAuthority}", ServicePulseAuthority);
-            logger.LogInformation("  ServicePulseApiScope: {ServicePulseApiScope}", ServicePulseApiScope);
+            logger.LogInformation("  ServicePulseAudience: {ServicePulseAudience}", ServicePulseAudience);
+            logger.LogInformation("  ServicePulseApiScopes: {ServicePulseApiScopes}", ServicePulseApiScopes);
         }
     }
 }