Commit 4a1464b

warwickschroeder, jasontaylordev and warwick-exia authored
Add authentication and SSL/TLS to ServiceControl (#5197)
* Add initial authentication supporting JWT tokens, OpenID Connect, OAuth2.0
* Add ServicePulse-specific OIDC configuration and endpoint
* Update src/ServiceControl/App.config
  Co-authored-by: Warwick Schroeder <warwick.schroeder@particular.net>
* Update src/ServiceControl/App.config
  Co-authored-by: Warwick Schroeder <warwick.schroeder@particular.net>
* Remove SP enabled flag
* Update approved routes and settings
* Allow multiple api scopes, or none. Add client audience config setting
* Add auth to other instances
* Rename to ApiScopes
* Add additional options for flexible and secure hosting; SSL/TLS, Reverse Proxy, Direct HTTPS, CORS
* Remove previously added rate limit for anon api
* Forward auth header
* Allow Anon for CheckRemotes
* Remove unused rate limiting middleware
* MapControllers correctly
* Upgrade package
* Update local testing files. Add debug endpoint for dev.
* Update reverse proxy test file
* Update HTTPS config and documentation
* Update documentation for authentication
* Add forward header tests for all instances. Add links to additional documentation in readme
* Add more manual testing scenarios to docs. Rename files.
* Clean doc formatting. Update hosting guide.
* Update internal auth docs. Fix issue with server-to-server remote instance checks with auth.
* Move public docs content to the docs PR
* Clean servicecontrol hosting guide. Move content to docs RP (WIP)
* Move public docs into docs PR
* Clean forward header tests and add comments
* Fix build issues
* fix breaking tests. Add unit tests for security settings
* Add security acceptance tests for Primary instance
* Add CORS acceptance tests to audit and monitoring.
* Add HTTPS acceptance tests to audit and monitoring
* Add OpenID Connect acceptance tests to audit and monitoring
* Move some documentation to public docs
* Small tweaks off review
* Add comments. Update security setting validation.
* Update tests off of review
* Fix API approval tests
* Update from feedback
* Updates from testing. Add additional logging to support testing. Updates from feedback.
* Remove sensitive data from diagnostics file
* add MD doc file back in
* Remove some details from debug logs.
* Clean logging. Fix issue with Platform Connector when auth is enabled.
* Undo making the connection controller anonymous. This is not required as ServicePulse should be the only client using it.
* Forward Authorization header to remote instances
* Update security package to .NET10
* Resolve new obsolete APIs due to .NET10 upgrade
* Fix auth issue with service-to-service call audit-count

---------

Co-authored-by: Jason Taylor <hello@jasontaylor.dev>
Co-authored-by: Jason Taylor <1988321+jasontaylordev@users.noreply.github.com>
Co-authored-by: Warwick Schroeder <warwick@exia-it.com>
1 parent ac20763 commit 4a1464b

148 files changed

Lines changed: 11389 additions & 78 deletions

.gitignore

Lines changed: 7 additions & 0 deletions
@@ -101,3 +101,10 @@ src/scaffolding.config
101101

102102
# Visual Studio Code
103103
.vscode
104+
105+
# AI config
106+
.claude/
107+
CLAUDE.md
108+
109+
# User-specific files
110+
.local
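
Review bot: The `.local` entry under "# User-specific files" has no leading or trailing slash, so it ignores any file or directory named `.local` at any depth in the repository. If it is meant to hold per-developer material for the local HTTPS and authentication testing guides, write it as a root-anchored directory (`/.local/`) and say in the comment what belongs there, so a certificate or settings file placed anywhere else is not assumed to be ignored.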

README.md

Lines changed: 17 additions & 1 deletion
@@ -31,7 +31,7 @@ It's also possible to [locally test containers built from PRs in GitHub Containe
3131
### Infrastructure setup
3232

3333
If the instance is executed for the first time, it must set up the required infrastructure. To do so, once the instance is configured to use the selected transport and persister, run it in setup mode. This can be done by using the `Setup {instance name}` launch profile that is defined in
34-
the `launchSettings.json` file of each instance. When started in setup mode, the instance will start as usual, execute the setup process, and exit. At this point the instance can be run normally by using the non-setup launch profile.
34+
the `launchSettings.json` file of each instance. When started in setup mode, the instance will start as usual, execute the setup process, and exit. At this point the instance can be run normally by using the non-setup launch profile.
3535

3636
## Secrets
3737

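Review bot: README line 34 is removed and re-added with identical visible text, so this looks like a whitespace-only edit that has nothing to do with authentication or TLS. In a commit that already touches 148 files, consider dropping it or moving it to a separate cleanup change so the security-relevant changes are easier to review.
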
@@ -56,6 +56,22 @@ Running all tests all the times takes a lot of resources. Tests are filtered bas
5656

5757
NOTE: If no variable is defined all tests will be executed.
5858

59+
## Security Configuration
60+
61+
Documentation for configuring security features:
62+
63+
- [TLS Configuration](https://docs.particular.net/servicecontrol/security/configuration/tls) - Configure HTTPS/TLS for secure connections
64+
- [Forwarded Headers](https://docs.particular.net/servicecontrol/security/configuration/forward-headers) - Configure X-Forwarded-* header handling for reverse proxy scenarios
65+
- [Authentication](https://docs.particular.net/servicecontrol/security/configuration/authentication) - Configure authentication for the HTTP API
66+
- [Hosting Guide](https://docs.particular.net/servicecontrol/security/hosting-guide) - Scenario based hosting options for ServiceControl
67+
68+
Local testing guides:
69+
70+
- [HTTPS Testing](docs/https-testing.md)
71+
- [Reverse Proxy Testing](docs/reverseproxy-testing.md)
72+
- [Forward Headers Testing](docs/forward-headers-testing.md)
73+
- [Authentication Testing](docs/authentication-testing.md)
74+
5975
## How to developer test the PowerShell Module
6076

6177
Steps:
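
Review bot: The new "Security Configuration" section (README lines 59-73) is links only and does not say whether authentication and TLS are on or off for an instance started from the launch profiles, which is the first thing a developer needs to know before exposing the HTTP API. Add one sentence stating the default, and confirm that the four `docs/*-testing.md` files and the docs.particular.net pages exist at merge time, since the commit message says public docs content was moved to a separate docs PR.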
