feat: Adding oauth authorization code flow

Author: christian-kreuzberger-dtx

.gitignore

@@ -7,6 +7,9 @@ node_modules/
 
 tsconfig.tsbuildinfo
 
+# Token cache directory - contains sensitive OAuth tokens
+.dt-mcp/
+
 # mcp registry
 .mcpregistry_github_token
 .mcpregistry_registry_token

CHANGELOG.md

@@ -25,6 +25,8 @@
 - Fixed an issue with MCP communication failing with `SyntaxError: Unexpected token 'd'` due to `dotenv`
 - Added Support for Google Gemini CLI
 
+- **⚡ Simplified Setup**: OAuth authorization code flow is now automatically enabled when neither, OAuth credentials, nor a platform token are provided. Just provide `DT_ENVIRONMENT`, and authentication is handled automatically via an interactive OAuth authorization code flow
+
 ## 0.6.0
 
 **Highlights**:

src/authentication/dynatrace-clients.test.ts

@@ -2,10 +2,14 @@ import { createDtHttpClient } from './dynatrace-clients';
 import { PlatformHttpClient } from '@dynatrace-sdk/http-client';
 import { getSSOUrl } from 'dt-app';
 import { OAuthTokenResponse } from './types';
+import { performOAuthAuthorizationCodeFlow } from './dynatrace-oauth-auth-code-flow';
+import { globalTokenCache } from './token-cache';
 
 // Mock external dependencies
 jest.mock('@dynatrace-sdk/http-client');
 jest.mock('dt-app');
+jest.mock('./dynatrace-oauth-auth-code-flow');
+jest.mock('./token-cache');
 jest.mock('../../package.json', () => ({
   version: '1.0.0-test',
 }));
@@ -15,13 +19,26 @@ global.fetch = jest.fn();
 
 const mockPlatformHttpClient = PlatformHttpClient as jest.MockedClass<typeof PlatformHttpClient>;
 const mockGetSSOUrl = getSSOUrl as jest.MockedFunction<typeof getSSOUrl>;
+const mockPerformOAuthAuthorizationCodeFlow = performOAuthAuthorizationCodeFlow as jest.MockedFunction<
+  typeof performOAuthAuthorizationCodeFlow
+>;
+const mockGlobalTokenCache = globalTokenCache as jest.Mocked<typeof globalTokenCache>;
 const mockFetch = global.fetch as jest.MockedFunction<typeof fetch>;
 
 describe('dynatrace-clients', () => {
   beforeEach(() => {
     jest.clearAllMocks();
     // Reset console.error mock
     jest.spyOn(console, 'error').mockImplementation(() => {});
+
+    // Mock token cache methods
+    mockGlobalTokenCache.getToken.mockReturnValue(null);
+    mockGlobalTokenCache.isTokenValid.mockReturnValue(false);
+    mockGlobalTokenCache.setToken.mockImplementation(() => {});
+    mockGlobalTokenCache.clearToken.mockImplementation(() => {});
+
+    // Mock getSSOUrl
+    mockGetSSOUrl.mockResolvedValue('https://sso.dynatrace.com');
   });
 
   afterEach(() => {
@@ -79,18 +96,6 @@ describe('dynatrace-clients', () => {
         expect(result).toBeInstanceOf(PlatformHttpClient);
       });
 
-      it('should throw error when clientId, clientSecret and platformToken are missing', async () => {
-        await expect(createDtHttpClient(environmentUrl, scopes, undefined, undefined, undefined)).rejects.toThrow(
-          'Failed to create Dynatrace HTTP Client: Please provide either clientId and clientSecret or dtPlatformToken',
-        );
-      });
-
-      it('should throw error when environmentUrl is missing', async () => {
-        await expect(createDtHttpClient('', scopes, clientId, clientSecret)).rejects.toThrow(
-          'Failed to retrieve environment URL from env "DT_ENVIRONMENT"',
-        );
-      });
-
       it('should throw error when token request fails with HTTP error', async () => {
         mockFetch.mockResolvedValueOnce({
           ok: false,
@@ -157,7 +162,7 @@ describe('dynatrace-clients', () => {
         await createDtHttpClient(environmentUrl, scopes, clientId, clientSecret);
 
         expect(console.error).toHaveBeenCalledWith(
-          `Trying to authenticate API Calls to ${environmentUrl} via OAuthClientId ${clientId} with the following scopes: ${scopes.join(', ')}`,
+          `🔒 Client-Creds-Flow: Trying to authenticate API Calls to ${environmentUrl} via OAuthClientId ${clientId} with the following scopes: ${scopes.join(', ')}`,
         );
       });
     });
@@ -178,14 +183,6 @@ describe('dynatrace-clients', () => {
         expect(result).toBeInstanceOf(PlatformHttpClient);
       });
     });
-
-    describe('with no authentication', () => {
-      it('should throw error when no authentication method is provided', async () => {
-        await expect(createDtHttpClient(environmentUrl, scopes)).rejects.toThrow(
-          'Failed to create Dynatrace HTTP Client: Please provide either clientId and clientSecret or dtPlatformToken',
-        );
-      });
-    });
   });
 
   describe('requestToken function (indirectly tested)', () => {

src/authentication/dynatrace-clients.ts

@@ -1,45 +1,14 @@
 import { HttpClient, PlatformHttpClient } from '@dynatrace-sdk/http-client';
 import { getSSOUrl } from 'dt-app';
 import { getUserAgent } from '../utils/user-agent';
-import { OAuthTokenResponse } from './types';
+import { performOAuthAuthorizationCodeFlow, refreshAccessToken } from './dynatrace-oauth-auth-code-flow';
+import { globalTokenCache } from './token-cache';
+import { getRandomPort } from './utils';
+import { requestTokenForClientCredentials } from './dynatrace-oauth-client-credentials';
 
 /**
- * Uses the provided oauth Client ID and Secret and requests a token via client-credentials flow
- * @param clientId - OAuth Client ID for Dynatrace
- * @param clientSecret - Oauth Client Secret for Dynatrace
- * @param ssoAuthUrl - SSO Authentication URL
- * @param scopes - List of requested scopes
- * @returns Response of the OAuth Endpoint (which, in the best case includes a token)
- */
-const requestToken = async (
-  clientId: string,
-  clientSecret: string,
-  ssoAuthUrl: string,
-  scopes: string[],
-): Promise<OAuthTokenResponse> => {
-  const res = await fetch(ssoAuthUrl, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/x-www-form-urlencoded',
-    },
-    body: new URLSearchParams({
-      grant_type: 'client_credentials',
-      client_id: clientId,
-      client_secret: clientSecret,
-      scope: scopes.join(' '),
-    }),
-  });
-  // check if the response was okay (HTTP 2xx) or not (HTTP 4xx or 5xx)
-  if (!res.ok) {
-    // log the error
-    console.error(`Failed to fetch token: ${res.status} ${res.statusText}`);
-  }
-  // and return the JSON result, as it contains additional information
-  return await res.json();
-};
-
-/**
- * Create a Dynatrace Http Client (from the http-client SDK) based on the provided authentication credentails
+ * Create a Dynatrace Http Client (from the http-client SDK) based on the provided authentication credentials
+ * Supports Platform Token, Oauth Client Credentials Flow, and OAuth Authorization Code Flow (interactive)
  * @param environmentUrl
  * @param scopes
  * @param clientId
@@ -54,67 +23,169 @@ export const createDtHttpClient = async (
   clientSecret?: string,
   dtPlatformToken?: string,
 ): Promise<HttpClient> => {
-  if (clientId && clientSecret) {
-    // create an OAuth client if clientId and clientSecret are provided
-    return createOAuthHttpClient(environmentUrl, scopes, clientId, clientSecret);
-  }
+  /** Logic:
+   * * if a platform token is provided, use it
+   * * If no platform token is provided, but clientId and clientSecret are provided, use client credentials flow
+   * * If no platform token is provided, and no clientSecret is provided, but a clientId is provided, use OAuth authorization code flow (interactive)
+   * * If neither platform token nor OAuth credentials are provided, throw an error
+   */
   if (dtPlatformToken) {
     // create a simple HTTP client if only the platform token is provided
-    return createBearerTokenHttpClient(environmentUrl, dtPlatformToken);
+    return createPlatformTokenHttpClient(environmentUrl, dtPlatformToken);
+  } else if (clientId && clientSecret) {
+    // create an Oauth client using client credentials flow (non-interactive)
+    return createOAuthClientCredentialsHttpClient(environmentUrl, scopes, clientId, clientSecret);
+  } else if (clientId) {
+    // create an OAuth client using authorization code flow (interactive)
+    return createOAuthAuthCodeFlowHttpClient(environmentUrl, scopes, clientId);
   }
+
   throw new Error(
-    'Failed to create Dynatrace HTTP Client: Please provide either clientId and clientSecret or dtPlatformToken',
+    'Failed to create Dynatrace HTTP Client: Please provide either clientId and clientSecret for client credentials flow, clientId only for interactive OAuth flow, or just a platform token.',
   );
 };
 
-/** Creates an HTTP Client based on environmentUrl and a platform token */
-const createBearerTokenHttpClient = async (environmentUrl: string, dtPlatformToken: string): Promise<HttpClient> => {
+/**
+ * Creates an HTTP Client based on environmentUrl and a bearer token, and also sets the user agent
+ */
+const createBearerTokenHttpClient = async (environmentUrl: string, bearerToken: string): Promise<HttpClient> => {
   return new PlatformHttpClient({
     baseUrl: environmentUrl,
     defaultHeaders: {
-      'Authorization': `Bearer ${dtPlatformToken}`,
+      'Authorization': `Bearer ${bearerToken}`,
       'User-Agent': getUserAgent(),
     },
   });
 };
 
-/** Create an Oauth Client based on clientId, clientSecret, environmentUrl and scopes
+/**
+ * Creates an HTTP Client based on environmentUrl and a platform token (as bearer token)
+ */
+const createPlatformTokenHttpClient = async (environmentUrl: string, dtPlatformToken: string): Promise<HttpClient> => {
+  console.error(`🔒 Using Platform Token to authenticate API Calls to ${environmentUrl}`);
+  return createBearerTokenHttpClient(environmentUrl, dtPlatformToken);
+};
+
+/**
+ * Create an Oauth Client based on clientId, clientSecret, environmentUrl and scopes
  * This uses a client-credentials flow to request a token from the SSO endpoint.
+ * Note: We do not refresh the token here, we always request a new one on each client creation.
  */
-const createOAuthHttpClient = async (
+const createOAuthClientCredentialsHttpClient = async (
   environmentUrl: string,
   scopes: string[],
   clientId: string,
   clientSecret: string,
 ): Promise<HttpClient> => {
-  if (!clientId) {
-    throw new Error('Failed to retrieve OAuth client id from env "DT_APP_OAUTH_CLIENT_ID"');
-  }
-  if (!clientSecret) {
-    throw new Error('Failed to retrieve OAuth client secret from env "DT_APP_OAUTH_CLIENT_SECRET"');
-  }
-  if (!environmentUrl) {
-    throw new Error('Failed to retrieve environment URL from env "DT_ENVIRONMENT"');
-  }
-
   console.error(
-    `Trying to authenticate API Calls to ${environmentUrl} via OAuthClientId ${clientId} with the following scopes: ${scopes.join(', ')}`,
+    `🔒 Client-Creds-Flow: Trying to authenticate API Calls to ${environmentUrl} via OAuthClientId ${clientId} with the following scopes: ${scopes.join(', ')}`,
   );
 
-  const ssoBaseUrl = await getSSOUrl(environmentUrl);
-  const ssoAuthUrl = new URL('/sso/oauth2/token', ssoBaseUrl).toString();
-  console.error(`Using SSO auth URL: ${ssoAuthUrl}`);
+  // Get SSO Base URL
+  const ssoBaseURL = await getSSOUrl(environmentUrl);
 
   // try to request a token, just to verify that everything is set up correctly
-  const tokenResponse = await requestToken(clientId, clientSecret, ssoAuthUrl, scopes);
+  const tokenResponse = await requestTokenForClientCredentials(clientId, clientSecret, ssoBaseURL, scopes);
 
   // in case we didn't get a token, or error / error_description / issueId is set, we throw an error
   if (!tokenResponse.access_token || tokenResponse.error || tokenResponse.error_description || tokenResponse.issueId) {
     throw new Error(
       `Failed to retrieve OAuth token (IssueId: ${tokenResponse.issueId}): ${tokenResponse.error} - ${tokenResponse.error_description}. Note: Your OAuth client is most likely not configured correctly and/or is missing scopes.`,
     );
   }
-  console.error(`Successfully retrieved token from SSO!`);
+  console.error(
+    `Successfully retrieved token from SSO! Token valid for ${tokenResponse.expires_in}s with scopes: ${tokenResponse.scope}`,
+  );
+
+  // now that we have the access token, we can just use a plain bearer token client
+  return createBearerTokenHttpClient(environmentUrl, tokenResponse.access_token);
+};
+
+/** Create an OAuth Client using authorization code flow (interactive authentication)
+ * This starts a local HTTP server to handle the OAuth redirect and requires user interaction.
+ * Implements token caching (via .dt-mcp/token.json) to avoid repeated OAuth flows.
+ * Note: Always requests a complete set of scopes for maximum token reusability. Else the user will end up having to approve multiple requests.
+ */
+const createOAuthAuthCodeFlowHttpClient = async (
+  environmentUrl: string,
+  scopes: string[],
+  clientId: string,
+): Promise<HttpClient> => {
+  // Get SSO Base URL
+  const ssoBaseURL = await getSSOUrl(environmentUrl);
+
+  // Fast Track: Fetch cached token and check if it is still valid
+  const cachedToken = globalTokenCache.getToken(scopes);
+  const isValid = globalTokenCache.isTokenValid(scopes);
+
+  // If we have a valid cached token, we can use it
+  if (isValid && cachedToken) {
+    const expiresIn = cachedToken.expires_at ? Math.round((cachedToken.expires_at - Date.now()) / 1000) : 'never';
+    console.error(`✅ Auth-Code-Flow: Using cached access token (expires in ${expiresIn}s)`);
+
+    // just use the cached token as a bearer token
+    return createBearerTokenHttpClient(environmentUrl, cachedToken.access_token);
+  }
+
+  // If we have an expired token that can be refreshed, refresh it
+  if (cachedToken && cachedToken.refresh_token && !isValid) {
+    const expiresIn = cachedToken.expires_at ? Math.round((cachedToken.expires_at - Date.now()) / 1000) : 'never';
+    console.error(`🔍 Auth-Code-Flow: Found expired cached token (expires in ${expiresIn}s), attempting refresh...`);
+    try {
+      console.error(`🔄 Attempting to refresh expired access token...`);
+      const tokenResponse = await refreshAccessToken(ssoBaseURL, clientId, cachedToken.refresh_token, scopes);
+
+      if (tokenResponse.access_token && !tokenResponse.error) {
+        console.error(`✅ Successfully refreshed access token!`);
+        // Update the cache with the new token
+        globalTokenCache.setToken(scopes, tokenResponse);
+
+        // now use the updated token as a bearer token
+        return createBearerTokenHttpClient(environmentUrl, tokenResponse.access_token);
+      } else {
+        console.error(`❌ Token refresh failed: ${tokenResponse.error} - ${tokenResponse.error_description}`);
+        // Clear the invalid token from cache
+        globalTokenCache.clearToken();
+      }
+    } catch (error) {
+      console.error(`❌ Token refresh failed with error: ${error instanceof Error ? error.message : String(error)}`);
+      // Clear the invalid token from cache
+      globalTokenCache.clearToken();
+    }
+  }
+
+  // If we get here, we are currently not authenticated, and need to perform a full OAuth Authorization Code Flow
+  console.error(`🚀 Auth-Code-Flow: No valid cached token found, initiating OAuth Authorization Code Flow...`);
+  console.error(`Using SSO base URL ${ssoBaseURL}`);
+
+  // Randomly select a port for the OAuth redirect URL (e.g., 5344)
+  const port = getRandomPort();
+
+  // Perform the OAuth authorization code flow with all scopes
+  const tokenResponse = await performOAuthAuthorizationCodeFlow(
+    ssoBaseURL,
+    {
+      clientId,
+      // redirectUri will be used as a redirect/callback from the authorization code flow
+      redirectUri: `http://localhost:${port}/auth/login`,
+      scopes: scopes, // Request all scopes upfront
+    },
+    port,
+  );
+
+  // Check if we got a valid token
+  if (!tokenResponse.access_token || tokenResponse.error || tokenResponse.error_description || tokenResponse.issueId) {
+    throw new Error(
+      `Failed to retrieve OAuth token via authorization code flow (IssueId: ${tokenResponse.issueId}): ${tokenResponse.error} - ${tokenResponse.error_description}`,
+    );
+  }
+
+  // Cache the new token with all scopes
+  globalTokenCache.setToken(scopes, tokenResponse);
+  console.error(
+    `✅ Successfully retrieved token from SSO! Token cached for future use with scopes: ${scopes.join(', ')}`,
+  );
 
+  // now that we have the access token, we can just use a plain bearer token client
   return createBearerTokenHttpClient(environmentUrl, tokenResponse.access_token);
 };