Added the list-user-client controller.

Change-Id: I65b6d392da59d1f3412b28ae81ae0bec321d2077
diff --git a/full/Changes b/full/Changes
index b111732..1df0b92 100644
--- a/full/Changes
+++ b/full/Changes
@@ -7,6 +7,8 @@
 28/11/2018
    - Updated NamedVCLoader to delete existing VC in DB (margaretha)
    - Handled storing cached VC with VC reference (margaretha)
+29/11/2018
+   - Added the list-user-client controller (margaretha)  
    
 # version 0.61.3
 17/10/2018
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/dao/AccessScopeDao.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/dao/AccessScopeDao.java
index de0cfac..a714420 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/dao/AccessScopeDao.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/dao/AccessScopeDao.java
@@ -15,7 +15,6 @@
 
 import de.ids_mannheim.korap.constant.OAuth2Scope;
 import de.ids_mannheim.korap.oauth2.entity.AccessScope;
-import de.ids_mannheim.korap.oauth2.entity.AccessScope;
 
 @Repository
 @Transactional
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/dao/OAuth2ClientDao.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/dao/OAuth2ClientDao.java
index 31fa2b3..444659e 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/dao/OAuth2ClientDao.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/dao/OAuth2ClientDao.java
@@ -1,22 +1,32 @@
 package de.ids_mannheim.korap.oauth2.dao;
 
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.util.List;
+
 import javax.persistence.EntityManager;
 import javax.persistence.NoResultException;
 import javax.persistence.PersistenceContext;
 import javax.persistence.Query;
+import javax.persistence.TypedQuery;
 import javax.persistence.criteria.CriteriaBuilder;
 import javax.persistence.criteria.CriteriaQuery;
+import javax.persistence.criteria.ListJoin;
+import javax.persistence.criteria.Predicate;
 import javax.persistence.criteria.Root;
 
 import org.springframework.stereotype.Repository;
 import org.springframework.transaction.annotation.Transactional;
 
+import de.ids_mannheim.korap.config.Attributes;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.oauth2.constant.OAuth2ClientType;
 import de.ids_mannheim.korap.oauth2.entity.OAuth2Client;
 import de.ids_mannheim.korap.oauth2.entity.OAuth2ClientUrl;
 import de.ids_mannheim.korap.oauth2.entity.OAuth2Client_;
+import de.ids_mannheim.korap.oauth2.entity.RefreshToken;
+import de.ids_mannheim.korap.oauth2.entity.RefreshToken_;
 import de.ids_mannheim.korap.utils.ParameterChecker;
 
 @Transactional
@@ -97,4 +107,29 @@
         client = entityManager.merge(client);
     }
 
+    public List<OAuth2Client> retrieveUserClients (String username)
+            throws KustvaktException {
+        ParameterChecker.checkStringValue(username, "username");
+
+        CriteriaBuilder builder = entityManager.getCriteriaBuilder();
+        CriteriaQuery<OAuth2Client> query =
+                builder.createQuery(OAuth2Client.class);
+
+        Root<OAuth2Client> client = query.from(OAuth2Client.class);
+        ListJoin<OAuth2Client, RefreshToken> refreshToken =
+                client.join(OAuth2Client_.refreshTokens);
+        Predicate condition = builder.and(
+                builder.equal(refreshToken.get(RefreshToken_.userId), username),
+                builder.equal(refreshToken.get(RefreshToken_.isRevoked), false),
+                builder.greaterThan(
+                        refreshToken
+                                .<ZonedDateTime> get(RefreshToken_.expiryDate),
+                        ZonedDateTime
+                                .now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE))));
+        query.select(client);
+        query.where(condition);
+        TypedQuery<OAuth2Client> q = entityManager.createQuery(query);
+        return q.getResultList();
+    }
+
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/dao/RefreshTokenDao.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/dao/RefreshTokenDao.java
index e98c627..8ee798b 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/dao/RefreshTokenDao.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/dao/RefreshTokenDao.java
@@ -8,8 +8,10 @@
 import javax.persistence.EntityManager;
 import javax.persistence.PersistenceContext;
 import javax.persistence.Query;
+import javax.persistence.TypedQuery;
 import javax.persistence.criteria.CriteriaBuilder;
 import javax.persistence.criteria.CriteriaQuery;
+import javax.persistence.criteria.Join;
 import javax.persistence.criteria.Root;
 
 import org.springframework.beans.factory.annotation.Autowired;
@@ -20,6 +22,8 @@
 import de.ids_mannheim.korap.config.FullConfiguration;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.oauth2.entity.AccessScope;
+import de.ids_mannheim.korap.oauth2.entity.OAuth2Client;
+import de.ids_mannheim.korap.oauth2.entity.OAuth2Client_;
 import de.ids_mannheim.korap.oauth2.entity.RefreshToken;
 import de.ids_mannheim.korap.oauth2.entity.RefreshToken_;
 import de.ids_mannheim.korap.utils.ParameterChecker;
@@ -32,6 +36,8 @@
     private EntityManager entityManager;
     @Autowired
     private FullConfiguration config;
+    @Autowired
+    private OAuth2ClientDao clientDao;
 
     public RefreshToken storeRefreshToken (String refreshToken, String userId,
             ZonedDateTime userAuthenticationTime, String clientId,
@@ -43,12 +49,13 @@
 
         ZonedDateTime now =
                 ZonedDateTime.now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE));
+        OAuth2Client client = clientDao.retrieveClientById(clientId);
 
         RefreshToken token = new RefreshToken();
         token.setToken(refreshToken);
         token.setUserId(userId);
         token.setUserAuthenticationTime(userAuthenticationTime);
-        token.setClientId(clientId);
+        token.setClient(client);
         token.setCreatedDate(now);
         token.setExpiryDate(now.plusSeconds(config.getRefreshTokenExpiry()));
         token.setScopes(scopes);
@@ -63,13 +70,14 @@
         CriteriaQuery<RefreshToken> query =
                 builder.createQuery(RefreshToken.class);
         Root<RefreshToken> root = query.from(RefreshToken.class);
+        root.fetch(RefreshToken_.client);
+        
         query.select(root);
         query.where(builder.equal(root.get(RefreshToken_.token), token));
         Query q = entityManager.createQuery(query);
         return (RefreshToken) q.getSingleResult();
     }
 
-    @SuppressWarnings("unchecked")
     public List<RefreshToken> retrieveRefreshTokenByClientId (String clientId)
             throws KustvaktException {
         ParameterChecker.checkStringValue(clientId, "client_id");
@@ -78,9 +86,11 @@
         CriteriaQuery<RefreshToken> query =
                 builder.createQuery(RefreshToken.class);
         Root<RefreshToken> root = query.from(RefreshToken.class);
+        Join<RefreshToken, OAuth2Client> client =
+                root.join(RefreshToken_.client);
         query.select(root);
-        query.where(builder.equal(root.get(RefreshToken_.clientId), clientId));
-        Query q = entityManager.createQuery(query);
+        query.where(builder.equal(client.get(OAuth2Client_.id), clientId));
+        TypedQuery<RefreshToken> q = entityManager.createQuery(query);
         return q.getResultList();
     }
 
@@ -91,4 +101,28 @@
         token = entityManager.merge(token);
         return token;
     }
+
+    // public List<RefreshToken> retrieveRefreshTokenByUser (String
+    // username)
+    // throws KustvaktException {
+    // ParameterChecker.checkStringValue(username, "username");
+    //
+    // CriteriaBuilder builder = entityManager.getCriteriaBuilder();
+    // CriteriaQuery<RefreshToken> query =
+    // builder.createQuery(RefreshToken.class);
+    //
+    // Root<RefreshToken> root = query.from(RefreshToken.class);
+    // Predicate condition = builder.and(
+    // builder.equal(root.get(RefreshToken_.userId), username),
+    // builder.equal(root.get(RefreshToken_.isRevoked), false),
+    // builder.greaterThan(
+    // root.<ZonedDateTime> get(RefreshToken_.expiryDate),
+    // ZonedDateTime
+    // .now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE)))
+    // );
+    // query.select(root);
+    // query.where(condition);
+    // TypedQuery<RefreshToken> q = entityManager.createQuery(query);
+    // return q.getResultList();
+    // }
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/dto/OAuth2UserClientDto.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/dto/OAuth2UserClientDto.java
new file mode 100644
index 0000000..02ab148
--- /dev/null
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/dto/OAuth2UserClientDto.java
@@ -0,0 +1,20 @@
+package de.ids_mannheim.korap.oauth2.dto;
+
+public class OAuth2UserClientDto {
+    
+    private String clientId;
+    private String clientName;
+    
+    public String getClientName () {
+        return clientName;
+    }
+    public void setClientName (String clientName) {
+        this.clientName = clientName;
+    }
+    public String getClientId () {
+        return clientId;
+    }
+    public void setClientId (String clientId) {
+        this.clientId = clientId;
+    }
+}
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/entity/OAuth2Client.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/entity/OAuth2Client.java
index 09c6e35..8023e32 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/entity/OAuth2Client.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/entity/OAuth2Client.java
@@ -1,5 +1,7 @@
 package de.ids_mannheim.korap.oauth2.entity;
 
+import java.util.List;
+
 import javax.persistence.CascadeType;
 import javax.persistence.Column;
 import javax.persistence.Entity;
@@ -8,6 +10,7 @@
 import javax.persistence.FetchType;
 import javax.persistence.Id;
 import javax.persistence.JoinColumn;
+import javax.persistence.OneToMany;
 import javax.persistence.OneToOne;
 import javax.persistence.Table;
 
@@ -19,7 +22,7 @@
  */
 @Entity
 @Table(name = "oauth2_client")
-public class OAuth2Client {
+public class OAuth2Client implements Comparable<OAuth2Client>{
 
     @Id
     private String id;
@@ -40,6 +43,9 @@
     @JoinColumn(name = "url_id")
     private OAuth2ClientUrl clientUrl;
 
+    @OneToMany(fetch = FetchType.LAZY, mappedBy = "client")
+    private List<RefreshToken> refreshTokens;
+    
     @Override
     public String toString () {
         return "id=" + id + ", name=" + name + ", secret=" + secret + ", type="
@@ -119,4 +125,9 @@
     public void setClientUrl (OAuth2ClientUrl clientUrl) {
         this.clientUrl = clientUrl;
     }
+
+    @Override
+    public int compareTo (OAuth2Client o) {
+        return this.getName().compareTo(o.getName());
+    }
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/entity/RefreshToken.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/entity/RefreshToken.java
index a43a493..a60aef5 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/entity/RefreshToken.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/entity/RefreshToken.java
@@ -12,6 +12,7 @@
 import javax.persistence.JoinColumn;
 import javax.persistence.JoinTable;
 import javax.persistence.ManyToMany;
+import javax.persistence.ManyToOne;
 import javax.persistence.OneToMany;
 import javax.persistence.Table;
 import javax.persistence.UniqueConstraint;
@@ -30,8 +31,8 @@
     private ZonedDateTime expiryDate;
     @Column(name = "user_id")
     private String userId;
-    @Column(name = "client_id")
-    private String clientId;
+//    @Column(name = "client_id")
+//    private String clientId;
     @Column(name = "user_auth_time", updatable = false)
     private ZonedDateTime userAuthenticationTime;
     @Column(name = "is_revoked")
@@ -39,6 +40,10 @@
 
     @OneToMany(fetch = FetchType.EAGER, mappedBy = "refreshToken")
     private Set<AccessToken> accessTokens;
+    
+    @ManyToOne(fetch=FetchType.LAZY)
+    @JoinColumn(name="client")
+    private OAuth2Client client;
 
     @ManyToMany(fetch = FetchType.EAGER)
     @JoinTable(name = "oauth2_refresh_token_scope",
@@ -82,14 +87,6 @@
         this.userId = userId;
     }
 
-    public String getClientId () {
-        return clientId;
-    }
-
-    public void setClientId (String clientId) {
-        this.clientId = clientId;
-    }
-
     public ZonedDateTime getUserAuthenticationTime () {
         return userAuthenticationTime;
     }
@@ -123,4 +120,12 @@
         this.scopes = scopes;
     }
 
+    public OAuth2Client getClient () {
+        return client;
+    }
+
+    public void setClient (OAuth2Client client) {
+        this.client = client;
+    }
+
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuTokenService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuTokenService.java
index 6bf3b39..7b4ac81 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuTokenService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuTokenService.java
@@ -120,7 +120,7 @@
                     "Refresh token is not found", OAuth2Error.INVALID_GRANT);
         }
 
-        if (!clientId.equals(refreshToken.getClientId())) {
+        if (!clientId.equals(refreshToken.getClient().getId())) {
             throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED,
                     "Client " + clientId + "is not authorized",
                     OAuth2Error.INVALID_CLIENT);
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
index 47dffe3..23b8267 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
@@ -5,6 +5,8 @@
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 
 import org.apache.commons.validator.routines.UrlValidator;
@@ -25,6 +27,7 @@
 import de.ids_mannheim.korap.oauth2.dao.RefreshTokenDao;
 import de.ids_mannheim.korap.oauth2.dto.OAuth2ClientDto;
 import de.ids_mannheim.korap.oauth2.dto.OAuth2ClientInfoDto;
+import de.ids_mannheim.korap.oauth2.dto.OAuth2UserClientDto;
 import de.ids_mannheim.korap.oauth2.entity.AccessToken;
 import de.ids_mannheim.korap.oauth2.entity.Authorization;
 import de.ids_mannheim.korap.oauth2.entity.OAuth2Client;
@@ -337,4 +340,36 @@
                     "Unauthorized operation for user: " + username, username);
         }
     }
+
+    public OAuth2Client retrieveClient (String clientId)
+            throws KustvaktException {
+        return clientDao.retrieveClientById(clientId);
+    }
+
+    public List<OAuth2Client> retrieveUserClients (String username)
+            throws KustvaktException {
+        return clientDao.retrieveUserClients(username);
+    }
+
+    public List<OAuth2UserClientDto> listUserClients (String username,
+            String clientId, String clientSecret) throws KustvaktException {
+        OAuth2Client client = authenticateClient(clientId, clientSecret);
+        if (!client.isSuper()) {
+            throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED,
+                    "Only super client is allowed to list user clients.",
+                    OAuth2Error.UNAUTHORIZED_CLIENT);
+        }
+        List<OAuth2Client> userClients = retrieveUserClients(username);
+        Collections.sort(userClients);
+        
+        List<OAuth2UserClientDto> dtoList = new ArrayList<>(userClients.size());
+        for (OAuth2Client uc : userClients) {
+            if (uc.isSuper()) continue;
+            OAuth2UserClientDto dto = new OAuth2UserClientDto();
+            dto.setClientId(uc.getId());
+            dto.setClientName(uc.getName());
+            dtoList.add(dto);
+        }
+        return dtoList;
+    }
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
index ca7e168..02b190f 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
@@ -1,5 +1,7 @@
 package de.ids_mannheim.korap.web.controller;
 
+import java.util.List;
+
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.FormParam;
@@ -22,6 +24,7 @@
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.oauth2.dto.OAuth2ClientDto;
 import de.ids_mannheim.korap.oauth2.dto.OAuth2ClientInfoDto;
+import de.ids_mannheim.korap.oauth2.dto.OAuth2UserClientDto;
 import de.ids_mannheim.korap.oauth2.service.OAuth2ClientService;
 import de.ids_mannheim.korap.oauth2.service.OAuth2ScopeService;
 import de.ids_mannheim.korap.security.context.TokenContext;
@@ -55,7 +58,8 @@
  */
 @Controller
 @Path("{version}/oauth2/client")
-@ResourceFilters({APIVersionFilter.class, AuthenticationFilter.class, BlockingFilter.class })
+@ResourceFilters({ APIVersionFilter.class, AuthenticationFilter.class,
+        BlockingFilter.class })
 public class OAuthClientController {
 
     @Autowired
@@ -180,7 +184,8 @@
      * authorization codes are invalidated.
      * 
      * @param securityContext
-     * @param clientId OAuth2 client id
+     * @param clientId
+     *            OAuth2 client id
      * @param super
      *            true indicating super client, false otherwise
      * @return Response status OK, if successful
@@ -222,4 +227,43 @@
             throw responseHandler.throwit(e);
         }
     }
+
+    /**
+     * Lists user clients having refresh tokens. This service is not
+     * part of the OAuth2 specification. It is intended to facilitate
+     * users revoking any suspicious and misused access or refresh
+     * tokens.
+     * 
+     * Only super clients are allowed to use this service. It requires
+     * user and client authentications.
+     * 
+     * @param context
+     * @return a list of clients having refresh tokens of the
+     *         given user
+     */
+    @POST
+    @Path("list")
+    @ResourceFilters({ AuthenticationFilter.class, BlockingFilter.class })
+    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public List<OAuth2UserClientDto> listUserApp (
+            @Context SecurityContext context,
+            @FormParam("client_id") String clientId,
+            @FormParam("client_secret") String clientSecret) {
+
+        TokenContext tokenContext = (TokenContext) context.getUserPrincipal();
+        String username = tokenContext.getUsername();
+
+        try {
+            scopeService.verifyScope(tokenContext,
+                    OAuth2Scope.LIST_USER_CLIENT);
+
+            return clientService.listUserClients(username, clientId,
+                    clientSecret);
+        }
+        catch (KustvaktException e) {
+            throw responseHandler.throwit(e);
+        }
+    }
+
 }
diff --git a/full/src/main/resources/db/sqlite/V1.4__oauth2_tables.sql b/full/src/main/resources/db/sqlite/V1.4__oauth2_tables.sql
index e0c06d6..fe0123c 100644
--- a/full/src/main/resources/db/sqlite/V1.4__oauth2_tables.sql
+++ b/full/src/main/resources/db/sqlite/V1.4__oauth2_tables.sql
@@ -62,11 +62,11 @@
 	token VARCHAR(255) NOT NULL,
 	user_id VARCHAR(100) DEFAULT NULL,
 	user_auth_time TIMESTAMP NOT NULL,
-	client_id VARCHAR(100) DEFAULT NULL,
 	created_date TIMESTAMP NOT NULL,
 	expiry_date TIMESTAMP NULL,
 	is_revoked BOOLEAN DEFAULT 0,
-	FOREIGN KEY (client_id)
+	client VARCHAR(100) DEFAULT NULL,
+	FOREIGN KEY (client)
 	   REFERENCES oauth2_client(id)
 );
 
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
index 674a5e6..7697db7 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
@@ -42,7 +42,7 @@
     @Test
     public void testScopeWithSuperClient () throws KustvaktException {
         ClientResponse response =
-                requestTokenWithPassword(superClientId, clientSecret);
+                requestTokenWithDoryPassword(superClientId, clientSecret);
 
         JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
         assertEquals("all", node.at("/scope").asText());
@@ -261,7 +261,7 @@
     public void testRequestAuthorizationWithBearerToken ()
             throws KustvaktException {
         ClientResponse response =
-                requestTokenWithPassword(superClientId, clientSecret);
+                requestTokenWithDoryPassword(superClientId, clientSecret);
         String entity = response.getEntity(String.class);
         
         JsonNode node = JsonUtils.readTree(entity);
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
index 1c59d76..a87e83b 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
@@ -67,7 +67,8 @@
         json.setRedirectURI("https://example.client.com/redirect");
         json.setDescription("This is a confidential test client.");
 
-        return resource().path(API_VERSION).path("oauth2").path("client").path("register")
+        return resource().path(API_VERSION).path("oauth2").path("client")
+                .path("register")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -78,8 +79,8 @@
     private JsonNode retrieveClientInfo (String clientId, String username)
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
-                .path("info").path(clientId)
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("client").path("info").path(clientId)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .get(ClientResponse.class);
@@ -128,8 +129,8 @@
         json.setRedirectURI("https://test.public.client.com/redirect");
         json.setDescription("This is a public test client.");
 
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
-                .path("register")
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("client").path("register")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -155,8 +156,8 @@
         json.setType(OAuth2ClientType.PUBLIC);
         json.setDescription("This is a desktop test client.");
 
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
-                .path("register")
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("client").path("register")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -182,8 +183,8 @@
 
         String code =
                 requestAuthorizationCode(clientId, "", null, userAuthHeader);
-        ClientResponse response = requestTokenWithAuthorizationCodeAndForm(clientId,
-                clientSecret, code);
+        ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
+                clientId, clientSecret, code);
         JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
         String accessToken = node.at("/access_token").asText();
 
@@ -213,8 +214,9 @@
             String clientId) throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
 
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
-                .path("deregister").path(clientId).delete(ClientResponse.class);
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("client").path("deregister").path(clientId)
+                .delete(ClientResponse.class);
 
         assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
 
@@ -228,8 +230,8 @@
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
 
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
-                .path("deregister")
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("client").path("deregister")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .delete(ClientResponse.class);
@@ -241,8 +243,8 @@
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
 
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
-                .path("deregister").path(clientId)
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("client").path("deregister").path(clientId)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .delete(ClientResponse.class);
@@ -257,8 +259,8 @@
         MultivaluedMap<String, String> form = new MultivaluedMapImpl();
         form.add("client_secret", clientSecret);
 
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
-                .path("deregister").path(clientId)
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("client").path("deregister").path(clientId)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.CONTENT_TYPE,
@@ -271,8 +273,8 @@
     private void testDeregisterConfidentialClientMissingSecret (String clientId)
             throws KustvaktException {
 
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
-                .path("deregister").path(clientId)
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("client").path("deregister").path(clientId)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.CONTENT_TYPE,
@@ -295,8 +297,8 @@
         MultivaluedMap<String, String> form = new MultivaluedMapImpl();
         form.add("client_secret", clientSecret);
 
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
-                .path("deregister").path(clientId)
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("client").path("deregister").path(clientId)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.CONTENT_TYPE,
@@ -320,8 +322,8 @@
         MultivaluedMap<String, String> form = new MultivaluedMapImpl();
         form.add("client_id", clientId);
 
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
-                .path("reset")
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("client").path("reset")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.CONTENT_TYPE,
@@ -343,8 +345,8 @@
         form.add("client_id", clientId);
         form.add("client_secret", clientSecret);
 
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
-                .path("reset")
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("client").path("reset")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
                 .header(HttpHeaders.CONTENT_TYPE,
@@ -382,7 +384,7 @@
 
         testAccessTokenAfterUpgradingClient(clientId, accessToken);
         testAccessTokenAfterDegradingSuperClient(clientId, accessToken);
-        
+
         testDeregisterConfidentialClient(clientId, clientSecret);
     }
 
@@ -398,9 +400,11 @@
         assertTrue(node.at("/isSuper").asBoolean());
 
         // list vc
-        ClientResponse response = resource().path(API_VERSION).path("vc").path("list")
-                .header(Attributes.AUTHORIZATION, "Bearer " + accessToken)
-                .get(ClientResponse.class);
+        ClientResponse response =
+                resource().path(API_VERSION).path("vc").path("list")
+                        .header(Attributes.AUTHORIZATION,
+                                "Bearer " + accessToken)
+                        .get(ClientResponse.class);
 
         assertEquals(ClientResponse.Status.UNAUTHORIZED.getStatusCode(),
                 response.getStatus());
@@ -410,7 +414,7 @@
                 node.at("/errors/0/0").asInt());
         assertEquals("Scope vc_info is not authorized",
                 node.at("/errors/0/1").asText());
-        
+
         // search
         response = searchWithAccessToken(accessToken);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
@@ -421,7 +425,7 @@
         MultivaluedMap<String, String> form = new MultivaluedMapImpl();
         form.add("client_id", clientId);
         form.add("super", "false");
-        
+
         updateClientPrivilege(form);
         JsonNode node = retrieveClientInfo(clientId, username);
         assertTrue(node.at("/isSuper").isMissingNode());
@@ -429,7 +433,7 @@
         ClientResponse response = searchWithAccessToken(accessToken);
         assertEquals(ClientResponse.Status.UNAUTHORIZED.getStatusCode(),
                 response.getStatus());
-        
+
         String entity = response.getEntity(String.class);
         node = JsonUtils.readTree(entity);
         assertEquals(StatusCodes.INVALID_ACCESS_TOKEN,
@@ -437,4 +441,51 @@
         assertEquals("Access token has been revoked",
                 node.at("/errors/0/1").asText());
     }
+
+    @Test
+    public void testListUserClients () throws KustvaktException {
+        String username = "pearl";
+        String password = "pwd";
+        userAuthHeader = HttpAuthorizationHandler
+                .createBasicAuthorizationHeaderValue(username, password);
+
+        // super client
+        ClientResponse response = requestTokenWithPassword(superClientId,
+                clientSecret, username, password);
+        assertEquals(Status.OK.getStatusCode(), response.getStatus());
+
+        // client 1
+        String code = requestAuthorizationCode(publicClientId, clientSecret,
+                null, userAuthHeader);
+        response = requestTokenWithAuthorizationCodeAndForm(publicClientId, "",
+                code);
+        assertEquals(Status.OK.getStatusCode(), response.getStatus());
+
+        // client 2
+        code = requestAuthorizationCode(confidentialClientId, clientSecret,
+                null, userAuthHeader);
+        response = requestTokenWithAuthorizationCodeAndForm(
+                confidentialClientId, clientSecret, code);
+        assertEquals(Status.OK.getStatusCode(), response.getStatus());
+
+        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
+        form.add("client_id", superClientId);
+        form.add("client_secret", clientSecret);
+
+        response = resource().path(API_VERSION).path("oauth2").path("client")
+                .path("list").header(Attributes.AUTHORIZATION, userAuthHeader)
+                .header(HttpHeaders.CONTENT_TYPE,
+                        ContentType.APPLICATION_FORM_URLENCODED)
+                .entity(form).post(ClientResponse.class);
+
+        assertEquals(Status.OK.getStatusCode(), response.getStatus());
+        
+        String entity = response.getEntity(String.class);
+        JsonNode node = JsonUtils.readTree(entity);
+        
+        assertEquals(2, node.size());
+        assertEquals(confidentialClientId, node.at("/0/clientId").asText());
+        assertEquals(publicClientId, node.at("/1/clientId").asText());
+    }
+
 }
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
index 945e9d0..e454762 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
@@ -322,7 +322,7 @@
     public void testRequestTokenPasswordGrantConfidentialSuper ()
             throws KustvaktException {
         ClientResponse response =
-                requestTokenWithPassword(superClientId, clientSecret);
+                requestTokenWithDoryPassword(superClientId, clientSecret);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
@@ -338,7 +338,7 @@
     public void testRequestTokenPasswordGrantConfidentialNonSuper ()
             throws KustvaktException {
         ClientResponse response =
-                requestTokenWithPassword(confidentialClientId, clientSecret);
+                requestTokenWithDoryPassword(confidentialClientId, clientSecret);
         String entity = response.getEntity(String.class);
         assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
 
@@ -352,7 +352,7 @@
     @Test
     public void testRequestTokenPasswordGrantPublic ()
             throws KustvaktException {
-        ClientResponse response = requestTokenWithPassword(publicClientId, "");
+        ClientResponse response = requestTokenWithDoryPassword(publicClientId, "");
         String entity = response.getEntity(String.class);
 
         assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
@@ -422,7 +422,7 @@
     public void testRequestTokenPasswordGrantMissingClientSecret ()
             throws KustvaktException {
         ClientResponse response =
-                requestTokenWithPassword(confidentialClientId, "");
+                requestTokenWithDoryPassword(confidentialClientId, "");
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
 
         String entity = response.getEntity(String.class);
@@ -436,7 +436,7 @@
     @Test
     public void testRequestTokenPasswordGrantMissingClientId ()
             throws KustvaktException {
-        ClientResponse response = requestTokenWithPassword(null, clientSecret);
+        ClientResponse response = requestTokenWithDoryPassword(null, clientSecret);
         String entity = response.getEntity(String.class);
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
 
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
index bf068bf..42318bc 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
@@ -24,8 +24,9 @@
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.utils.JsonUtils;
 
-/** Provides common methods and variables for OAuth2 tests,
- *  and does not run any test. 
+/**
+ * Provides common methods and variables for OAuth2 tests,
+ * and does not run any test.
  * 
  * @author margaretha
  *
@@ -105,8 +106,8 @@
         form.add("client_id", clientId);
         form.add("code", code);
 
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("token")
-                .header(Attributes.AUTHORIZATION, authHeader)
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("token").header(Attributes.AUTHORIZATION, authHeader)
                 .header(HttpHeaders.CONTENT_TYPE,
                         ContentType.APPLICATION_FORM_URLENCODED)
                 .entity(form).post(ClientResponse.class);
@@ -115,14 +116,21 @@
         return JsonUtils.readTree(entity);
     }
 
-    public ClientResponse requestTokenWithPassword (String clientId,
+    public ClientResponse requestTokenWithDoryPassword (String clientId,
             String clientSecret) throws KustvaktException {
+        return requestTokenWithPassword(clientId, clientSecret, "dory",
+                "password");
+    }
+
+    public ClientResponse requestTokenWithPassword (String clientId,
+            String clientSecret, String username, String password)
+            throws KustvaktException {
         MultivaluedMap<String, String> form = new MultivaluedMapImpl();
         form.add("grant_type", "password");
         form.add("client_id", clientId);
         form.add("client_secret", clientSecret);
-        form.add("username", "dory");
-        form.add("password", "password");
+        form.add("username", username);
+        form.add("password", password);
 
         return requestToken(form);
     }
@@ -130,8 +138,8 @@
     public void updateClientPrivilege (MultivaluedMap<String, String> form)
             throws UniformInterfaceException, ClientHandlerException,
             KustvaktException {
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("client")
-                .path("privilege")
+        ClientResponse response = resource().path(API_VERSION).path("oauth2")
+                .path("client").path("privilege")
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue("admin", "pass"))
                 .header(HttpHeaders.CONTENT_TYPE,
@@ -140,10 +148,10 @@
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
     }
-    
+
     public ClientResponse searchWithAccessToken (String accessToken) {
-        return resource().path(API_VERSION).path("search").queryParam("q", "Wasser")
-                .queryParam("ql", "poliqarp")
+        return resource().path(API_VERSION).path("search")
+                .queryParam("q", "Wasser").queryParam("ql", "poliqarp")
                 .header(Attributes.AUTHORIZATION, "Bearer " + accessToken)
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .get(ClientResponse.class);