This sub-issue focuses on implementing the authentication layer for the MongoDB Atlas Service Discovery plugin.
The goal is to support both OAuth 2.0 (Client Credentials) and HTTP Digest (Atlas API Keys) authentication mechanisms.
Scope
Implement authentication support that will be used by all programmatic requests to the Atlas Management API v2 (https://cloud.mongodb.com/api/atlas/v2).
1. Credential Storage
- OAuth 2.0
- Store
client_id and client_secret.
- HTTP Digest
- Store
publicKey and privateKey.
- Security requirements
- Sensitive values (
client_secret and privateKey) must be stored securely, following the same protection approach as for connection strings.
- Reference implementation:
src/documentdb/CredentialCache.ts#setAuthCredentials.
2. Credential & Token Cache
- Users may select either OAuth or Digest authentication.
- OAuth
- Maintain a token cache.
- On first request:
- Fetch an access token and cache it along with the expiry timestamp.
- On subsequent requests:
- Reuse the cached token if it has not expired.
- If expired, request a new token and update the cache.
- Note: Access tokens are valid for 1 hour (3600 seconds) and cannot be refreshed. A new token must be requested after expiry.
- Digest
- No additional caching is required beyond the stored credentials.
3. Authentication Process
3.1 OAuth 2.0
3.2 HTTP Digest
- Supply the API key pair directly with Digest auth:
curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
--header "Content-Type: application/json" \
--header "Accept: application/vnd.atlas.2024-08-05+json" \
--request GET "https://cloud.mongodb.com/api/atlas/v2/groups"
- Example for POST with Digest auth:
curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
--header "Content-Type: application/json" \
--header "Accept: application/vnd.atlas.2024-08-05+json" \
--request POST "https://cloud.mongodb.com/api/atlas/v2/groups" \
--data '
{
"name": "MyProject",
"orgId": "5a0a1e7e0f2912c554080adc"
}'
4. Clearing Authentication State
- Provide a mechanism to remove stored credentials and reset the authentication option.
- After clearing, the plugin should behave as if no credentials were set.
Acceptance Criteria
Tasks
This sub-issue focuses on implementing the authentication layer for the MongoDB Atlas Service Discovery plugin.
The goal is to support both OAuth 2.0 (Client Credentials) and HTTP Digest (Atlas API Keys) authentication mechanisms.
Scope
Implement authentication support that will be used by all programmatic requests to the Atlas Management API v2 (
https://cloud.mongodb.com/api/atlas/v2).1. Credential Storage
client_idandclient_secret.publicKeyandprivateKey.client_secretandprivateKey) must be stored securely, following the same protection approach as for connection strings.src/documentdb/CredentialCache.ts#setAuthCredentials.2. Credential & Token Cache
3. Authentication Process
3.1 OAuth 2.0
Construct a Basic Auth header using
client_idandclient_secret:Encode as Base64:
(Implementation should use TypeScript, not shell commands.)
Request an access token:
Use the received access_token for API requests:
3.2 HTTP Digest
4. Clearing Authentication State
Acceptance Criteria
Tasks
CredentialCache).POST /api/oauth/token.