Particular
diff --git a/‎docs/authentication.md‎
Lines changed: 212 additions & 0 deletions b/‎docs/authentication.md‎
Lines changed: 212 additions & 0 deletions
diff --git a/‎docs/forwarded-headers.md‎
Lines changed: 132 additions & 0 deletions b/‎docs/forwarded-headers.md‎
Lines changed: 132 additions & 0 deletions
@@ -0,0 +1,212 @@
+# Authentication Configuration
+
+ServiceControl instances can be configured to require JWT authentication using OpenID Connect (OIDC). This enables integration with identity providers like Microsoft Entra ID (Azure AD), Okta, Auth0, and other OIDC-compliant providers.
+
+## Configuration
+
+ServiceControl instances can be configured via environment variables or App.config. Each instance type uses a different prefix.
+
+### Environment Variables
+
+| Instance | Prefix |
+|----------|--------|
+| ServiceControl (Primary) | `SERVICECONTROL_` |
+| ServiceControl.Audit | `SERVICECONTROL_AUDIT_` |
+| ServiceControl.Monitoring | `MONITORING_` |
+
+#### Core Settings
+
+| Setting | Default | Description |
+|---------|---------|-------------|
+| `{PREFIX}AUTHENTICATION_ENABLED` | `false` | Enable JWT authentication |
+| `{PREFIX}AUTHENTICATION_AUTHORITY` | (none) | OpenID Connect authority URL (e.g., `https://login.microsoftonline.com/{tenant-id}/v2.0`) |
+| `{PREFIX}AUTHENTICATION_AUDIENCE` | (none) | The audience identifier (typically your API identifier or client ID) |
+
+#### Validation Settings
+
+| Setting | Default | Description |
+|---------|---------|-------------|
+| `{PREFIX}AUTHENTICATION_VALIDATEISSUER` | `true` | Validate the token issuer |
+| `{PREFIX}AUTHENTICATION_VALIDATEAUDIENCE` | `true` | Validate the token audience |
+| `{PREFIX}AUTHENTICATION_VALIDATELIFETIME` | `true` | Validate token expiration |
+| `{PREFIX}AUTHENTICATION_VALIDATEISSUERSIGNINGKEY` | `true` | Validate the signing key |
+| `{PREFIX}AUTHENTICATION_REQUIREHTTPSMETADATA` | `true` | Require HTTPS for OIDC metadata endpoint |
+
+#### ServicePulse Settings (Primary Instance Only)
+
+These settings are required on the primary ServiceControl instance to provide authentication configuration to ServicePulse clients.
+
+| Setting | Default | Description |
+|---------|---------|-------------|
+| `{PREFIX}AUTHENTICATION_SERVICEPULSE_CLIENTID` | (none) | Client ID for ServicePulse application |
+| `{PREFIX}AUTHENTICATION_SERVICEPULSE_AUTHORITY` | (none) | Authority URL for ServicePulse (defaults to main Authority if not set) |
+| `{PREFIX}AUTHENTICATION_SERVICEPULSE_APISCOPES` | (none) | JSON array of API scopes (e.g., `["api://servicecontrol/access_as_user"]`) |
+
+### App.config
+
+| Instance | Key Prefix |
+|----------|------------|
+| ServiceControl (Primary) | `ServiceControl/` |
+| ServiceControl.Audit | `ServiceControl.Audit/` |
+| ServiceControl.Monitoring | `Monitoring/` |
+
+```xml
+<appSettings>
+  <!-- Core Authentication Settings -->
+  <add key="ServiceControl/Authentication.Enabled" value="true" />
+  <add key="ServiceControl/Authentication.Authority" value="https://login.microsoftonline.com/{tenant-id}/v2.0" />
+  <add key="ServiceControl/Authentication.Audience" value="api://servicecontrol" />
+
+  <!-- Validation Settings (defaults shown - recommended for production) -->
+  <add key="ServiceControl/Authentication.ValidateIssuer" value="true" />
+  <add key="ServiceControl/Authentication.ValidateAudience" value="true" />
+  <add key="ServiceControl/Authentication.ValidateLifetime" value="true" />
+  <add key="ServiceControl/Authentication.ValidateIssuerSigningKey" value="true" />
+  <add key="ServiceControl/Authentication.RequireHttpsMetadata" value="true" />
+
+  <!-- ServicePulse Settings (Primary Instance Only) -->
+  <add key="ServiceControl/Authentication.ServicePulse.ClientId" value="{servicepulse-client-id}" />
+  <add key="ServiceControl/Authentication.ServicePulse.ApiScopes" value="[&quot;api://servicecontrol/access_as_user&quot;]" />
+</appSettings>
+```
+
+## Examples
+
+### Microsoft Entra ID (Azure AD)
+
+```cmd
+set SERVICECONTROL_AUTHENTICATION_ENABLED=true
+set SERVICECONTROL_AUTHENTICATION_AUTHORITY=https://login.microsoftonline.com/{tenant-id}/v2.0
+set SERVICECONTROL_AUTHENTICATION_AUDIENCE=api://servicecontrol
+set SERVICECONTROL_AUTHENTICATION_SERVICEPULSE_CLIENTID={servicepulse-client-id}
+set SERVICECONTROL_AUTHENTICATION_SERVICEPULSE_APISCOPES=["api://servicecontrol/access_as_user"]
+```
+
+### Docker Example
+
+```cmd
+docker run -p 33333:33333 -e SERVICECONTROL_AUTHENTICATION_ENABLED=true -e SERVICECONTROL_AUTHENTICATION_AUTHORITY=https://login.microsoftonline.com/{tenant-id}/v2.0 -e SERVICECONTROL_AUTHENTICATION_AUDIENCE=api://servicecontrol -e SERVICECONTROL_AUTHENTICATION_SERVICEPULSE_CLIENTID={servicepulse-client-id} -e "SERVICECONTROL_AUTHENTICATION_SERVICEPULSE_APISCOPES=[\"api://servicecontrol/.default\"]" particular/servicecontrol:latest
+```
+
+### Audit and Monitoring Instances
+
+Audit and Monitoring instances don't require ServicePulse settings:
+
+```cmd
+set SERVICECONTROL_AUDIT_AUTHENTICATION_ENABLED=true
+set SERVICECONTROL_AUDIT_AUTHENTICATION_AUTHORITY=https://login.microsoftonline.com/{tenant-id}/v2.0
+set SERVICECONTROL_AUDIT_AUTHENTICATION_AUDIENCE=api://servicecontrol
+```
+
+```cmd
+set MONITORING_AUTHENTICATION_ENABLED=true
+set MONITORING_AUTHENTICATION_AUTHORITY=https://login.microsoftonline.com/{tenant-id}/v2.0
+set MONITORING_AUTHENTICATION_AUDIENCE=api://servicecontrol
+```
+
+## How It Works
+
+When authentication is enabled:
+
+1. Most API requests must include a valid JWT bearer token in the `Authorization` header
+2. ServiceControl validates the token against the configured authority
+3. The token must have the correct audience and not be expired
+4. ServicePulse retrieves authentication configuration from the `/api/authentication/configuration` endpoint
+
+### Anonymous Endpoints
+
+The following endpoints are accessible without authentication, even when authentication is enabled:
+
+| Endpoint | Purpose |
+|----------|---------|
+| `/api` | API root/discovery - returns available endpoints and API information |
+| `/api/authentication/configuration` | Returns authentication configuration for clients like ServicePulse |
+
+These endpoints must remain accessible so clients can discover API capabilities and obtain the authentication configuration needed to acquire tokens.
+
+### Request Flow
+
+```mermaid
+flowchart TD
+    Client[Client Request] --> Header[Authorization: Bearer token]
+    Header --> Validate{ServiceControl validates token}
+
+    Validate --> |Valid| Process[Request processed]
+    Validate --> |Invalid| Reject[401 Unauthorized]
+
+    subgraph Validation
+        V1[Issuer matches Authority]
+        V2[Audience matches configured]
+        V3[Token not expired]
+        V4[Signature is valid]
+    end
+
+    Validate -.-> Validation
+```
+
+## Security Considerations
+
+### HTTPS Recommended
+
+When authentication is enabled, HTTPS is strongly recommended for production deployments. Without HTTPS, JWT tokens are transmitted in plain text and can be intercepted by attackers. Use either:
+
+- **Direct HTTPS**: Configure ServiceControl with a certificate (see [HTTPS Configuration](https-configuration.md))
+- **Reverse Proxy**: Terminate SSL at a reverse proxy (NGINX, Traefik, cloud load balancer)
+
+### Production Settings
+
+The default validation settings are recommended for production:
+
+| Setting | Recommendation |
+|---------|----------------|
+| `ValidateIssuer` | `true` - Prevents tokens from untrusted issuers |
+| `ValidateAudience` | `true` - Prevents tokens intended for other applications |
+| `ValidateLifetime` | `true` - Prevents expired tokens |
+| `ValidateIssuerSigningKey` | `true` - Ensures token signature is valid |
+| `RequireHttpsMetadata` | `true` - Ensures OIDC metadata is fetched securely |
+
+### Development Settings
+
+For local development with a test identity provider, you may need to relax some settings:
+
+```cmd
+set SERVICECONTROL_AUTHENTICATION_REQUIREHTTPSMETADATA=false
+```
+
+> **Warning:** Never disable validation settings in production. Doing so can expose your system to serious security vulnerabilities.
+
+### HTTPS Requirement
+
+When `RequireHttpsMetadata` is `true` (the default), the Authority URL must use HTTPS. This ensures that the OIDC metadata (including signing keys) is fetched over a secure connection.
+
+## Configuring Identity Providers
+
+### Microsoft Entra ID (Azure AD)
+
+1. Register an application in Azure AD for ServiceControl API
+2. Register a separate application for ServicePulse (SPA)
+3. Configure API permissions and expose an API scope
+4. Set the Authority to `https://login.microsoftonline.com/{tenant-id}/v2.0`
+5. Set the Audience to your API application ID URI (e.g., `api://servicecontrol`)
+
+### Other OIDC Providers
+
+ServiceControl works with any OIDC-compliant provider. Configure:
+
+- **Authority**: The issuer URL from your provider's OIDC discovery document
+- **Audience**: The identifier configured for your API in the provider
+
+## Testing Other Instances
+
+The primary ServiceControl instance requires ServicePulse settings because it serves the `/api/auth/config` endpoint that ServicePulse uses to configure its authentication. Audit and Monitoring instances only need the core authentication settings.
+
+| Instance | Requires ServicePulse Settings |
+|----------|-------------------------------|
+| ServiceControl (Primary) | Yes |
+| ServiceControl.Audit | No |
+| ServiceControl.Monitoring | No |
+
+## See Also
+
+- [Forwarded Headers Configuration](forwarded-headers.md) - Configure forwarded headers when behind a reverse proxy
+- [HTTPS Configuration](https-configuration.md) - Configure direct HTTPS
@@ -0,0 +1,132 @@
+# Forwarded Headers Configuration
+
+When ServiceControl instances are deployed behind a reverse proxy (like NGINX, Traefik, or a cloud load balancer) that terminates SSL/TLS, you need to configure forwarded headers so ServiceControl correctly understands the original client request.
+
+## Configuration
+
+ServiceControl instances can be configured via environment variables or App.config. Each instance type uses a different prefix.
+
+### Environment Variables
+
+| Instance | Prefix |
+|----------|--------|
+| ServiceControl (Primary) | `SERVICECONTROL_` |
+| ServiceControl.Audit | `SERVICECONTROL_AUDIT_` |
+| ServiceControl.Monitoring | `MONITORING_` |
+
+| Setting | Default | Description |
+|---------|---------|-------------|
+| `{PREFIX}FORWARDEDHEADERS_ENABLED` | `true` | Enable forwarded headers processing |
+| `{PREFIX}FORWARDEDHEADERS_TRUSTALLPROXIES` | `true` | Trust all proxies (auto-disabled if known proxies/networks set) |
+| `{PREFIX}FORWARDEDHEADERS_KNOWNPROXIES` | (none) | Comma-separated IP addresses of trusted proxies |
+| `{PREFIX}FORWARDEDHEADERS_KNOWNNETWORKS` | (none) | Comma-separated CIDR networks (e.g., `10.0.0.0/8,172.16.0.0/12`) |
+
+### App.config
+
+| Instance | Key Prefix |
+|----------|------------|
+| ServiceControl (Primary) | `ServiceControl/` |
+| ServiceControl.Audit | `ServiceControl.Audit/` |
+| ServiceControl.Monitoring | `Monitoring/` |
+
+```xml
+<appSettings>
+  <add key="ServiceControl/ForwardedHeaders.Enabled" value="true" />
+  <add key="ServiceControl/ForwardedHeaders.TrustAllProxies" value="false" />
+  <add key="ServiceControl/ForwardedHeaders.KnownProxies" value="127.0.0.1,10.0.0.5" />
+  <add key="ServiceControl/ForwardedHeaders.KnownNetworks" value="10.0.0.0/8,172.16.0.0/12" />
+</appSettings>
+```
+
+## Examples
+
+### Trust all proxies (default, suitable for containers)
+
+```cmd
+docker run -p 33333:33333 -e SERVICECONTROL_FORWARDEDHEADERS_ENABLED=true particular/servicecontrol:latest
+```
+
+### Restrict to specific proxies
+
+```cmd
+docker run -p 33333:33333 -e SERVICECONTROL_FORWARDEDHEADERS_ENABLED=true -e SERVICECONTROL_FORWARDEDHEADERS_KNOWNPROXIES=127.0.0.1,10.0.0.5 particular/servicecontrol:latest
+```
+
+### Restrict to specific networks
+
+```cmd
+docker run -p 33333:33333 -e SERVICECONTROL_FORWARDEDHEADERS_ENABLED=true -e SERVICECONTROL_FORWARDEDHEADERS_KNOWNNETWORKS=10.0.0.0/8,172.16.0.0/12 particular/servicecontrol:latest
+```
+
+When `KNOWNPROXIES` or `KNOWNNETWORKS` are set, `TRUSTALLPROXIES` is automatically disabled.
+
+## What Headers Are Processed
+
+When enabled, ServiceControl processes:
+
+- `X-Forwarded-For` - Original client IP address
+- `X-Forwarded-Proto` - Original protocol (http/https)
+- `X-Forwarded-Host` - Original host header
+
+## HTTP to HTTPS Redirect
+
+When using a reverse proxy that terminates SSL, you can configure ServiceControl to redirect HTTP requests to HTTPS. This works in combination with forwarded headers:
+
+1. The reverse proxy forwards both HTTP and HTTPS requests to ServiceControl
+2. The proxy sets `X-Forwarded-Proto` to indicate the original protocol
+3. ServiceControl reads this header (via forwarded headers processing)
+4. If the original request was HTTP and redirect is enabled, ServiceControl returns a redirect to HTTPS
+
+To enable HTTP to HTTPS redirect:
+
+```cmd
+set SERVICECONTROL_HTTPS_REDIRECTHTTPTOHTTPS=true
+set SERVICECONTROL_HTTPS_PORT=443
+```
+
+Or in App.config:
+
+```xml
+<appSettings>
+  <add key="ServiceControl/Https.RedirectHttpToHttps" value="true" />
+  <add key="ServiceControl/Https.Port" value="443" />
+</appSettings>
+```
+
+## Proxy Chain Behavior (ForwardLimit)
+
+When processing `X-Forwarded-For` headers with multiple IPs (proxy chains), the behavior depends on trust configuration:
+
+| Configuration | ForwardLimit | Behavior |
+|---------------|--------------|----------|
+| `TrustAllProxies = true` | `null` (no limit) | Processes all IPs, returns original client IP |
+| `TrustAllProxies = false` | `1` (default) | Processes only the last proxy IP |
+
+For example, with `X-Forwarded-For: 203.0.113.50, 10.0.0.1, 192.168.1.1`:
+
+- **TrustAllProxies = true**: Returns `203.0.113.50` (original client)
+- **TrustAllProxies = false**: Returns `192.168.1.1` (last proxy)
+
+## Security Considerations
+
+By default, `TrustAllProxies` is `true`, which is suitable for container deployments where the proxy is trusted infrastructure. For production deployments with untrusted networks, consider restricting to known proxies or networks to prevent header spoofing attacks.
+
+### Forwarded Headers Behavior
+
+When the proxy is trusted:
+
+- `Request.Scheme` will be set from `X-Forwarded-Proto` (e.g., `https`)
+- `Request.Host` will be set from `X-Forwarded-Host` (e.g., `servicecontrol.example.com`)
+- Client IP will be available from `X-Forwarded-For`
+
+When the proxy is **not** trusted (incorrect `KnownProxies`):
+
+- `X-Forwarded-*` headers are **ignored** (not applied to the request)
+- `Request.Scheme` remains `http`
+- `Request.Host` remains the internal hostname
+- The request is still processed (not blocked)
+
+## See Also
+
+- [Local Forwarded Headers Testing](local-forward-headers-testing.md) - Test forwarded headers configuration with curl
+- [Local Reverse Proxy Testing](local-reverseproxy-testing.md) - Guide for testing with NGINX reverse proxy locally