chore: Change to use oauth4webapi instead of simple-oauth2

This adds support for a custom fetch that can use proxies
configured with environment variables.

Author: kmruiz

package-lock.json

@@ -85,8 +85,8 @@
     "mongodb-redact": "^1.1.8",
     "mongodb-schema": "^12.6.2",
     "node-machine-id": "1.1.12",
+    "oauth4webapi": "^3.6.0",
     "openapi-fetch": "^0.14.0",
-    "simple-oauth2": "^5.1.0",
     "yargs-parser": "^22.0.0",
     "zod": "^3.25.76"
   },

package.json

@@ -1,13 +1,12 @@
 import createClient, { Client, Middleware } from "openapi-fetch";
 import type { FetchOptions } from "openapi-fetch";
-import { AccessToken, ClientCredentials } from "simple-oauth2";
 import { ApiClientError } from "./apiClientError.js";
 import { paths, operations } from "./openapi.js";
 import { CommonProperties, TelemetryEvent } from "../../telemetry/types.js";
 import { packageInfo } from "../packageInfo.js";
 import logger, { LogId } from "../logger.js";
-import { createFetch, useOrCreateAgent } from "@mongodb-js/devtools-proxy-support";
-import HTTPS from "https";
+import { createFetch } from "@mongodb-js/devtools-proxy-support";
+import * as oauth from "oauth4webapi";
 
 const ATLAS_API_VERSION = "2025-03-12";
 
@@ -22,6 +21,11 @@ export interface ApiClientOptions {
     userAgent?: string;
 }
 
+interface AccessToken {
+    access_token: string;
+    expires_at?: number;
+}
+
 export class ApiClient {
     private options: {
         baseUrl: string;
@@ -36,24 +40,33 @@ export class ApiClient {
         useEnvironmentVariableProxies: true,
     }) as unknown as typeof fetch;
 
-    private static customAgent = useOrCreateAgent({
-        useEnvironmentVariableProxies: true,
-    });
-
     private client: Client<paths>;
-    private oauth2Client?: ClientCredentials;
+
+    private oauth2Client?: oauth.Client;
+    private oauth2Issuer?: oauth.AuthorizationServer;
     private accessToken?: AccessToken;
 
-    private ensureAgentIsInitialized = async () => {
-        await ApiClient.customAgent?.initialize?.();
-    };
+    public hasCredentials(): boolean {
+        return !!this.oauth2Client && !!this.oauth2Issuer;
+    }
+
+    private isAccessTokenValid(): boolean {
+        return !!(
+            this.accessToken &&
+            (this.accessToken.expires_at == undefined || this.accessToken.expires_at > Date.now() / 1000)
+        );
+    }
 
     private getAccessToken = async () => {
-        //        await this.ensureAgentIsInitialized();
-        if (this.oauth2Client && (!this.accessToken || this.accessToken.expired())) {
-            this.accessToken = await this.oauth2Client.getToken({});
+        if (!this.hasCredentials()) {
+            return undefined;
         }
-        return this.accessToken?.token.access_token as string | undefined;
+
+        if (!this.isAccessTokenValid()) {
+            this.accessToken = await this.getNewAccessToken();
+        }
+
+        return this.accessToken?.access_token;
     };
 
     private authMiddleware: Middleware = {
@@ -90,46 +103,93 @@ export class ApiClient {
             },
             fetch: ApiClient.customFetch,
         });
+
         if (this.options.credentials?.clientId && this.options.credentials?.clientSecret) {
-            this.oauth2Client = new ClientCredentials({
-                client: {
-                    id: this.options.credentials.clientId,
-                    secret: this.options.credentials.clientSecret,
-                },
-                auth: {
-                    tokenHost: this.options.baseUrl,
-                    tokenPath: "/api/oauth/token",
-                    revokePath: "/api/oauth/revoke",
-                },
-                http: {
-                    headers: {
-                        "User-Agent": this.options.userAgent,
-                    },
-                    agent: ApiClient.customAgent,
-                },
-            });
+            this.oauth2Issuer = {
+                issuer: this.options.baseUrl,
+                token_endpoint: new URL("/api/oauth/token", this.options.baseUrl).toString(),
+                revocation_endpoint: new URL("/api/oauth/revoke", this.options.baseUrl).toString(),
+                token_endpoint_auth_methods_supported: ["client_secret_basic"],
+                grant_types_supported: ["client_credentials"],
+            };
+
+            this.oauth2Client = {
+                client_id: this.options.credentials.clientId,
+                client_secret: this.options.credentials.clientSecret,
+            };
+
             this.client.use(this.authMiddleware);
         }
     }
 
-    public hasCredentials(): boolean {
-        return !!this.oauth2Client;
+    private getOauthClientAuth(): { client: oauth.Client | undefined; clientAuth: oauth.ClientAuth | undefined } {
+        if (this.options.credentials?.clientId && this.options.credentials.clientSecret) {
+            const clientSecret = this.options.credentials.clientSecret;
+            const clientId = this.options.credentials.clientId;
+
+            // We are using our own ClientAuth because ClientSecretBasic URL encodes wrongly
+            // the username and password (for example, encodes `_` which is wrong).
+            return {
+                client: { client_id: clientId },
+                clientAuth: (_as, client, _body, headers) => {
+                    const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+                    headers.set("Authorization", `Basic ${credentials}`);
+                },
+            };
+        }
+
+        return { client: undefined, clientAuth: undefined };
+    }
+
+    private async getNewAccessToken(): Promise<AccessToken | undefined> {
+        if (!this.hasCredentials() || !this.oauth2Issuer) {
+            return undefined;
+        }
+
+        const { client, clientAuth } = this.getOauthClientAuth();
+        if (client && clientAuth) {
+            try {
+                const response = await oauth.clientCredentialsGrantRequest(
+                    this.oauth2Issuer,
+                    client,
+                    clientAuth,
+                    new URLSearchParams(),
+                    {
+                        [oauth.customFetch]: ApiClient.customFetch,
+                        headers: {
+                            "User-Agent": this.options.userAgent,
+                        },
+                    }
+                );
+
+                const result = await oauth.processClientCredentialsResponse(this.oauth2Issuer, client, response);
+                this.accessToken = {
+                    access_token: result.access_token,
+                    expires_at: Date.now() / 1000 + (result.expires_in ?? 0),
+                };
+            } catch (error: unknown) {
+                const err = error instanceof Error ? error : new Error(String(error));
+                logger.error(LogId.atlasConnectFailure, "apiClient", `Failed to request access token: ${err.message}`);
+            }
+            return this.accessToken;
+        }
     }
 
     public async validateAccessToken(): Promise<void> {
         await this.getAccessToken();
     }
 
     public async close(): Promise<void> {
-        if (this.accessToken) {
-            try {
-                await this.accessToken.revoke("access_token");
-            } catch (error: unknown) {
-                const err = error instanceof Error ? error : new Error(String(error));
-                logger.error(LogId.atlasApiRevokeFailure, "apiClient", `Failed to revoke access token: ${err.message}`);
+        const { client, clientAuth } = this.getOauthClientAuth();
+        try {
+            if (this.oauth2Issuer && this.accessToken && client && clientAuth) {
+                await oauth.revocationRequest(this.oauth2Issuer, client, clientAuth, this.accessToken.access_token);
             }
-            this.accessToken = undefined;
+        } catch (error: unknown) {
+            const err = error instanceof Error ? error : new Error(String(error));
+            logger.error(LogId.atlasApiRevokeFailure, "apiClient", `Failed to revoke access token: ${err.message}`);
         }
+        this.accessToken = undefined;
     }
 
     public async getIpInfo(): Promise<{