Added authorization request with GET and deprecated that with POST.

Change-Id: I1a26048c0691bb87ccb05edb06fc99be0e5205c5
diff --git a/full/Changes b/full/Changes
index 5117c88..4902952 100644
--- a/full/Changes
+++ b/full/Changes
@@ -8,6 +8,8 @@
  - Added registration_date, refresh_token_expiry, source and is_permitted
    to the oauth2_client database table, and updated the OAuth2 client 
    registration mechanism.
+ - Added authorization request with GET and deprecated that with POST.
+
 
 # version 0.65.2
 
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
index 0b1d438..e29ad15 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
@@ -6,9 +6,11 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.FormParam;
+import javax.ws.rs.GET;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
@@ -92,6 +94,7 @@
      *            form parameters
      * @return a redirect URL
      */
+    @Deprecated
     @POST
     @Path("authorize")
     @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@@ -125,6 +128,38 @@
             throw responseHandler.throwit(e, state);
         }
     }
+    
+    @GET
+    @Path("authorize")
+    public Response requestAuthorizationCode (
+            @Context HttpServletRequest request,
+            @Context SecurityContext context,
+            @QueryParam("state") String state
+            ) {
+
+        TokenContext tokenContext = (TokenContext) context.getUserPrincipal();
+        String username = tokenContext.getUsername();
+        ZonedDateTime authTime = tokenContext.getAuthenticationTime();
+
+        try {
+            scopeService.verifyScope(tokenContext, OAuth2Scope.AUTHORIZE);
+
+            OAuth2AuthorizationRequest authzRequest =
+                    new OAuth2AuthorizationRequest(request);
+            String uri = authorizationService.requestAuthorizationCode(
+                    request, authzRequest, username, authTime);
+            return responseHandler.sendRedirect(uri);
+        }
+        catch (OAuthSystemException e) {
+            throw responseHandler.throwit(e, state);
+        }
+        catch (OAuthProblemException e) {
+            throw responseHandler.throwit(e, state);
+        }
+        catch (KustvaktException e) {
+            throw responseHandler.throwit(e, state);
+        }
+    }
 
     /**
      * Grants a client an access token, namely a string used in
diff --git a/full/src/main/resources/db/test/V3.5__insert_oauth2_clients.sql b/full/src/main/resources/db/test/V3.5__insert_oauth2_clients.sql
index 043426d..b2d6949 100644
--- a/full/src/main/resources/db/test/V3.5__insert_oauth2_clients.sql
+++ b/full/src/main/resources/db/test/V3.5__insert_oauth2_clients.sql
@@ -24,12 +24,11 @@
   "http://third.party.com/confidential", CURRENT_TIMESTAMP,1);
 
 INSERT INTO oauth2_client(id,name,secret,type,super,
-  redirect_uri,registered_by, description,url, registration_date, 
+  registered_by, description,url, registration_date, 
   is_permitted) 
 VALUES ("52atrL0ajex_3_5imd9Mgw","confidential client 2",
   "$2a$08$vi1FbuN3p6GcI1tSxMAoeuIYL8Yw3j6A8wJthaN8ZboVnrQaTwLPq",
-  "CONFIDENTIAL", 0,
-  "https://example.client.de/redirect", "system",
+  "CONFIDENTIAL", 0,"system",
   "This is a test nonsuper confidential client.",
   "http://example.client.de", CURRENT_TIMESTAMP, 1);
 
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
index f6768f1..eeae3b7 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
@@ -5,6 +5,7 @@
 import static org.junit.Assert.assertTrue;
 
 import java.io.IOException;
+import java.net.URI;
 
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response.Status;
@@ -12,6 +13,8 @@
 import org.apache.http.entity.ContentType;
 import org.apache.oltu.oauth2.common.message.types.GrantType;
 import org.junit.Test;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.util.UriComponentsBuilder;
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.google.common.net.HttpHeaders;
@@ -60,9 +63,17 @@
 
     @Test
     public void testCustomScope () throws KustvaktException {
-        String code = requestAuthorizationCode(confidentialClientId,
-                clientSecret, OAuth2Scope.VC_INFO.toString(), userAuthHeader);
-        ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
+        ClientResponse response =
+                requestAuthorizationCode("code", confidentialClientId, "",
+                        OAuth2Scope.VC_INFO.toString(), "", userAuthHeader);
+        assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
+                response.getStatus());
+        URI redirectUri = response.getLocation();
+        MultiValueMap<String, String> params = UriComponentsBuilder
+                .fromUri(redirectUri).build().getQueryParams();
+        String code = params.getFirst("code");
+        
+        response = requestTokenWithAuthorizationCodeAndForm(
                 confidentialClientId, clientSecret, code);
         JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
 
@@ -82,8 +93,7 @@
 
     @Test
     public void testDefaultScope () throws KustvaktException, IOException {
-        String code = requestAuthorizationCode(confidentialClientId, clientSecret,
-                null, userAuthHeader);
+        String code = requestAuthorizationCode(confidentialClientId, userAuthHeader);
         ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
                 confidentialClientId, clientSecret, code);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
@@ -160,7 +170,7 @@
     public void testRevokeAccessTokenConfidentialClient ()
             throws KustvaktException {
         String code = requestAuthorizationCode(confidentialClientId,
-                clientSecret, null, userAuthHeader);
+                userAuthHeader);
         JsonNode node = requestTokenWithAuthorizationCodeAndHeader(
                 confidentialClientId, code, clientAuthHeader);
 
@@ -183,7 +193,7 @@
     @Test
     public void testRevokeAccessTokenPublicClientViaSuperClient()
             throws KustvaktException {
-        String code = requestAuthorizationCode(publicClientId, "", null,
+        String code = requestAuthorizationCode(publicClientId,
                 userAuthHeader);
         ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
                 publicClientId, "", code);
@@ -211,8 +221,8 @@
     @Test
     public void testAccessTokenAfterRequestRefreshToken ()
             throws KustvaktException, IOException {
-        String code = requestAuthorizationCode(confidentialClientId,
-                clientSecret, null, userAuthHeader);
+        String code =
+                requestAuthorizationCode(confidentialClientId, userAuthHeader);
         JsonNode node = requestTokenWithAuthorizationCodeAndHeader(
                 confidentialClientId, code, clientAuthHeader);
 
@@ -245,22 +255,13 @@
     public void testRequestAuthorizationWithBearerTokenUnauthorized ()
             throws KustvaktException {
         String code = requestAuthorizationCode(confidentialClientId,
-                clientSecret, null, userAuthHeader);
+                userAuthHeader);
         JsonNode node = requestTokenWithAuthorizationCodeAndHeader(
                 confidentialClientId, code, clientAuthHeader);
         String userAuthToken = node.at("/access_token").asText();
 
-        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        form.add("response_type", "code");
-        form.add("client_id", confidentialClientId);
-        form.add("client_secret", clientSecret);
-
-        ClientResponse response = resource().path(API_VERSION).path("oauth2").path("authorize")
-                .header(Attributes.AUTHORIZATION, "Bearer " + userAuthToken)
-                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
-                .header(HttpHeaders.CONTENT_TYPE,
-                        ContentType.APPLICATION_FORM_URLENCODED)
-                .entity(form).post(ClientResponse.class);
+        ClientResponse response = requestAuthorizationCode("code",
+                confidentialClientId, "", "", "", "Bearer " + userAuthToken);
 
         assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
 
@@ -286,7 +287,7 @@
         assertNotNull(node.at("/expires_in").asText());
 
         String code = requestAuthorizationCode(superClientId,
-                clientSecret, null, "Bearer " + userAuthToken);
+                "Bearer " + userAuthToken);
         assertNotNull(code);
     }
 
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AdminControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AdminControllerTest.java
index 435bf1b..b656b63 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AdminControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AdminControllerTest.java
@@ -96,9 +96,7 @@
     public void testCleanRevokedTokens () throws KustvaktException {
 
         int accessTokensBefore = accessDao.retrieveInvalidAccessTokens().size();
-
-        String code = requestAuthorizationCode(publicClientId, "", null,
-                userAuthHeader);
+        String code = requestAuthorizationCode(publicClientId, userAuthHeader);
 
         ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
                 publicClientId, clientSecret, code);
@@ -129,8 +127,7 @@
         // request an access token
         String clientAuthHeader = HttpAuthorizationHandler
                 .createBasicAuthorizationHeaderValue(clientId, clientSecret);
-        String code = requestAuthorizationCode(clientId, clientSecret, null,
-                userAuthHeader);
+        String code = requestAuthorizationCode(clientId, userAuthHeader);
         node = requestTokenWithAuthorizationCodeAndHeader(clientId, code,
                 clientAuthHeader);
         String accessToken = node.at("/access_token").asText();
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationPostTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationPostTest.java
new file mode 100644
index 0000000..7501798
--- /dev/null
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationPostTest.java
@@ -0,0 +1,97 @@
+package de.ids_mannheim.korap.web.controller;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+import java.net.URI;
+
+import javax.ws.rs.core.MultivaluedMap;
+
+import org.apache.http.entity.ContentType;
+import org.apache.oltu.oauth2.common.message.types.TokenType;
+import org.junit.Test;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.google.common.net.HttpHeaders;
+import com.sun.jersey.api.client.ClientResponse;
+import com.sun.jersey.api.client.ClientResponse.Status;
+import com.sun.jersey.api.uri.UriComponent;
+import com.sun.jersey.core.util.MultivaluedMapImpl;
+
+import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
+import de.ids_mannheim.korap.config.Attributes;
+import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.utils.JsonUtils;
+
+public class OAuth2AuthorizationPostTest extends OAuth2TestBase {
+
+    public String userAuthHeader;
+
+    public OAuth2AuthorizationPostTest () throws KustvaktException {
+        userAuthHeader = HttpAuthorizationHandler
+                .createBasicAuthorizationHeaderValue("dory", "password");
+    }
+    
+    private ClientResponse requestAuthorizationCode (
+            MultivaluedMap<String, String> form, String authHeader)
+            throws KustvaktException {
+
+        return resource().path(API_VERSION).path("oauth2").path("authorize")
+                .header(Attributes.AUTHORIZATION, authHeader)
+                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
+                .header(HttpHeaders.CONTENT_TYPE,
+                        ContentType.APPLICATION_FORM_URLENCODED)
+                .entity(form).post(ClientResponse.class);
+    }
+    
+    @Test
+    public void testAuthorizeConfidentialClient () throws KustvaktException {
+        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
+        form.add("response_type", "code");
+        form.add("client_id", confidentialClientId);
+        form.add("state", "thisIsMyState");
+
+        ClientResponse response =
+                requestAuthorizationCode(form, userAuthHeader);
+
+        assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
+                response.getStatus());
+        URI redirectUri = response.getLocation();
+        MultiValueMap<String, String> params = UriComponentsBuilder
+                .fromUri(redirectUri).build().getQueryParams();
+        assertNotNull(params.getFirst("code"));
+        assertEquals("thisIsMyState", params.getFirst("state"));
+    }
+    
+    @Test
+    public void testRequestTokenAuthorizationConfidential ()
+            throws KustvaktException {
+
+        MultivaluedMap<String, String> authForm = new MultivaluedMapImpl();
+        authForm.add("response_type", "code");
+        authForm.add("client_id", confidentialClientId);
+        authForm.add("scope", "search");
+
+        ClientResponse response =
+                requestAuthorizationCode(authForm, userAuthHeader);
+        URI redirectUri = response.getLocation();
+        MultivaluedMap<String, String> params =
+                UriComponent.decodeQuery(redirectUri, true);
+        String code = params.get("code").get(0);
+        String scopes = params.get("scope").get(0);
+
+        assertEquals(scopes, "search");
+
+        response = requestTokenWithAuthorizationCodeAndForm(
+                confidentialClientId, clientSecret, code);
+        String entity = response.getEntity(String.class);
+        JsonNode node = JsonUtils.readTree(entity);
+        assertNotNull(node.at("/access_token").asText());
+        assertNotNull(node.at("/refresh_token").asText());
+        assertEquals(TokenType.BEARER.toString(),
+                node.at("/token_type").asText());
+        assertNotNull(node.at("/expires_in").asText());
+    }
+}
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
index ec73796..1cf6c9c 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
@@ -119,7 +119,7 @@
         assertNotNull(clientId);
         assertNotNull(clientSecret);
         assertFalse(clientId.contains("a"));
-        
+
         testConfidentialClientInfo(clientId, username);
         testResetConfidentialClientSecret(clientId, clientSecret);
         deregisterConfidentialClient(username, clientId);
@@ -238,11 +238,12 @@
     @Test
     public void testRegisterPublicClient () throws UniformInterfaceException,
             ClientHandlerException, KustvaktException {
+        String redirectUri = "https://test.public.client.com/redirect";
         OAuth2ClientJson clientJson =
                 createOAuth2ClientJson("OAuth2PublicClient",
                         OAuth2ClientType.PUBLIC, "A public test client.");
         clientJson.setUrl("http://test.public.client.com");
-        clientJson.setRedirectURI("https://test.public.client.com/redirect");
+        clientJson.setRedirectURI(redirectUri);
 
         ClientResponse response = registerClient(username, clientJson);
 
@@ -255,7 +256,7 @@
 
         testRegisterClientUnauthorizedScope(clientId);
         testResetPublicClientSecret(clientId);
-        testAccessTokenAfterDeregistration(clientId, null, null);
+        testAccessTokenAfterDeregistration(clientId, null, "");
     }
 
     private void testRegisterClientUnauthorizedScope (String clientId)
@@ -264,10 +265,9 @@
 
         String userAuthHeader = HttpAuthorizationHandler
                 .createBasicAuthorizationHeaderValue("dory", "password");
-        String code = requestAuthorizationCode(clientId, "", null,
-                userAuthHeader, null);
+        String code = requestAuthorizationCode(clientId, userAuthHeader);
         ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
-                clientId, clientSecret, code, null);
+                clientId, clientSecret, code);
         JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
 
         assertEquals("match_info search", node.at("/scope").asText());
@@ -318,7 +318,7 @@
         assertTrue(node.at("/client_secret").isMissingNode());
 
         testResetPublicClientSecret(clientId);
-        testAccessTokenAfterDeregistration(clientId, null, null);
+        testAccessTokenAfterDeregistration(clientId, null, "");
     }
 
     @Test
@@ -387,8 +387,8 @@
         String userAuthHeader = HttpAuthorizationHandler
                 .createBasicAuthorizationHeaderValue("dory", "password");
 
-        String code = requestAuthorizationCode(clientId, "", null,
-                userAuthHeader, redirectUri);
+        String code = requestAuthorizationCode(clientId, redirectUri, userAuthHeader);
+        
         ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
                 clientId, clientSecret, code, redirectUri);
         JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
@@ -397,8 +397,7 @@
         response = searchWithAccessToken(accessToken);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
-        code = requestAuthorizationCode(clientId, "", null, userAuthHeader,
-                redirectUri);
+        code = requestAuthorizationCode(clientId, redirectUri, userAuthHeader);
         testDeregisterPublicClient(clientId, username);
 
         response = requestTokenWithAuthorizationCodeAndForm(clientId,
@@ -552,8 +551,7 @@
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
         // client 1
-        String code = requestAuthorizationCode(publicClientId, "", null,
-                userAuthHeader);
+        String code = requestAuthorizationCode(publicClientId, userAuthHeader);
         response = requestTokenWithAuthorizationCodeAndForm(publicClientId, "",
                 code);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
@@ -562,8 +560,7 @@
         String accessToken = node.at("/access_token").asText();
 
         // client 2
-        code = requestAuthorizationCode(confidentialClientId, clientSecret,
-                null, userAuthHeader);
+        code = requestAuthorizationCode(confidentialClientId, userAuthHeader);
         response = requestTokenWithAuthorizationCodeAndForm(
                 confidentialClientId, clientSecret, code);
         String refreshToken = node.at("/refresh_token").asText();
@@ -591,8 +588,8 @@
     private void testListAuthorizedClientWithMultipleRefreshTokens (
             String userAuthHeader) throws KustvaktException {
         // client 2
-        String code = requestAuthorizationCode(confidentialClientId,
-                clientSecret, null, userAuthHeader);
+        String code =
+                requestAuthorizationCode(confidentialClientId, userAuthHeader);
         ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
                 confidentialClientId, clientSecret, code);
 
@@ -604,8 +601,7 @@
     private void testListAuthorizedClientWithMultipleAccessTokens (
             String userAuthHeader) throws KustvaktException {
         // client 1
-        String code = requestAuthorizationCode(publicClientId, "", null,
-                userAuthHeader);
+        String code = requestAuthorizationCode(publicClientId, userAuthHeader);
         ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
                 publicClientId, "", code);
 
@@ -621,8 +617,7 @@
                 .createBasicAuthorizationHeaderValue("aaa", "pwd");
 
         // client 1
-        String code = requestAuthorizationCode(publicClientId, "", null,
-                aaaAuthHeader);
+        String code = requestAuthorizationCode(publicClientId, aaaAuthHeader);
         ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
                 publicClientId, "", code);
 
@@ -630,8 +625,7 @@
         String accessToken1 = node.at("/access_token").asText();
 
         // client 2
-        code = requestAuthorizationCode(confidentialClientId, clientSecret,
-                null, aaaAuthHeader);
+        code = requestAuthorizationCode(confidentialClientId, aaaAuthHeader);
         response = requestTokenWithAuthorizationCodeAndForm(
                 confidentialClientId, clientSecret, code);
 
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
index b6cc9ef..b7911b3 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
@@ -47,13 +47,8 @@
 
     @Test
     public void testAuthorizeConfidentialClient () throws KustvaktException {
-        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        form.add("response_type", "code");
-        form.add("client_id", confidentialClientId);
-        form.add("state", "thisIsMyState");
-
-        ClientResponse response =
-                requestAuthorizationCode(form, userAuthHeader);
+        ClientResponse response = requestAuthorizationCode("code",
+                confidentialClientId, "", "", state, userAuthHeader);
 
         assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
                 response.getStatus());
@@ -66,22 +61,15 @@
 
     @Test
     public void testAuthorizePublicClient () throws KustvaktException {
-        String code = requestAuthorizationCode(publicClientId, clientSecret,
-                null, userAuthHeader);
+        String code = requestAuthorizationCode(publicClientId, userAuthHeader);
         assertNotNull(code);
     }
 
     @Test
     public void testAuthorizeInvalidRedirectUri () throws KustvaktException {
         String redirectUri = "https://different.uri/redirect";
-
-        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        form.add("response_type", "code");
-        form.add("client_id", confidentialClientId);
-        form.add("redirect_uri", redirectUri);
-        form.add("state", "thisIsMyState");
-        ClientResponse response =
-                requestAuthorizationCode(form, userAuthHeader);
+        ClientResponse response = requestAuthorizationCode("code",
+                confidentialClientId, redirectUri, "", state, userAuthHeader);
 
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
 
@@ -93,15 +81,23 @@
                 node.at("/error_description").asText());
         assertEquals("thisIsMyState", node.at("/state").asText());
     }
+    
+//    @Test
+//    public void testAuthorizeRedirectUriLocalhost () throws KustvaktException {
+//        String redirectUri = "http://localhost:1410/";
+//        ClientResponse response =
+//                requestAuthorizationCode("code", confidentialClientId2,
+//                        redirectUri, null, "myState", userAuthHeader);
+//        System.out.println(response.getStatus());
+//        System.out.println(response.getEntity(String.class));
+//    }
 
     @Test
     public void testAuthorizeMissingRequiredParameters ()
             throws KustvaktException {
-        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        form.add("state", "thisIsMyState");
         // missing response_type
-        ClientResponse response =
-                requestAuthorizationCode(form, userAuthHeader);
+        ClientResponse response = requestAuthorizationCode("",
+                confidentialClientId, "", "", state, userAuthHeader);
 
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
 
@@ -114,8 +110,7 @@
         assertEquals("thisIsMyState", node.at("/state").asText());
 
         // missing client_id
-        form.add("response_type", "code");
-        response = requestAuthorizationCode(form, userAuthHeader);
+        response = requestAuthorizationCode("code","", "", "", "", userAuthHeader);
         entity = response.getEntity(String.class);
         node = JsonUtils.readTree(entity);
         assertEquals("Missing parameters: client_id",
@@ -128,8 +123,8 @@
         form.add("response_type", "string");
         form.add("state", "thisIsMyState");
 
-        ClientResponse response =
-                requestAuthorizationCode(form, userAuthHeader);
+        ClientResponse response = requestAuthorizationCode("string",
+                confidentialClientId, "", "", state, userAuthHeader);
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
 
         String entity = response.getEntity(String.class);
@@ -143,14 +138,10 @@
 
     @Test
     public void testAuthorizeInvalidScope () throws KustvaktException {
-        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        form.add("response_type", "code");
-        form.add("client_id", confidentialClientId);
-        form.add("scope", "read_address");
-        form.add("state", "thisIsMyState");
+        String scope = "read_address";
 
-        ClientResponse response =
-                requestAuthorizationCode(form, userAuthHeader);
+        ClientResponse response = requestAuthorizationCode("code",
+                confidentialClientId, "", scope, state, userAuthHeader);
         assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
 
         URI location = response.getLocation();
@@ -165,8 +156,8 @@
     @Test
     public void testRequestTokenAuthorizationPublic ()
             throws KustvaktException {
-        String code = requestAuthorizationCode(publicClientId, "", null,
-                userAuthHeader);
+        String code =
+                requestAuthorizationCode(publicClientId, userAuthHeader);
 
         ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
                 publicClientId, clientSecret, code);
@@ -188,13 +179,9 @@
     public void testRequestTokenAuthorizationConfidential ()
             throws KustvaktException {
 
-        MultivaluedMap<String, String> authForm = new MultivaluedMapImpl();
-        authForm.add("response_type", "code");
-        authForm.add("client_id", confidentialClientId);
-        authForm.add("scope", "search");
-
-        ClientResponse response =
-                requestAuthorizationCode(authForm, userAuthHeader);
+        String scope = "search";
+        ClientResponse response = requestAuthorizationCode("code",
+                confidentialClientId, "", scope, state, userAuthHeader);
         URI redirectUri = response.getLocation();
         MultivaluedMap<String, String> params =
                 UriComponent.decodeQuery(redirectUri, true);
@@ -256,15 +243,12 @@
     @Test
     public void testRequestTokenAuthorizationReplyAttack ()
             throws KustvaktException {
-        String uri = "https://third.party.com/confidential/redirect";
-        MultivaluedMap<String, String> authForm = new MultivaluedMapImpl();
-        authForm.add("response_type", "code");
-        authForm.add("client_id", confidentialClientId);
-        authForm.add("scope", "search");
-        authForm.add("redirect_uri", uri);
+        String redirect_uri = "https://third.party.com/confidential/redirect";
+        String scope = "search";
 
         ClientResponse response =
-                requestAuthorizationCode(authForm, userAuthHeader);
+                requestAuthorizationCode("code", confidentialClientId,
+                        redirect_uri, scope, state, userAuthHeader);
         URI redirectUri = response.getLocation();
         MultivaluedMap<String, String> params =
                 UriComponent.decodeQuery(redirectUri, true);
@@ -272,7 +256,7 @@
 
         testRequestTokenAuthorizationInvalidClient(code);
         testRequestTokenAuthorizationInvalidRedirectUri(code);
-        testRequestTokenAuthorizationRevoked(code, uri);
+        testRequestTokenAuthorizationRevoked(code, redirect_uri);
     }
 
     private void testRequestTokenAuthorizationInvalidClient (String code)
@@ -701,17 +685,17 @@
         String refreshToken1 = node.at("/refresh_token").asText();
 
         // client 1
-        String code = requestAuthorizationCode(confidentialClientId,
-                clientSecret, null, userAuthHeader);
+        String code =
+                requestAuthorizationCode(confidentialClientId, userAuthHeader);
         response = requestTokenWithAuthorizationCodeAndForm(
                 confidentialClientId, clientSecret, code);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
         // client 2
-        code = requestAuthorizationCode(confidentialClientId2, clientSecret,
-                null, userAuthHeader);
+        code = requestAuthorizationCode(confidentialClientId2,
+                clientRedirectUri, userAuthHeader);
         response = requestTokenWithAuthorizationCodeAndForm(
-                confidentialClientId2, clientSecret, code);
+                confidentialClientId2, clientSecret, code, clientRedirectUri);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
 
         // list
@@ -721,8 +705,7 @@
         assertEquals(confidentialClientId2, node.at("/1/client_id").asText());
 
         // client 1
-        code = requestAuthorizationCode(confidentialClientId, clientSecret,
-                null, userAuthHeader);
+        code = requestAuthorizationCode(confidentialClientId, userAuthHeader);
         response = requestTokenWithAuthorizationCodeAndForm(
                 confidentialClientId, clientSecret, code);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
@@ -736,8 +719,7 @@
         assertEquals(0, node.size());
 
         // client 1
-        code = requestAuthorizationCode(confidentialClientId, clientSecret,
-                null, darlaAuthHeader);
+        code = requestAuthorizationCode(confidentialClientId, darlaAuthHeader);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
         response = requestTokenWithAuthorizationCodeAndForm(
                 confidentialClientId, clientSecret, code);
@@ -788,8 +770,7 @@
                 .createBasicAuthorizationHeaderValue(username, password);
 
         // access token 1
-        String code = requestAuthorizationCode(publicClientId, clientSecret,
-                null, userAuthHeader);
+        String code = requestAuthorizationCode(publicClientId, userAuthHeader);
         ClientResponse response = requestTokenWithAuthorizationCodeAndForm(publicClientId, "",
                 code);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
@@ -797,8 +778,7 @@
         String accessToken1 = node.at("/access_token").asText();
 
         // access token 2
-        code = requestAuthorizationCode(publicClientId, clientSecret, null,
-                userAuthHeader);
+        code = requestAuthorizationCode(publicClientId, userAuthHeader);
         response = requestTokenWithAuthorizationCodeAndForm(publicClientId, "",
                 code);
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
index 1574505..bcdcee7 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
@@ -49,38 +49,33 @@
     protected String confidentialClientId2 = "52atrL0ajex_3_5imd9Mgw";
     protected String superClientId = "fCBbQkAyYzI4NzUxMg";
     protected String clientSecret = "secret";
+    protected String state = "thisIsMyState";
 
     public static String ACCESS_TOKEN_TYPE = "access_token";
     public static String REFRESH_TOKEN_TYPE = "refresh_token";
     
-    private String clientURL = "http://example.client.com";
-    private String clientRedirectUri = "https://example.client.com/redirect";
+    protected String clientURL = "http://example.client.com";
+    protected String clientRedirectUri = "https://example.client.com/redirect";
 
-    protected ClientResponse requestAuthorizationCode (
-            MultivaluedMap<String, String> form, String authHeader)
-            throws KustvaktException {
+    protected ClientResponse requestAuthorizationCode (String responseType,
+            String clientId, String redirectUri, String scope, String state,
+            String authHeader) throws KustvaktException {
 
         return resource().path(API_VERSION).path("oauth2").path("authorize")
+                .queryParam("response_type", responseType)
+                .queryParam("client_id", clientId)
+                .queryParam("redirect_uri", redirectUri)
+                .queryParam("scope", scope)
+                .queryParam("state", state)
                 .header(Attributes.AUTHORIZATION, authHeader)
-                .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
-                .header(HttpHeaders.CONTENT_TYPE,
-                        ContentType.APPLICATION_FORM_URLENCODED)
-                .entity(form).post(ClientResponse.class);
+                .get(ClientResponse.class);
     }
 
-    protected String requestAuthorizationCode (String clientId,
-            String clientSecret, String scope, String authHeader)
-            throws KustvaktException {
+    protected String requestAuthorizationCode (String clientId, 
+            String authHeader) throws KustvaktException {
 
-        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        form.add("response_type", "code");
-        form.add("client_id", clientId);
-        form.add("client_secret", clientSecret);
-        if (scope != null) {
-            form.add("scope", scope);
-        }
-
-        ClientResponse response = requestAuthorizationCode(form, authHeader);
+        ClientResponse response = requestAuthorizationCode("code", clientId,
+                "", "", "", authHeader);
         assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
                 response.getStatus());
         URI redirectUri = response.getLocation();
@@ -90,22 +85,10 @@
         return params.getFirst("code");
     }
     
-    protected String requestAuthorizationCode (String clientId,
-            String clientSecret, String scope, String authHeader, 
-            String redirect_uri) throws KustvaktException {
-
-        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
-        form.add("response_type", "code");
-        form.add("client_id", clientId);
-        form.add("client_secret", clientSecret);
-        if (scope != null) {
-            form.add("scope", scope);
-        }
-        if (redirect_uri!=null){
-            form.add("redirect_uri", redirect_uri);
-        }
-
-        ClientResponse response = requestAuthorizationCode(form, authHeader);
+    protected String requestAuthorizationCode (String clientId, String redirect_uri,
+            String authHeader) throws KustvaktException {
+        ClientResponse response = requestAuthorizationCode("code", clientId,
+                redirect_uri, "", "", authHeader);
         assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
                 response.getStatus());
         URI redirectUri = response.getLocation();