Merge pull request #184 from contentstack/fix/oauth-impl

Fix oauth implementation

Author: reeshika-h

src/main/java/com/contentstack/cms/Contentstack.java

@@ -740,14 +740,6 @@ public Builder setOAuthConfig(OAuthConfig config) {
             return this;
         }
 
-        /**
-         * Configures OAuth with client credentials (traditional flow)
-         * @param appId Application ID
-         * @param clientId Client ID
-         * @param clientSecret Client secret
-         * @param redirectUri Redirect URI
-         * @return Builder instance
-         */
         private TokenCallback tokenCallback;
 
         /**
@@ -760,64 +752,51 @@ public Builder setTokenCallback(TokenCallback callback) {
             return this;
         }
 
-        public Builder setOAuth(String appId, String clientId, String clientSecret, String redirectUri) {
-            // Use the builder's hostname (which defaults to Util.HOST if not set)
-            return setOAuth(appId, clientId, clientSecret, redirectUri, this.hostname);
-        }
-
         /**
-         * Configures OAuth with client credentials and specific host
+         * Configures OAuth authentication with PKCE flow (no client secret)
          * @param appId Application ID
          * @param clientId Client ID
-         * @param clientSecret Client secret
          * @param redirectUri Redirect URI
-         * @param host API host (e.g. "api.contentstack.io", "eu-api.contentstack.com")
          * @return Builder instance
          */
-        public Builder setOAuth(String appId, String clientId, String clientSecret, String redirectUri, String host) {
-            OAuthConfig.OAuthConfigBuilder builder = OAuthConfig.builder()
-                .appId(appId)
-                .clientId(clientId)
-                .clientSecret(clientSecret)
-                .redirectUri(redirectUri)
-                .host(host);
-
-            // Add token callback if set
-            if (this.tokenCallback != null) {
-                builder.tokenCallback(this.tokenCallback);
-            }
-
-            this.oauthConfig = builder.build();
-            return this;
+        public Builder setOAuth(String appId, String clientId, String redirectUri) {
+            // Use the builder's hostname (which defaults to Util.HOST if not set)
+            return setOAuth(appId, clientId, redirectUri, this.hostname);
         }
 
         /**
-         * Configures OAuth with PKCE (no client secret)
+         * Configures OAuth authentication with PKCE flow (no client secret) and specific host
          * @param appId Application ID
          * @param clientId Client ID
          * @param redirectUri Redirect URI
+         * @param host API host (e.g. "api.contentstack.io", "eu-api.contentstack.com")
          * @return Builder instance
          */
-        public Builder setOAuthWithPKCE(String appId, String clientId, String redirectUri) {
-            // Use the builder's hostname (which defaults to Util.HOST if not set)
-            return setOAuthWithPKCE(appId, clientId, redirectUri, this.hostname);
+        public Builder setOAuth(String appId, String clientId, String redirectUri, String host) {
+            return setOAuth(appId, clientId, redirectUri, host, null);
         }
 
         /**
-         * Configures OAuth with PKCE (no client secret) and specific host
+         * Configures OAuth authentication with optional client secret. PKCE flow is used when clientSecret is not provided.
          * @param appId Application ID
          * @param clientId Client ID
          * @param redirectUri Redirect URI
          * @param host API host (e.g. "api.contentstack.io", "eu-api.contentstack.com")
+         * @param clientSecret Optional client secret. If not provided, PKCE flow will be used
          * @return Builder instance
          */
-        public Builder setOAuthWithPKCE(String appId, String clientId, String redirectUri, String host) {
+        public Builder setOAuth(String appId, String clientId, String redirectUri, String host, String clientSecret) {
             OAuthConfig.OAuthConfigBuilder builder = OAuthConfig.builder()
                 .appId(appId)
                 .clientId(clientId)
                 .redirectUri(redirectUri)
                 .host(host);
 
+            // Only set clientSecret if provided (otherwise PKCE flow will be used)
+            if (clientSecret != null && !clientSecret.trim().isEmpty()) {
+                builder.clientSecret(clientSecret);
+            }
+
             // Add token callback if set
             if (this.tokenCallback != null) {
                 builder.tokenCallback(this.tokenCallback);

src/main/java/com/contentstack/cms/core/Util.java

@@ -61,7 +61,7 @@ public class Util {
     public static final String OAUTH_NO_TOKENS = "No OAuth tokens available. Please authenticate first.";
     public static final String OAUTH_NO_REFRESH_TOKEN = "No refresh token available";
     public static final String OAUTH_EMPTY_CODE = "Authorization code cannot be null or empty";
-    public static final String OAUTH_CONFIG_MISSING = "OAuth is not configured. Use Builder.setOAuth() or Builder.setOAuthWithPKCE()";
+    public static final String OAUTH_CONFIG_MISSING = "OAuth is not configured. Use Builder.setOAuth() with or without clientSecret for PKCE flow";
     public static final String OAUTH_REFRESH_FAILED = "Failed to refresh access token";
     public static final String OAUTH_REVOKE_FAILED = "Failed to revoke authorization";
     public static final String OAUTH_STATUS_FAILED = "Failed to get authorization status";

src/test/java/com/contentstack/cms/oauth/OAuthTest.java

@@ -80,11 +80,11 @@ public void setup() {
 
         // Create Contentstack clients
         pkceClient = new Contentstack.Builder()
-                .setOAuthWithPKCE(TEST_APP_ID, TEST_CLIENT_ID, TEST_REDIRECT_URI)
+                .setOAuth(TEST_APP_ID, TEST_CLIENT_ID, TEST_REDIRECT_URI)
                 .build();
 
         clientSecretClient = new Contentstack.Builder()
-                .setOAuth(TEST_APP_ID, TEST_CLIENT_ID, TEST_CLIENT_SECRET, TEST_REDIRECT_URI)
+                .setOAuth(TEST_APP_ID, TEST_CLIENT_ID, TEST_REDIRECT_URI, Util.HOST, TEST_CLIENT_SECRET)
                 .build();
     }
 
@@ -113,7 +113,7 @@ public void testInvalidConfigurations() {
         // Test invalid app ID
         try {
             new Contentstack.Builder()
-                    .setOAuthWithPKCE("", TEST_CLIENT_ID, TEST_REDIRECT_URI)
+                    .setOAuth("", TEST_CLIENT_ID, TEST_REDIRECT_URI)
                     .build();
             fail("Should throw exception for empty app ID");
         } catch (IllegalArgumentException e) {
@@ -282,7 +282,7 @@ public void testHostStorage() {
 
         // Test host storage via Contentstack.Builder
         Contentstack client = new Contentstack.Builder()
-                .setOAuth(TEST_APP_ID, TEST_CLIENT_ID, TEST_CLIENT_SECRET, TEST_REDIRECT_URI, testHost)
+                .setOAuth(TEST_APP_ID, TEST_CLIENT_ID, TEST_REDIRECT_URI, testHost, TEST_CLIENT_SECRET)
                 .build();
 
         String authUrl = client.getOAuthAuthorizationUrl();
@@ -291,7 +291,7 @@ public void testHostStorage() {
 
         // Test host storage via PKCE builder
         client = new Contentstack.Builder()
-                .setOAuthWithPKCE(TEST_APP_ID, TEST_CLIENT_ID, TEST_REDIRECT_URI, testHost)
+                .setOAuth(TEST_APP_ID, TEST_CLIENT_ID, TEST_REDIRECT_URI, testHost)
                 .build();
 
         authUrl = client.getOAuthAuthorizationUrl();