Add ServicePulse-specific OIDC configuration and endpoint

jasontaylordev · jasontaylordev · commit f8e77ffeebd3 · 2025-12-05T11:41:26.000+10:00
diff --git a/src/ServiceControl/App.config b/src/ServiceControl/App.config
@@ -31,15 +31,20 @@ These settings are only here so that we can debug ServiceControl while developin
     <!-- Authentication Settings (JWT with OpenID Connect) -->
     <!-- Uncomment and configure to enable authentication -->
     <!-- Leaving 'Authentication.Enabled' commented out defaults authentication to 'false'-->
-    <!--<add key="ServiceControl/Authentication.Enabled" value="false" />
-    <add key="ServiceControl/Authentication.Authority" value="" />
-    <add key="ServiceControl/Authentication.Audience" value="" />-->
+    <add key="ServiceControl/Authentication.Enabled" value="true" />
+    <add key="ServiceControl/Authentication.Authority" value="https://login.microsoftonline.com/bf54c0f1-b0c5-406c-9d9a-013ab0361764" />
+    <add key="ServiceControl/Authentication.Audience" value="api://78726835-cedc-4ec1-b452-6b8983d31495" />
     <!-- Optional Authentication Settings (defaults shown) -->
     <!--<add key="ServiceControl/Authentication.ValidateIssuer" value="true" />
     <add key="ServiceControl/Authentication.ValidateAudience" value="true" />
     <add key="ServiceControl/Authentication.ValidateLifetime" value="true" />
     <add key="ServiceControl/Authentication.ValidateIssuerSigningKey" value="true" />
     <add key="ServiceControl/Authentication.RequireHttpsMetadata" value="true" />-->
+	<!-- ServicePulse Authentication Settings -->
+	<add key="ServiceControl/Authentication.ServicePulse.Enabled" value="true" />
+	<add key="ServiceControl/Authentication.ServicePulse.ClientId" value="1ca862df-9a0a-4f7d-87a7-d84732d83dfe" />
+	<add key="ServiceControl/Authentication.ServicePulse.Authority" value="https://login.microsoftonline.com/bf54c0f1-b0c5-406c-9d9a-013ab0361764/v2.0" />
+	<add key="ServiceControl/Authentication.ServicePulse.ApiScope" value="api://78726835-cedc-4ec1-b452-6b8983d31495/api.access" />
   </appSettings>
   <connectionStrings>
     <!-- DEVS - Pick a transport connection string to match chosen transport above -->
diff --git a/src/ServiceControl/Authentication/AuthenticationController.cs b/src/ServiceControl/Authentication/AuthenticationController.cs
@@ -0,0 +1,35 @@
+﻿namespace ServiceControl.Authentication
+{
+    using Microsoft.AspNetCore.Authorization;
+    using Microsoft.AspNetCore.Mvc;
+    using ServiceBus.Management.Infrastructure.Settings;
+
+    [ApiController]
+    [Route("api/authentication")]
+    public class AuthenticationController(Settings settings) : ControllerBase
+    {
+        [HttpGet]
+        [AllowAnonymous]
+        [Route("configuration")]
+        public ActionResult<AuthConfig> Configuration()
+        {
+            var info = new AuthConfig
+            {
+                Enabled = settings.OpenIdConnectSettings.ServicePulseEnabled,
+                ClientId = settings.OpenIdConnectSettings.ServicePulseClientId,
+                Authority = settings.OpenIdConnectSettings.ServicePulseAuthority,
+                ApiScope = settings.OpenIdConnectSettings.ServicePulseApiScope
+            };
+
+            return Ok(info);
+        }
+    }
+
+    public class AuthConfig
+    {
+        public bool Enabled { get; set; }
+        public string ClientId { get; set; }
+        public string Authority { get; set; }
+        public string ApiScope { get; set; }
+    }
+}
diff --git a/src/ServiceControl/Infrastructure/Settings/OpenIdConnectSettings.cs b/src/ServiceControl/Infrastructure/Settings/OpenIdConnectSettings.cs
@@ -27,6 +27,15 @@ public OpenIdConnectSettings(bool validateConfiguration)
             ValidateIssuerSigningKey = SettingsReader.Read(Settings.SettingsRootNamespace, "Authentication.ValidateIssuerSigningKey", true);
             RequireHttpsMetadata = SettingsReader.Read(Settings.SettingsRootNamespace, "Authentication.RequireHttpsMetadata", true);
 
+            ServicePulseEnabled = SettingsReader.Read(Settings.SettingsRootNamespace, "Authentication.ServicePulse.Enabled", false);
+
+            if (ServicePulseEnabled)
+            {
+                ServicePulseClientId = SettingsReader.Read<string>(Settings.SettingsRootNamespace, "Authentication.ServicePulse.ClientId");
+                ServicePulseApiScope = SettingsReader.Read<string>(Settings.SettingsRootNamespace, "Authentication.ServicePulse.ApiScope");
+                ServicePulseAuthority = SettingsReader.Read<string>(Settings.SettingsRootNamespace, "Authentication.ServicePulse.Authority");
+            }
+
             if (validateConfiguration)
             {
                 Validate();
@@ -57,6 +66,18 @@ public OpenIdConnectSettings(bool validateConfiguration)
         [JsonPropertyName("requireHttpsMetadata")]
         public bool RequireHttpsMetadata { get; }
 
+        [JsonPropertyName("servicePulseEnabled")]
+        public bool ServicePulseEnabled { get; }
+
+        [JsonPropertyName("servicePulseAuthority")]
+        public string ServicePulseAuthority { get; }
+
+        [JsonPropertyName("servicePulseClientId")]
+        public string ServicePulseClientId { get; }
+
+        [JsonPropertyName("servicePulseApiScope")]
+        public string ServicePulseApiScope { get; }
+
         void Validate()
         {
             if (!Enabled)
@@ -112,6 +133,24 @@ void Validate()
                 logger.LogWarning("Authentication.ValidateIssuerSigningKey is set to false. This is a serious security risk and should only be used in development environments");
             }
 
+            if (ServicePulseEnabled)
+            {
+                if (string.IsNullOrWhiteSpace(ServicePulseClientId))
+                {
+                    throw new Exception("Authentication.ServicePulse.ClientId is required when Authentication.ServicePulse.Enabled is true.");
+                }
+
+                if (string.IsNullOrWhiteSpace(ServicePulseApiScope))
+                {
+                    throw new Exception("Authentication.ServicePulse.ApiScope is required when Authentication.ServicePulse.Enabled is true.");
+                }
+
+                if (ServicePulseAuthority != null && !Uri.TryCreate(ServicePulseAuthority, UriKind.Absolute, out _))
+                {
+                    throw new Exception("Authentication.ServicePulse.Authority must be a valid absolute URI if provided.");
+                }
+            }
+
             logger.LogInformation("Authentication configuration validated successfully");
             logger.LogInformation("  Authority: {Authority}", Authority);
             logger.LogInformation("  Audience: {Audience}", Audience);
@@ -120,6 +159,10 @@ void Validate()
             logger.LogInformation("  ValidateLifetime: {ValidateLifetime}", ValidateLifetime);
             logger.LogInformation("  ValidateIssuerSigningKey: {ValidateIssuerSigningKey}", ValidateIssuerSigningKey);
             logger.LogInformation("  RequireHttpsMetadata: {RequireHttpsMetadata}", RequireHttpsMetadata);
+            logger.LogInformation("  ServicePulseEnabled: {ServicePulseEnabled}", ServicePulseEnabled);
+            logger.LogInformation("  ServicePulseClientId: {ServicePulseClientId}", ServicePulseClientId);
+            logger.LogInformation("  ServicePulseAuthority: {ServicePulseAuthority}", ServicePulseAuthority);
+            logger.LogInformation("  ServicePulseApiScope: {ServicePulseApiScope}", ServicePulseApiScope);
         }
     }
 }
