Add Authentication and Authorization Support to the ServiceControl REST API

[fafachd]

Describe the feature.

Is your feature related to a problem? Please describe.

There is currently no way to secure access to ServicePulse / ServiceControl API which exposes the traffic to everyone on the network.

Describe the requested feature

Include support for authentication, authorization, and TLS/SSL. Support JWT bearer tokens, OpenID Connect, and OAuth 2.0, with ServicePulse authentication configuration automatically fed from the ServiceControl API. Authentication defaults to disabled for backward compatibility.

Add direct HTTPS hosting via Kestrel, HTTPS redirect, HSTS configuration, and improved security controls for CORS and reverse proxy scenarios. Include comprehensive documentation covering all security configuration options and best practices at https://docs.particular.net.

Additional Context

These features cannot be used with ServiceInsight. Please note that its core features have been moved to ServicePulse, which is now the recommended tool for monitoring and debugging distributed systems.
New development on ServiceInsight has stopped.

Original feature request

See the following for background:

• Login screen ServicePulse#3

There needs to be a way to do authentication and authorization on the SC REST API so IT OPS can run ServiceInsight on their desktops without exposing the REST API to everyone on the network.
The alternative is to have IT Ops remote into the server, but in larger orgs this access is very difficult to obtain.

[wooliet]

+1
Gaining access to anything in a moderately sized org is almost universally a painful process (especially as an outside contractor). Their ability to keep the production server locked down while still granting access to the web service is critical.

[jarrettv]

+1 agree

+1 Totally the case here - this would be a great improvement.

[rsutkowski]

WE NEED THIS!!!! Production servers are so locked down, nobody outside of the production control group has access nor will ever get access. PLEASE MAKE THIS A PRIORITY!

[fafachd]

Any update on this, @johnsimons or @andreasohlund?

[johnsimons]

No updates @fafachd, at the moment we are focusing on performance improvements.

@Particular/servicecontrol-maintainers should we raise this in plat dev ?

[gbiellem]

@johnsimons I'd say yes as it concerns multiple products.

[johnsimons]

This issue has been raised internally in plat dev.

@fafachd thanks a lot for starting this discussion, the way we manage this kind of suggestions, is by raising them internally in a private repo, where we prioritise it and manage it from now on.
So with that in mind, I'll close this suggestion for now, and once we are ready to act on it we will reopen it. This does not mean we will not be working on it.