Removed client authentication from the client deregistration &
client-secret reset APIs.

Change-Id: I9af0c65b5a7e34af761db6d519ea72a2c6d9c46e
diff --git a/full/Changes b/full/Changes
index ff981f6..c72f6df 100644
--- a/full/Changes
+++ b/full/Changes
@@ -6,7 +6,9 @@
 05/02/2020
    - Added a config properties for a long-time access token expiry 
      and excluded refresh tokens for public clients in OAuth2 token 
-     responses (margaretha) 
+     responses (margaretha)
+   - Removed client authentication from the client deregistration and 
+     client-secret reset APIs (margaretha)   
    
 # version 0.62.3
 03/12/2019
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
index 05280a2..a4188c8 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
@@ -184,14 +184,11 @@
         return true;
     }
 
-    public void deregisterClient (String clientId, String clientSecret,
-            String username) throws KustvaktException {
+    public void deregisterClient (String clientId, String username)
+            throws KustvaktException {
 
         OAuth2Client client = clientDao.retrieveClientById(clientId);
-        if (client.getType().equals(OAuth2ClientType.CONFIDENTIAL)) {
-            authenticateClient(clientId, clientSecret);
-        }
-
+        
         if (adminDao.isAdmin(username)
                 || client.getRegisteredBy().equals(username)) {
 
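Review bot: With the secret check gone, the owner-or-admin test at `adminDao.isAdmin(username) || client.getRegisteredBy().equals(username)` is now the only authorization for deregistering a confidential client, and the method has no Javadoc stating that. I would add one above the new signature: "Deregisters the client identified by clientId. Authorization rests solely on the authenticated user: the caller must be an admin or the user who registered the client; the client secret is no longer verified." The replacement line after the removed `if` block is whitespace-only (trailing spaces) and should be an empty line. The rest of the method body lies outside this hunk.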
@@ -231,10 +228,10 @@
         }
     }
 
-    public OAuth2ClientDto resetSecret (String clientId, String clientSecret,
-            String username) throws KustvaktException {
+    public OAuth2ClientDto resetSecret (String clientId, String username)
+            throws KustvaktException {
 
-        OAuth2Client client = authenticateClient(clientId, clientSecret);
+        OAuth2Client client = clientDao.retrieveClientById(clientId);
         if (!client.getType().equals(OAuth2ClientType.CONFIDENTIAL)) {
             throw new KustvaktException(StatusCodes.NOT_ALLOWED,
                     "Operation is not allowed for public clients",
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
index 6763241..04927c9 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
@@ -124,17 +124,14 @@
      */
     @DELETE
     @Path("deregister/{client_id}")
-    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
     public Response deregisterClient (
             @Context SecurityContext securityContext,
-            @PathParam("client_id") String clientId,
-            @FormParam("client_secret") String clientSecret) {
+            @PathParam("client_id") String clientId) {
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
         try {
             scopeService.verifyScope(context, OAuth2Scope.DEREGISTER_CLIENT);
-            clientService.deregisterClient(clientId, clientSecret,
-                    context.getUsername());
+            clientService.deregisterClient(clientId, context.getUsername());
             return Response.ok().build();
         }
         catch (KustvaktException e) {
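Review bot: The Javadoc blocks preceding deregisterClient (the `*/` at the top of this hunk) and resetClientSecret (the hunk at the second file section, starting at `@Produces`) are not visible here; if they still describe a `client_secret` form parameter, they are now stale and should document instead that the endpoint authorizes on the caller's token (DEREGISTER_CLIENT / RESET_CLIENT_SECRET scope) and on the user being the client's registrant or an admin. For deregisterClient the request no longer carries a body, so a line such as "No request body; the client is identified by the client_id path segment" would make the contract explicit to API consumers.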
@@ -158,14 +155,12 @@
     @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
     public OAuth2ClientDto resetClientSecret (
             @Context SecurityContext securityContext,
-            @FormParam("client_id") String clientId,
-            @FormParam("client_secret") String clientSecret) {
+            @FormParam("client_id") String clientId) {
         TokenContext context =
                 (TokenContext) securityContext.getUserPrincipal();
         try {
             scopeService.verifyScope(context, OAuth2Scope.RESET_CLIENT_SECRET);
-            return clientService.resetSecret(clientId, clientSecret,
-                    context.getUsername());
+            return clientService.resetSecret(clientId, context.getUsername());
         }
         catch (KustvaktException e) {
             throw responseHandler.throwit(e);
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
index 2ee4bc2..3183beb 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
@@ -136,13 +136,11 @@
         assertNotNull(clientSecret);
 
         testRegisterClientNonUniqueURL();
+        testResetConfidentialClientSecret(clientId, clientSecret);
 
-        String newclientSecret =
-                testResetConfidentialClientSecret(clientId, clientSecret);
-
-        testDeregisterConfidentialClientMissingSecret(clientId);
-        testDeregisterClientIncorrectCredentials(clientId, clientSecret);
-        testDeregisterConfidentialClient(clientId, newclientSecret);
+//        testDeregisterConfidentialClientMissingSecret(clientId);
+//        testDeregisterClientIncorrectCredentials(clientId, clientSecret);
+        testDeregisterConfidentialClient(clientId);
     }
 
     private void testRegisterClientNonUniqueURL () throws KustvaktException {
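Review bot: The two negative tests are kept as commented-out calls (`//        testDeregisterConfidentialClientMissingSecret(clientId);` and the following line) and their helpers are only marked `@Deprecated` in the later hunks at `@@ -291,24 +289,20 @@` and `@@ -329,6 +323,7 @@`; since nothing calls them any more, the commented lines and both helpers should be deleted rather than left as dead code. More importantly, no negative test replaces them for the new authorization model: nothing here exercises a caller who holds the scope but is neither admin nor the registering user. I would add a helper, built like testDeregisterConfidentialClient but authenticating as a different test user, that asserts the deregister call does not return Status.OK, and a parallel one for the client-secret reset, so the owner-or-admin check is what the suite pins rather than the removed secret check.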
@@ -291,24 +289,20 @@
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
     }
 
-    private void testDeregisterConfidentialClient (String clientId,
-            String clientSecret) throws UniformInterfaceException,
-            ClientHandlerException, KustvaktException {
-
-        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        form.add("client_secret", clientSecret);
+    private void testDeregisterConfidentialClient (String clientId)
+            throws UniformInterfaceException, ClientHandlerException,
+            KustvaktException {
 
         ClientResponse response = resource().path(API_VERSION).path("oauth2")
                 .path("client").path("deregister").path(clientId)
                 .header(Attributes.AUTHORIZATION, HttpAuthorizationHandler
                         .createBasicAuthorizationHeaderValue(username, "pass"))
-                .header(HttpHeaders.CONTENT_TYPE,
-                        ContentType.APPLICATION_FORM_URLENCODED)
-                .entity(form).delete(ClientResponse.class);
+                .delete(ClientResponse.class);
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
     }
 
+    @Deprecated
     private void testDeregisterConfidentialClientMissingSecret (String clientId)
             throws KustvaktException {
 
@@ -329,6 +323,7 @@
                 node.at("/error_description").asText());
     }
 
+    @Deprecated
     private void testDeregisterClientIncorrectCredentials (String clientId,
             String clientSecret) throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
@@ -424,7 +419,7 @@
         testAccessTokenAfterUpgradingClient(clientId, accessToken);
         testAccessTokenAfterDegradingSuperClient(clientId, accessToken);
 
-        testDeregisterConfidentialClient(clientId, clientSecret);
+        testDeregisterConfidentialClient(clientId);
     }
 
     // old access tokens retain their scopes