Description
The scope parameter is only valid for the client_credentials grant flow, not for the authorization_code grant flow, but it is currently passed for /oauth/token requests as well: https://github.com/mastodon/mastodon-android/blob/master/mastodon/src/main/java/org/joinmastodon/android/api/requests/oauth/GetOauthToken.java
In https://github.com/mastodon/mastodon-android/blob/master/mastodon/src/main/java/org/joinmastodon/android/fragments/onboarding/SignupFragment.java#L454 — the redirect_uri is still set, which isn't correct for a client_credentials grant flow.
You probably want two different GetOAuthToken classes: one that's like GetAccessToken (for the authorization code grant flow) and one, GetClientCredentialsToken, for the client_credentials grant flow.
In AccountSessionManager, it is creating an OAuth app, but not reusing the redirect URI constant: https://github.com/mastodon/mastodon-android/blob/master/mastodon/src/main/java/org/joinmastodon/android/api/session/AccountSessionManager.java#L244 — which is defined here: https://github.com/mastodon/mastodon-android/blob/master/mastodon/src/main/java/org/joinmastodon/android/api/session/AccountSessionManager.java#L85
This could cause unexpected issues.
Additionally, before doing the OAuth flows, I highly encourage using the Authorization Server Metadata API to discover the endpoints and other settings for OAuth for that server — this'll allow you to support things like upgrading to PKCE to protect the authorization code and using future features such as refresh tokens when they come out.
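The distinction the report draws between the two token requests, plus the metadata discovery and PKCE it recommends, as an added example that is not part of the issue or of the mastodon-android code base. It is written in Python rather than the app's Java so the protocol logic can be run and checked directly: one builder enforces which token-endpoint parameters each grant accepts (RFC 6749 §4.1.3 and §4.4.2, RFC 7636 for code_verifier), a small parser reads an RFC 8414 metadata document, and a PKCE helper derives the S256 challenge. The server name mastodon.example, the client credentials and the metadata document are constructed placeholders, not values from the project.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Token-endpoint parameters each grant type accepts, per RFC 6749
# (4.1.3 for authorization_code, 4.4.2 for client_credentials) and
# RFC 7636 (code_verifier). Anything outside the set is rejected so a
# shared request class cannot silently send scope or redirect_uri to
# the wrong grant.
TOKEN_PARAMS = {
    "authorization_code": {"code", "redirect_uri", "code_verifier"},
    "client_credentials": {"scope"},
}


def build_token_request(grant_type, client_id, client_secret, **params):
    """Return the form fields for a POST to the token endpoint, or raise
    ValueError if a parameter does not belong to the requested grant."""
    allowed = TOKEN_PARAMS.get(grant_type)
    if allowed is None:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    params = {k: v for k, v in params.items() if v is not None}
    extra = set(params) - allowed
    if extra:
        raise ValueError(f"{sorted(extra)} not valid for {grant_type} grant")
    if grant_type == "authorization_code" and "code" not in params:
        raise ValueError("authorization_code grant requires 'code'")
    body = {"grant_type": grant_type, "client_id": client_id,
            "client_secret": client_secret}
    body.update(params)
    return body


def new_code_verifier():
    # 32 random bytes encode to 43 URL-safe characters, the RFC 7636 minimum.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier):
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def discover(metadata_json):
    """Parse an RFC 8414 metadata document (normally fetched from
    https://<server>/.well-known/oauth-authorization-server) and report the
    endpoints and the optional features the server advertises."""
    md = json.loads(metadata_json)
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if key not in md:
            raise ValueError(f"metadata is missing required field {key!r}")
    return {
        "authorization_endpoint": md["authorization_endpoint"],
        "token_endpoint": md["token_endpoint"],
        "pkce_s256": "S256" in md.get("code_challenge_methods_supported", []),
        "refresh_tokens": "refresh_token" in md.get("grant_types_supported", []),
    }


def build_authorization_url(meta, client_id, redirect_uri, scope, code_verifier):
    """Authorization-endpoint URL; scope belongs here, not in the later
    authorization_code token request. PKCE is attached only if advertised."""
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "scope": scope}
    if meta["pkce_s256"]:
        query["code_challenge"] = pkce_challenge(code_verifier)
        query["code_challenge_method"] = "S256"
    return meta["authorization_endpoint"] + "?" + urlencode(query)


# Constructed sample metadata document (placeholder server, not a real one).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://mastodon.example/",
    "authorization_endpoint": "https://mastodon.example/oauth/authorize",
    "token_endpoint": "https://mastodon.example/oauth/token",
    "grant_types_supported": ["authorization_code", "client_credentials"],
    "code_challenge_methods_supported": ["S256"],
})

if __name__ == "__main__":
    meta = discover(SAMPLE_METADATA)
    verifier = new_code_verifier()
    print(build_authorization_url(meta, "CLIENT_ID", "app://callback",
                                  "read write", verifier))
    # Token request for the app-level (client_credentials) token: scope only.
    print(build_token_request("client_credentials", "CLIENT_ID", "SECRET",
                              scope="read"))
    # Token request after the user authorized: code + redirect_uri + verifier.
    print(build_token_request("authorization_code", "CLIENT_ID", "SECRET",
                              code="AUTH_CODE", redirect_uri="app://callback",
                              code_verifier=verifier))
```

Passing redirect_uri to the client_credentials builder, or scope to the authorization_code builder, raises ValueError at the call site, which is the separation the report asks for between GetAccessToken-style and GetClientCredentialsToken-style requests.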