Description
This sub-issue focuses on implementing the authentication layer for the MongoDB Atlas Service Discovery plugin.
The goal is to support both OAuth 2.0 (Client Credentials) and HTTP Digest (Atlas API Keys) authentication mechanisms.
Scope
Implement authentication support that will be used by all programmatic requests to the Atlas Management API v2 (https://cloud.mongodb.com/api/atlas/v2).
1. Credential Storage
- OAuth 2.0
  - Store `client_id` and `client_secret`.
- HTTP Digest
  - Store `publicKey` and `privateKey`.
- Security requirements
  - Sensitive values (`client_secret` and `privateKey`) must be stored securely, following the same protection approach as for connection strings.
  - Reference implementation: `src/documentdb/CredentialCache.ts#setAuthCredentials`.
2. Credential & Token Cache
- Users may select either OAuth or Digest authentication.
- OAuth
- Maintain a token cache.
- On first request:
- Fetch an access token and cache it along with the expiry timestamp.
- On subsequent requests:
- Reuse the cached token if it has not expired.
- If expired, request a new token and update the cache.
- Note: Access tokens are valid for 1 hour (3600 seconds) and cannot be refreshed. A new token must be requested after expiry.
- Digest
- No additional caching is required beyond the stored credentials.
3. Authentication Process
3.1 OAuth 2.0
- Construct a Basic Auth header using `client_id` and `client_secret`:
  - Encode as Base64: `echo -n {CLIENT-ID}:{CLIENT-SECRET} | base64` (Implementation should use TypeScript, not shell commands.)
- Request an access token:
```bash
curl --request POST \
  --url https://cloud.mongodb.com/api/oauth/token \
  --header 'accept: application/json' \
  --header 'cache-control: no-cache' \
  --header 'authorization: Basic {BASE64-AUTH}' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials'
```
- Use the received `access_token` for API requests:
```bash
curl --request GET \
  --url https://cloud.mongodb.com/api/atlas/v2/groups \
  --header 'Authorization: Bearer {ACCESS-TOKEN}' \
  --header 'Accept: application/vnd.atlas.2023-02-01+json' \
  --header 'Content-Type: application/json'
```
3.2 HTTP Digest
- Supply the API key pair directly with Digest auth:
```bash
curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
  --header "Content-Type: application/json" \
  --header "Accept: application/vnd.atlas.2024-08-05+json" \
  --request GET "https://cloud.mongodb.com/api/atlas/v2/groups"
```
- Example for POST with Digest auth:
```bash
curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
  --header "Content-Type: application/json" \
  --header "Accept: application/vnd.atlas.2024-08-05+json" \
  --request POST "https://cloud.mongodb.com/api/atlas/v2/groups" \
  --data '
{
  "name": "MyProject",
  "orgId": "5a0a1e7e0f2912c554080adc"
}'
```
4. Clearing Authentication State
- Provide a mechanism to remove stored credentials and reset the authentication option.
- After clearing, the plugin should behave as if no credentials were set.
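The Digest flow of section 3.2 done in TypeScript instead of delegating to `curl --digest`, as an added example that is not the plugin's own code. It assumes Atlas returns an RFC 2617 MD5 challenge offering `qop="auth"` (the only algorithm and qop handled here) and that the transport is an injected fetch-compatible function, so the 401-then-retry exchange and the response computation can be unit-tested offline. The names `parseDigestChallenge`, `buildDigestAuthorization`, `digestFetch` and `DigestFetchLike` are the example's own.

```typescript
// Added example (not the plugin's own code): HTTP Digest authentication with the
// Atlas API key pair from section 3.2. Assumptions: RFC 2617 MD5 challenge with
// qop="auth"; fetch is injected so the exchange can be tested without a server.
import { createHash, randomBytes } from "crypto";

export interface DigestChallenge {
  realm: string;
  nonce: string;
  qop?: string; // comma-separated list offered by the server, e.g. "auth,auth-int"
  opaque?: string;
  algorithm?: string;
}

// Parse a `WWW-Authenticate: Digest ...` header value into its parameters.
export function parseDigestChallenge(header: string): DigestChallenge {
  if (!/^Digest\s/i.test(header)) throw new Error("not a Digest challenge");
  const params: Record<string, string> = {};
  const re = /(\w+)=(?:"([^"]*)"|([^\s,]+))/g; // key="quoted" or key=token
  let m: RegExpExecArray | null;
  while ((m = re.exec(header.slice("Digest".length))) !== null) {
    params[m[1]] = m[2] ?? m[3];
  }
  if (!params.realm || !params.nonce) throw new Error("challenge lacks realm or nonce");
  const { realm, nonce, qop, opaque, algorithm } = params;
  return { realm, nonce, qop, opaque, algorithm };
}

const md5 = (s: string): string => createHash("md5").update(s, "utf8").digest("hex");

export interface DigestRequest {
  username: string; // Atlas public key
  password: string; // Atlas private key
  method: string;
  uri: string; // request-target as sent on the wire, e.g. "/api/atlas/v2/groups"
  challenge: DigestChallenge;
  nc?: number; // nonce count; starts at 1 and increments on each reuse of the nonce
  cnonce?: string; // client nonce; random unless a test supplies one
}

// Compute the Authorization header per RFC 2617 section 3.2.2 (MD5, qop=auth).
export function buildDigestAuthorization(req: DigestRequest): string {
  const c = req.challenge;
  if (c.algorithm && c.algorithm.toUpperCase() !== "MD5") {
    throw new Error(`unsupported digest algorithm ${c.algorithm}`);
  }
  const offered = (c.qop ?? "").split(",").map((q) => q.trim()).filter(Boolean);
  if (offered.length > 0 && !offered.includes("auth")) throw new Error("server does not offer qop=auth");
  const qop = offered.length > 0 ? "auth" : undefined;
  const nc = (req.nc ?? 1).toString(16).padStart(8, "0");
  const cnonce = req.cnonce ?? randomBytes(8).toString("hex");

  const ha1 = md5(`${req.username}:${c.realm}:${req.password}`);
  const ha2 = md5(`${req.method.toUpperCase()}:${req.uri}`);
  const response = qop
    ? md5(`${ha1}:${c.nonce}:${nc}:${cnonce}:${qop}:${ha2}`)
    : md5(`${ha1}:${c.nonce}:${ha2}`); // legacy RFC 2069 form when no qop is offered

  const parts = [
    `username="${req.username}"`, `realm="${c.realm}"`, `nonce="${c.nonce}"`,
    `uri="${req.uri}"`, `response="${response}"`,
  ];
  if (qop) parts.push(`qop=${qop}`, `nc=${nc}`, `cnonce="${cnonce}"`);
  if (c.opaque) parts.push(`opaque="${c.opaque}"`);
  if (c.algorithm) parts.push(`algorithm=${c.algorithm}`);
  return `Digest ${parts.join(", ")}`;
}

export type DigestFetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body?: string },
) => Promise<{ status: number; headers: { get(name: string): string | null } }>;

// The exchange curl --digest performs: send once, take the 401 challenge, resend
// with the computed Authorization header. The private key never leaves the client.
export async function digestFetch(
  fetchImpl: DigestFetchLike,
  creds: { publicKey: string; privateKey: string },
  method: string,
  url: string,
  body?: string,
  extraHeaders: Record<string, string> = {},
) {
  const u = new URL(url);
  const uri = u.pathname + u.search;
  const first = await fetchImpl(url, { method, headers: extraHeaders, body });
  if (first.status !== 401) return first;
  const www = first.headers.get("www-authenticate");
  if (!www) throw new Error("401 without a WWW-Authenticate challenge");
  const challenge = parseDigestChallenge(www);
  const Authorization = buildDigestAuthorization({
    username: creds.publicKey, password: creds.privateKey, method, uri, challenge,
  });
  return fetchImpl(url, { method, headers: { ...extraHeaders, Authorization }, body });
}
```

`buildDigestAuthorization` is deliberately pure (nonce count and client nonce are parameters) so the "Digest auth request signing" unit test in the acceptance criteria can check it against the RFC 2617 reference vector; a real call lets the random `cnonce` default apply. The POST example from 3.2 goes through the same `digestFetch` with `method: "POST"` and the JSON body, since `qop=auth` covers only the method and URI.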
Acceptance Criteria
- Secure credential storage implemented for both OAuth and Digest.
- OAuth token caching and renewal logic works correctly (validated via unit tests).
- Digest authentication works for both GET and POST requests.
- Clearing/removing credentials resets authentication state.
- Unit tests cover:
- Credential storage/retrieval.
- OAuth token request, caching, and expiry.
- Digest auth request signing.
- Clearing of credentials.
Tasks
- Implement credential storage logic (reuse/extend `CredentialCache`).
- Implement OAuth token acquisition:
  - Base64 encoding of credentials.
  - Request to `POST /api/oauth/token`.
  - Token caching with expiry handling.
- Implement Digest authentication flow using existing HTTP libraries.
- Implement a function to clear/remove credentials.
- Add unit tests:
- Mocked HTTP responses for OAuth and Digest.
- Token expiry simulation.
- Credential removal tests.
- Update README with instructions:
- How to configure OAuth credentials.
- How to configure Digest credentials.
- How to clear/reset credentials.
Status: In progress