Ticket #20768: 20768.patch

new file src/org/openstreetmap/josm/data/oauth/IOAuthAuthorization.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.data.oauth;
+
+import java.util.function.Consumer;
+
+/**
+ * Interface for OAuth authorization classes
+ * @author Taylor Smock
+ * @since xxx
+ */
+public interface IOAuthAuthorization {
+    /**
+     * Perform the authorization dance
+     * @param parameters The OAuth parameters
+     * @param consumer The callback for the generated token
+     * @param scopes The scopes to ask for
+     */
+    void authorize(IOAuthParameters parameters, Consumer<IOAuthToken> consumer, Enum<?>... scopes);
+}

new file src/org/openstreetmap/josm/data/oauth/IOAuthParameters.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.data.oauth;
+
+import java.util.stream.Stream;
+
+/**
+ * A generic interface for OAuth Parameters
+ * @author Taylor Smock
+ * @since xxx
+ */
+public interface IOAuthParameters {
+    /**
+     * Get the access token URL
+     * @return The URL to use to switch the code to a token
+     */
+    String getAccessTokenUrl();
+
+    /**
+     * Get the base authorization URL to open in a browser
+     * @return The base URL to send to the browser
+     */
+    String getAuthorizationUrl();
+
+    /**
+     * Get the authorization URL to open in a browser
+     * @param state The state to prevent attackers from providing their own token
+     * @param scopes The scopes to request
+     * @return The URL to send to the browser
+     */
+    default String getAuthorizationUrl(String state, Enum<?>... scopes) {
+        return this.getAuthorizationUrl(state, Stream.of(scopes).map(Enum::toString).toArray(String[]::new));
+    }
+
+    /**
+     * Get the authorization URL to open in a browser
+     * @param state The state to prevent attackers from providing their own token
+     * @param scopes The scopes to request
+     * @return The URL to send to the browser
+     */
+    default String getAuthorizationUrl(String state, String... scopes) {
+        // response_type = code | token, but token is deprecated in the draft oauth 2.1 spec
+        // 2.1 is adding code_challenge, code_challenge_method
+        // code_challenge requires a code_verifier
+        return this.getAuthorizationUrl() + "?response_type=code&client_id=" + this.getClientId()
+                + "&redirect_uri=" + this.getRedirectUri()
+                + "&scope=" + String.join(" ", scopes)
+                // State is used to detect/prevent cross-site request forgery
+                + "&state=" + state;
+    }
+
+    /**
+     * Get the OAuth version that the API expects
+     * @return The oauth version
+     */
+    OAuthVersion getOAuthVersion();
+
+    /**
+     * Get the client id
+     * @return The client id
+     */
+    String getClientId();
+
+    /**
+     * Get the client secret
+     * @return The client secret
+     */
+    String getClientSecret();
+
+    /**
+     * Get the redirect URI
+     * @return The redirect URI
+     */
+    default String getRedirectUri() {
+        return null;
+    }
+
+    /**
+     * Convert to a preference string
+     * @return the preference string
+     */
+    default String toPreferencesString() {
+        return null;
+    }
+
+    /**
+     * Get the actual API URL
+     * @return The API URl
+     */
+    default String getApiUrl() {
+        return null;
+    }
+
+    void rememberPreferences();
+}

new file src/org/openstreetmap/josm/data/oauth/IOAuthToken.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.data.oauth;
+
+import org.openstreetmap.josm.tools.HttpClient;
+
+/**
+ * An interface for oauth tokens
+ * @author Taylor Smock
+ * @since xxx
+ */
+public interface IOAuthToken {
+    /**
+     * Sign a client
+     * @param client The client to sign
+     */
+    void sign(HttpClient client) throws OAuthException;
+
+    /**
+     * Get the preferences string of this auth token.
+     * This should match the expected return body from the authentication server.
+     * For OAuth, this is typically JSON.
+     * @return The preferences string
+     */
+    String toPreferencesString();
+
+    /**
+     * Get the auth type of this token
+     * @return The auth type
+     */
+    OAuthVersion getOAuthType();
+
+    /**
+     * Get the OAuth parameters
+     * @return The OAuth parameters
+     */
+    IOAuthParameters getParameters();
+}

new file src/org/openstreetmap/josm/data/oauth/OAuth20Authorization.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.data.oauth;
+
+import static org.openstreetmap.josm.tools.I18n.tr;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+import java.util.Map;
+import java.util.Objects;
+import java.util.UUID;
+import java.util.function.Consumer;
+
+import org.openstreetmap.josm.io.remotecontrol.handler.AuthorizationHandler;
+import org.openstreetmap.josm.io.remotecontrol.handler.RequestHandler;
+import org.openstreetmap.josm.tools.HttpClient;
+import org.openstreetmap.josm.tools.JosmRuntimeException;
+import org.openstreetmap.josm.tools.OpenBrowser;
+
+/**
+ * Authorize the application
+ * @since xxx
+ */
+public class OAuth20Authorization implements IOAuthAuthorization {
+    /**
+     * See <a href="https://www.rfc-editor.org/rfc/rfc7636">RFC7636</a>: PKCE
+     * @param cryptographicallyRandomString A cryptographically secure string
+     * @return The S256 bytes
+     */
+    private static String getPKCES256CodeChallenge(String cryptographicallyRandomString) {
+        // S256: code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
+        try {
+            byte[] encodedBytes = cryptographicallyRandomString.getBytes(StandardCharsets.US_ASCII);
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            return new String(Base64.getUrlEncoder().encode(digest.digest(encodedBytes)), StandardCharsets.US_ASCII)
+                    .replace("=", "").replace("+", "-").replace("/", "_");
+        } catch (NoSuchAlgorithmException e) {
+            throw new JosmRuntimeException(e);
+        }
+    }
+
+    @Override
+    public void authorize(IOAuthParameters parameters, Consumer<IOAuthToken> consumer, Enum<?>... scopes) {
+        final String state = UUID.randomUUID().toString();
+        final String codeVerifier = UUID.randomUUID().toString(); // Cryptographically random string (ASCII)
+        final String s256CodeChallenge = getPKCES256CodeChallenge(codeVerifier);
+
+        // Enable authorization remote control
+        new AuthorizationHandler().getPermissionPreference().put(true);
+        String url = parameters.getAuthorizationUrl(state, scopes)
+                + "&code_challenge_method=S256&code_challenge=" + s256CodeChallenge;
+        AuthorizationHandler.addAuthorizationConsumer(state, new OAuth20AuthorizationHandler(state, codeVerifier, parameters, consumer));
+        OpenBrowser.displayUrl(url);
+    }
+
+    private static class OAuth20AuthorizationHandler implements AuthorizationHandler.AuthorizationConsumer {
+
+        private final String state;
+        private final IOAuthParameters parameters;
+        private final Consumer<IOAuthToken> consumer;
+        private final String codeVerifier;
+
+        OAuth20AuthorizationHandler(String state, String codeVerifier, IOAuthParameters parameters, Consumer<IOAuthToken> consumer) {
+            this.state = state;
+            this.parameters = parameters;
+            this.consumer = consumer;
+            this.codeVerifier = codeVerifier;
+        }
+
+        @Override
+        public void validateRequest(String sender, String request, Map<String, String> args)
+                throws RequestHandler.RequestHandlerBadRequestException {
+            String argState = args.get("state");
+            if (!Objects.equals(this.state, argState)) {
+                throw new RequestHandler.RequestHandlerBadRequestException(
+                        tr("Mismatched state: Expected {0} but got {1}", this.state, argState));
+            }
+        }
+
+        @Override
+        public AuthorizationHandler.ResponseRecord handleRequest(String sender, String request, Map<String, String> args)
+                throws RequestHandler.RequestHandlerErrorException, RequestHandler.RequestHandlerBadRequestException {
+            String code = args.get("code");
+            try {
+                HttpClient tradeCodeForToken = HttpClient.create(new URL(parameters.getAccessTokenUrl()), "POST");
+                tradeCodeForToken.setRequestBody(("grant_type=authorization_code&client_id=" + parameters.getClientId()
+                        + "&redirect_uri=" + parameters.getRedirectUri()
+                        + "&code=" + code
+                        + (this.codeVerifier != null ? "&code_verifier=" + this.codeVerifier : "")
+                ).getBytes(StandardCharsets.UTF_8));
+                try {
+                    tradeCodeForToken.connect();
+                    HttpClient.Response response = tradeCodeForToken.getResponse();
+                    OAuth20Token oAuth20Token = new OAuth20Token(parameters, response.getContentReader());
+                    consumer.accept(oAuth20Token);
+                } catch (IOException | OAuth20Exception e) {
+                    consumer.accept(null);
+                    throw new JosmRuntimeException(e);
+                } finally {
+                    tradeCodeForToken.disconnect();
+                }
+            } catch (MalformedURLException e) {
+                throw new JosmRuntimeException(e);
+            }
+            return null;
+        }
+    }
+}

new file src/org/openstreetmap/josm/data/oauth/OAuth20Exception.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.data.oauth;
+
+import javax.json.JsonObject;
+
+/**
+ * A generic OAuth 2.0 exception
+ * @since xxx
+ */
+public final class OAuth20Exception extends OAuthException {
+    private static final long serialVersionUID = -203910656089454886L;
+
+    /**
+     * Invalid request types
+     */
+    public enum Type {
+        invalid_request,
+        invalid_client,
+        invalid_grant,
+        unauthorized_client,
+        unsupported_grant_type,
+        invalid_scope,
+        unknown
+    }
+
+    private final Type type;
+
+    /**
+     * Create a new exception with a specified cause
+     * @param cause The cause leading to this exception
+     */
+    public OAuth20Exception(Exception cause) {
+        super(cause);
+        this.type = Type.unknown;
+    }
+
+    /**
+     * Create a new exception with a given message
+     * @param message The message to use
+     */
+    public OAuth20Exception(String message) {
+        super(message);
+        this.type = Type.unknown;
+    }
+
+    /**
+     * Create an exception from a server message
+     * @param serverMessage The server message. Should conform to
+     *                      <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2">RFC 6747 Section 4.2.2</a>, but in JSON
+     *                      format.
+     */
+    OAuth20Exception(JsonObject serverMessage) {
+        super(serverMessage != null
+                ? serverMessage.getString("error_description", serverMessage.getString("error", "Unknown error"))
+                : "Unknown error");
+        if (serverMessage != null && serverMessage.containsKey("error")) {
+            switch(serverMessage.getString("error")) {
+                case "invalid_request":
+                case "invalid_client":
+                case "invalid_grant":
+                case "unauthorized_client":
+                case "unsupported_grant_type":
+                case "invalid_scope":
+                    this.type = Type.valueOf(serverMessage.getString("error"));
+                    break;
+                default:
+                    this.type = Type.unknown;
+            }
+        } else {
+            this.type = Type.unknown;
+        }
+    }
+
+    @Override
+    OAuthVersion[] getOAuthVersions() {
+        return new OAuthVersion[] {OAuthVersion.OAuth20};
+    }
+
+    @Override
+    public String getMessage() {
+        String message = super.getMessage();
+        if (message == null) {
+            return "OAuth error " + this.type;
+        }
+        return "OAuth error " + this.type + ": " + message;
+    }
+}

new file src/org/openstreetmap/josm/data/oauth/OAuth20Parameters.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.data.oauth;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Objects;
+
+import javax.json.Json;
+import javax.json.JsonObject;
+import javax.json.JsonObjectBuilder;
+import javax.json.JsonReader;
+import javax.json.JsonStructure;
+import javax.json.JsonValue;
+
+import org.openstreetmap.josm.spi.preferences.Config;
+
+/**
+ * Parameters for OAuth 2.0
+ * @author Taylor Smock
+ * @since xxx
+ */
+public final class OAuth20Parameters implements IOAuthParameters {
+    private static final String REDIRECT_URI = "redirect_uri";
+    private static final String CLIENT_ID = "client_id";
+    private static final String CLIENT_SECRET = "client_secret";
+    private static final String TOKEN_URL = "token_url";
+    private static final String AUTHORIZE_URL = "authorize_url";
+    private static final String API_URL = "api_url";
+    private final String redirectUri;
+    private final String clientSecret;
+    private final String clientId;
+    private final String tokenUrl;
+    private final String authorizeUrl;
+    private final String apiUrl;
+
+    /**
+     * Recreate a parameter object from a JSON string
+     * @param jsonString The JSON string with the required data
+     */
+    public OAuth20Parameters(String jsonString) {
+        try (ByteArrayInputStream bais = new ByteArrayInputStream(jsonString.getBytes(StandardCharsets.UTF_8));
+             JsonReader reader = Json.createReader(bais)) {
+            JsonStructure structure = reader.read();
+            if (structure.getValueType() != JsonValue.ValueType.OBJECT) {
+                throw new IllegalArgumentException("Invalid JSON object: " + jsonString);
+            }
+            JsonObject jsonObject = structure.asJsonObject();
+            this.redirectUri = jsonObject.getString(REDIRECT_URI);
+            this.clientId = jsonObject.getString(CLIENT_ID);
+            this.clientSecret = jsonObject.getString(CLIENT_SECRET, null);
+            this.tokenUrl = jsonObject.getString(TOKEN_URL);
+            this.authorizeUrl = jsonObject.getString(AUTHORIZE_URL);
+            this.apiUrl = jsonObject.getString(API_URL);
+        } catch (IOException e) {
+            // This should literally never happen -- ByteArrayInputStream does not do *anything* in the close method.
+            throw new UncheckedIOException(e);
+        }
+    }
+
+    /**
+     * Create a new OAuth parameter object
+     * @param clientId The client id. May not be {@code null}.
+     * @param clientSecret The client secret. May be {@code null}. Not currently used.
+     * @param baseUrl The base url. This assumes that the endpoints are {@code /token} and {@code /authorize}.
+     * @param apiUrl The API url
+     * @param redirectUri The redirect URI for the client.
+     */
+    public OAuth20Parameters(String clientId, String clientSecret, String baseUrl, String apiUrl, String redirectUri) {
+        this(clientId, clientSecret, baseUrl + "/token", baseUrl + "/authorize", apiUrl, redirectUri);
+    }
+
+    /**
+     * Create a new OAuth parameter object
+     * @param clientId The client id.
+     * @param clientSecret The client secret. May be {@code null}. Not currently used.
+     * @param tokenUrl The token request URL (RFC6749 4.4.2)
+     * @param authorizeUrl The authorization request URL (RFC6749 4.1.1)
+     * @param apiUrl The API url
+     * @param redirectUri The redirect URI for the client.
+     */
+    public OAuth20Parameters(String clientId, String clientSecret, String tokenUrl, String authorizeUrl, String apiUrl, String redirectUri) {
+        Objects.requireNonNull(authorizeUrl, "authorizeUrl");
+        Objects.requireNonNull(clientId, "clientId");
+        Objects.requireNonNull(redirectUri, "redirectUri");
+        Objects.requireNonNull(tokenUrl, "tokenUrl");
+        Objects.requireNonNull(apiUrl, "apiUrl");
+        // Alternatively, we could try using rfc8414 ( /.well-known/oauth-authorization-server ), but OSM (doorkeeper) doesn't support it.
+        this.redirectUri = redirectUri;
+        this.clientId = clientId;
+        this.clientSecret = clientSecret;
+        this.tokenUrl = tokenUrl;
+        this.authorizeUrl = authorizeUrl;
+        this.apiUrl = apiUrl;
+    }
+
+    @Override
+    public String getAccessTokenUrl() {
+        return this.tokenUrl;
+    }
+
+    @Override
+    public String getAuthorizationUrl() {
+        return this.authorizeUrl;
+    }
+
+    @Override
+    public OAuthVersion getOAuthVersion() {
+        return OAuthVersion.OAuth20;
+    }
+
+    @Override
+    public String getClientId() {
+        return this.clientId;
+    }
+
+    @Override
+    public String getClientSecret() {
+        return this.clientSecret;
+    }
+
+    @Override
+    public String getRedirectUri() {
+        return this.redirectUri;
+    }
+
+    @Override
+    public String getApiUrl() {
+        return this.apiUrl;
+    }
+
+    @Override
+    public void rememberPreferences() {
+        Config.getPref().put("oauth.access-token.parameters." + OAuthVersion.OAuth20 + "." + this.apiUrl,
+                this.toPreferencesString());
+    }
+
+    @Override
+    public String toPreferencesString() {
+        JsonObjectBuilder builder = Json.createObjectBuilder();
+        builder.add(CLIENT_ID, this.clientId);
+        builder.add(REDIRECT_URI, this.redirectUri);
+        if (this.apiUrl != null) builder.add(API_URL, this.apiUrl);
+        if (this.authorizeUrl != null) builder.add(AUTHORIZE_URL, this.authorizeUrl);
+        if (this.clientSecret != null) builder.add(CLIENT_SECRET, this.clientSecret);
+        if (this.tokenUrl != null) builder.add(TOKEN_URL, this.tokenUrl);
+        return builder.build().toString();
+    }
+}

new file src/org/openstreetmap/josm/data/oauth/OAuth20Token.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.data.oauth;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.net.URI;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.time.Instant;
+
+import javax.json.Json;
+import javax.json.JsonObject;
+import javax.json.JsonObjectBuilder;
+import javax.json.JsonReader;
+import javax.json.JsonStructure;
+import javax.json.JsonValue;
+
+import org.openstreetmap.josm.tools.HttpClient;
+import org.openstreetmap.josm.tools.JosmRuntimeException;
+
+/**
+ * Token holder for OAuth 2.0
+ * @author Taylor Smock
+ * @since xxx
+ */
+public final class OAuth20Token implements IOAuthToken {
+    private static final String ACCESS_TOKEN = "access_token";
+    private static final String CREATED_AT = "created_at";
+    private static final String EXPIRES_IN = "expires_in";
+    private static final String REFRESH_TOKEN = "refresh_token";
+    private static final String SCOPE = "scope";
+    private static final String TOKEN_TYPE = "token_type";
+    private final String accessToken;
+    private final String tokenType;
+    private final int expiresIn;
+    private final String refreshToken;
+    private final String[] scopes;
+    private final Instant createdAt;
+    private final IOAuthParameters oauthParameters;
+
+    /**
+     * Create a new OAuth token
+     * @param oauthParameters The parameters for the OAuth token
+     * @param json The stored JSON for the token
+     * @throws OAuth20Exception If the JSON creates an invalid token
+     */
+    public OAuth20Token(IOAuthParameters oauthParameters, String json) throws OAuth20Exception {
+        this(oauthParameters, new InputStreamReader(new ByteArrayInputStream(json.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8));
+    }
+
+    OAuth20Token(IOAuthParameters oauthParameters, Reader bufferedReader) throws OAuth20Exception {
+        this.oauthParameters = oauthParameters;
+        try (JsonReader reader = Json.createReader(bufferedReader)) {
+            JsonStructure structure = reader.read();
+            if (structure.getValueType() != JsonValue.ValueType.OBJECT
+            || !structure.asJsonObject().containsKey(ACCESS_TOKEN)
+            || !structure.asJsonObject().containsKey(TOKEN_TYPE)) {
+                if (structure.getValueType() == JsonValue.ValueType.OBJECT
+                && structure.asJsonObject().containsKey("error")) {
+                    throw new OAuth20Exception(structure.asJsonObject());
+                } else {
+                    throw new OAuth20Exception("Either " + ACCESS_TOKEN + " or " + TOKEN_TYPE + " is not present: " + structure);
+                }
+            }
+            JsonObject object = structure.asJsonObject();
+            this.accessToken = object.getString(ACCESS_TOKEN);
+            this.tokenType = object.getString(TOKEN_TYPE);
+            this.expiresIn = object.getInt(EXPIRES_IN, Integer.MAX_VALUE);
+            this.refreshToken = object.getString(REFRESH_TOKEN, null);
+            this.scopes = object.getString(SCOPE, "").split(" ");
+            if (object.containsKey(CREATED_AT)) {
+                this.createdAt = Instant.ofEpochSecond(object.getJsonNumber(CREATED_AT).longValue());
+            } else {
+                this.createdAt = Instant.now();
+            }
+        }
+    }
+
+    @Override
+    public void sign(HttpClient client) throws OAuthException {
+        if (!this.oauthParameters.getApiUrl().contains(client.getURL().getHost())) {
+            String host = URI.create(this.oauthParameters.getAccessTokenUrl()).getHost();
+            throw new IllegalArgumentException("Cannot sign URL with token for different host: Expected " + host
+                + " but got " + client.getURL().getHost());
+        }
+        if (this.getBearerToken() != null) {
+            client.setHeader("Authorization", "Bearer " + this.getBearerToken());
+            return;
+        }
+        throw new OAuth20Exception("Unknown token type: " + this.tokenType);
+    }
+
+    /**
+     * Get the OAuth 2.0 bearer token
+     * @return The bearer token. May return {@code null} if the token type is not a bearer type.
+     */
+    public String getBearerToken() {
+        if ("bearer".equalsIgnoreCase(this.tokenType)) {
+            return this.accessToken;
+        }
+        return null;
+    }
+
+    @Override
+    public String toPreferencesString() {
+        final OAuth20Token tokenToSave;
+        if (shouldRefresh()) {
+            tokenToSave = refresh();
+        } else {
+            tokenToSave = this;
+        }
+        JsonObjectBuilder jsonObjectBuilder = Json.createObjectBuilder();
+        jsonObjectBuilder.add(ACCESS_TOKEN, tokenToSave.accessToken);
+        jsonObjectBuilder.add(TOKEN_TYPE, tokenToSave.tokenType);
+        if (tokenToSave.createdAt != null) {
+            jsonObjectBuilder.add(CREATED_AT, tokenToSave.createdAt.getEpochSecond());
+        }
+        if (tokenToSave.expiresIn != Integer.MAX_VALUE) {
+            jsonObjectBuilder.add(EXPIRES_IN, tokenToSave.expiresIn);
+        }
+        if (tokenToSave.refreshToken != null) {
+            jsonObjectBuilder.add(REFRESH_TOKEN, tokenToSave.refreshToken);
+        }
+        if (tokenToSave.scopes.length > 0) {
+            jsonObjectBuilder.add(SCOPE, String.join(" ", tokenToSave.scopes));
+        }
+        return jsonObjectBuilder.build().toString();
+    }
+
+    @Override
+    public OAuthVersion getOAuthType() {
+        return OAuthVersion.OAuth20;
+    }
+
+    @Override
+    public IOAuthParameters getParameters() {
+        return this.oauthParameters;
+    }
+
+    /**
+     * Check if the token should be refreshed
+     * @return {@code true} if the token should be refreshed
+     */
+    boolean shouldRefresh() {
+        return this.refreshToken != null && this.expiresIn != Integer.MAX_VALUE
+                // We should refresh the token when 10% of its lifespan has been spent.
+                // We aren't an application that will be used every day by every user.
+                && this.createdAt.getEpochSecond() + this.expiresIn < Instant.now().getEpochSecond() - this.expiresIn * 9L / 10;
+    }
+
+    /**
+     * Refresh the OAuth 2.0 token
+     * @return The new token to use
+     */
+    OAuth20Token refresh() {
+        // This bit isn't necessarily OAuth 2.1 compliant. Spec isn't finished yet, but
+        // refresh tokens will either be sender constrained or some kind of rotation or both.
+        // This refresh code handles rotation, mostly by creating a new OAuth20Token. :)
+        // For sender constrained, it will likely allow self-signed certificates (RFC8705).
+        // Note: OSM doesn't have age limits on their tokens, at time of writing.
+        String refresh = "grant_type=refresh_token&refresh_token=" + this.refreshToken;
+        if (this.scopes.length > 0) {
+            refresh += "&scope=" + String.join(" ", this.scopes);
+        }
+        HttpClient client = null;
+        try {
+            client = HttpClient.create(new URL(this.oauthParameters.getAccessTokenUrl()), "POST");
+            client.setRequestBody(refresh.getBytes(StandardCharsets.UTF_8));
+            client.connect();
+            HttpClient.Response response = client.getResponse();
+            return new OAuth20Token(this.oauthParameters, response.getContentReader());
+        } catch (IOException | OAuth20Exception e) {
+            throw new JosmRuntimeException(e);
+        } finally {
+            if (client != null) {
+                client.disconnect();
+            }
+        }
+    }
+}

src/org/openstreetmap/josm/data/oauth/OAuthAccessTokenHolder.java

@@ -3 +3 @@
 
 import static org.openstreetmap.josm.tools.I18n.tr;
 
+import java.net.URI;
+import java.util.EnumMap;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+
 import org.openstreetmap.josm.io.auth.CredentialsAgent;
 import org.openstreetmap.josm.io.auth.CredentialsAgentException;
+import org.openstreetmap.josm.io.auth.CredentialsManager;
 import org.openstreetmap.josm.spi.preferences.Config;
 import org.openstreetmap.josm.tools.CheckParameterUtil;
 import org.openstreetmap.josm.tools.Logging;
@@ -31 +39 @@
     private String accessTokenKey;
     private String accessTokenSecret;
 
+    private final Map<String, Map<OAuthVersion, IOAuthToken>> tokenMap = new HashMap<>();
+
     /**
      * Replies true if current access token should be saved to the preferences file.
      *
@@ -102 +112 @@
         return new OAuthToken(accessTokenKey, accessTokenSecret);
     }
 
+    /**
+     * Replies the access token.
+     * @param api The api the token is for
+     * @param version The OAuth version the token is for
+     * @return the access token, can be {@code null}
+     * @since xxx
+     */
+    public IOAuthToken getAccessToken(String api, OAuthVersion version) {
+        api = URI.create(api).getHost();
+        if (this.tokenMap.containsKey(api)) {
+            Map<OAuthVersion, IOAuthToken> map = this.tokenMap.get(api);
+            return map.get(version);
+        }
+        try {
+            IOAuthToken token = CredentialsManager.getInstance().lookupOAuthAccessToken(api);
+            // We *do* want to set the API token to null, if it doesn't exist. Just to avoid unnecessary lookups.
+            this.setAccessToken(api, token);
+            return token;
+        } catch (CredentialsAgentException exception) {
+            Logging.trace(exception);
+        }
+        return null;
+    }
+
     /**
      * Sets the access token hold by this holder.
      *
@@ -128 +162 @@
         }
     }
 
+    /**
+     * Sets the access token hold by this holder.
+     *
+     * @param api The api the token is for
+     * @param token the access token. Can be null to clear the content in this holder.
+     * @since xxx
+     */
+    public void setAccessToken(String api, IOAuthToken token) {
+        Objects.requireNonNull(api, "api url");
+        // Sometimes the api might be sent as the host
+        api = Optional.ofNullable(URI.create(api).getHost()).orElse(api);
+        if (token == null) {
+            if (this.tokenMap.containsKey(api)) {
+                this.tokenMap.get(api).clear();
+            }
+        } else {
+            this.tokenMap.computeIfAbsent(api, key -> new EnumMap<>(OAuthVersion.class)).put(token.getOAuthType(), token);
+        }
+    }
+
     /**
      * Replies true if this holder contains an complete access token, consisting of an
      * Access Token Key and an Access Token Secret.
@@ -175 +229 @@
         try {
             if (!saveToPreferences) {
                 cm.storeOAuthAccessToken(null);
+                for (String host : this.tokenMap.keySet()) {
+                    cm.storeOAuthAccessToken(host, null);
+                }
             } else {
-                cm.storeOAuthAccessToken(new OAuthToken(accessTokenKey, accessTokenSecret));
+                if (this.accessTokenKey != null && this.accessTokenSecret != null) {
+                    cm.storeOAuthAccessToken(new OAuthToken(accessTokenKey, accessTokenSecret));
+                }
+                for (Map.Entry<String, Map<OAuthVersion, IOAuthToken>> entry : this.tokenMap.entrySet()) {
+                    if (entry.getValue().isEmpty()) {
+                        cm.storeOAuthAccessToken(entry.getKey(), null);
+                        continue;
+                    }
+                    for (OAuthVersion version : OAuthVersion.values()) {
+                        if (entry.getValue().containsKey(version)) {
+                            cm.storeOAuthAccessToken(entry.getKey(), entry.getValue().get(version));
+                        }
+                    }
+                }
             }
         } catch (CredentialsAgentException e) {
             Logging.error(e);

new file src/org/openstreetmap/josm/data/oauth/OAuthException.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.data.oauth;
+
+/**
+ * Base OAuth exception
+ * @author Taylor Smock
+ * @since xxx
+ */
+public abstract class OAuthException extends Exception {
+    OAuthException(Exception cause) {
+        super(cause);
+    }
+
+    OAuthException(String message) {
+        super(message);
+    }
+
+    abstract OAuthVersion[] getOAuthVersions();
+}

src/org/openstreetmap/josm/data/oauth/OAuthParameters.java

@@ -1 +1 @@
 // License: GPL. For details, see LICENSE file.
 package org.openstreetmap.josm.data.oauth;
 
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.net.URL;
 import java.util.Objects;
 
+import javax.json.Json;
+import javax.json.JsonObject;
+import javax.json.JsonReader;
+import javax.json.JsonStructure;
+import javax.json.JsonValue;
+
+import org.openstreetmap.josm.io.OsmApi;
+import org.openstreetmap.josm.io.auth.CredentialsAgentException;
+import org.openstreetmap.josm.io.auth.CredentialsManager;
 import org.openstreetmap.josm.spi.preferences.Config;
 import org.openstreetmap.josm.spi.preferences.IUrls;
 import org.openstreetmap.josm.tools.CheckParameterUtil;
+import org.openstreetmap.josm.tools.HttpClient;
+import org.openstreetmap.josm.tools.Logging;
 import org.openstreetmap.josm.tools.Utils;
 
 import oauth.signpost.OAuthConsumer;
@@ -15 +29 @@
  * This class manages an immutable set of OAuth parameters.
  * @since 2747
  */
-public class OAuthParameters {
+public class OAuthParameters implements IOAuthParameters {
 
     /**
      * The default JOSM OAuth consumer key (created by user josmeditor).
@@ -46 +60 @@
      * @since 5422
      */
     public static OAuthParameters createDefault(String apiUrl) {
+        return (OAuthParameters) createDefault(apiUrl, OAuthVersion.OAuth10a);
+    }
+
+    /**
+     * Replies a set of default parameters for a consumer accessing an OSM server
+     * at the given API url. URL parameters are only set if the URL equals {@link IUrls#getDefaultOsmApiUrl}
+     * or references the domain "dev.openstreetmap.org", otherwise they may be <code>null</code>.
+     *
+     * @param apiUrl The API URL for which the OAuth default parameters are created. If null or empty, the default OSM API url is used.
+     * @param oAuthVersion The OAuth version to create default parameters for
+     * @return a set of default parameters for the given {@code apiUrl}
+     * @since xxx
+     */
+    public static IOAuthParameters createDefault(String apiUrl, OAuthVersion oAuthVersion) {
+        if (!Utils.isValidUrl(apiUrl)) {
+            apiUrl = null;
+        }
+
+        switch (oAuthVersion) {
+            case OAuth10a:
+                return getDefaultOAuth10Parameters(apiUrl);
+            case OAuth20:
+            case OAuth21: // For now, OAuth 2.1 (draft) is just OAuth 2.0 with mandatory extensions, which we implement.
+                return getDefaultOAuth20Parameters(apiUrl);
+            default:
+                throw new IllegalArgumentException("Unknown OAuth version: " + oAuthVersion);
+        }
+    }
+
+    /**
+     * Get the default OAuth 2.0 parameters
+     * @param apiUrl The API url
+     * @return The default parameters
+     */
+    private static OAuth20Parameters getDefaultOAuth20Parameters(String apiUrl) {
+        final String clientId;
+        final String clientSecret;
+        final String redirectUri;
+        final String baseUrl;
+        if (apiUrl != null && !Config.getUrls().getDefaultOsmApiUrl().equals(apiUrl)) {
+            clientId = "";
+            clientSecret = "";
+            baseUrl = apiUrl;
+            HttpClient client = null;
+            redirectUri = "";
+            // Check if the server is RFC 8414 compliant
+            try {
+                client = HttpClient.create(new URL(apiUrl + (apiUrl.endsWith("/") ? "" : "/") + ".well-known/oauth-authorization-server"));
+                HttpClient.Response response = client.connect();
+                if (response.getResponseCode() == 200) {
+                    try (BufferedReader reader = response.getContentReader();
+                         JsonReader jsonReader = Json.createReader(reader)) {
+                        JsonStructure structure = jsonReader.read();
+                        if (structure.getValueType() == JsonValue.ValueType.OBJECT) {
+                            return parseAuthorizationServerMetadataResponse(clientId, clientSecret, apiUrl,
+                                    redirectUri, structure.asJsonObject());
+                        }
+                    }
+                }
+            } catch (IOException | OAuthException e) {
+                Logging.trace(e);
+            } finally {
+                if (client != null) client.disconnect();
+            }
+        } else {
+            clientId = "edPII614Lm0_0zEpc_QzEltA9BUll93-Y-ugRQUoHMI";
+            // We don't actually use the client secret in our authorization flow.
+            clientSecret = null;
+            baseUrl = "https://www.openstreetmap.org/oauth2";
+            redirectUri = "http://127.0.0.1:8111/oauth_authorization";
+            apiUrl = OsmApi.getOsmApi().getBaseUrl();
+        }
+        return new OAuth20Parameters(clientId, clientSecret, baseUrl, apiUrl, redirectUri);
+    }
+
+    /**
+     * Parse the response from <a href="https://www.rfc-editor.org/rfc/rfc8414.html">RFC 8414</a>
+     * (OAuth 2.0 Authorization Server Metadata)
+     * @return The parameters for the server metadata
+     */
+    private static OAuth20Parameters parseAuthorizationServerMetadataResponse(String clientId, String clientSecret,
+                                                                              String apiUrl, String redirectUri,
+                                                                              JsonObject serverMetadata)
+            throws OAuthException {
+        final String authorizationEndpoint = serverMetadata.getString("authorization_endpoint", null);
+        final String tokenEndpoint = serverMetadata.getString("token_endpoint", null);
+        // This may also have additional documentation like what the endpoints allow (e.g. scopes, algorithms, etc.)
+        if (authorizationEndpoint == null || tokenEndpoint == null) {
+            throw new OAuth20Exception("Either token endpoint or authorization endpoints are missing");
+        }
+        return new OAuth20Parameters(clientId, clientSecret, tokenEndpoint, authorizationEndpoint, apiUrl, redirectUri);
+    }
+
+    /**
+     * Get the default OAuth 1.0a parameters
+     * @param apiUrl The api url
+     * @return The default parameters
+     */
+    private static OAuthParameters getDefaultOAuth10Parameters(String apiUrl) {
         final String consumerKey;
         final String consumerSecret;
         final String serverUrl;
 
-        if (!Utils.isValidUrl(apiUrl)) {
-            apiUrl = null;
-        }
-
         if (apiUrl != null && !Config.getUrls().getDefaultOsmApiUrl().equals(apiUrl)) {
             consumerKey = ""; // a custom consumer key is required
             consumerSecret = ""; // a custom consumer secret is requireds
@@ -81 +190 @@
      * @return the parameters
      */
     public static OAuthParameters createFromApiUrl(String apiUrl) {
-        OAuthParameters parameters = createDefault(apiUrl);
-        return new OAuthParameters(
-                Config.getPref().get("oauth.settings.consumer-key", parameters.getConsumerKey()),
-                Config.getPref().get("oauth.settings.consumer-secret", parameters.getConsumerSecret()),
-                Config.getPref().get("oauth.settings.request-token-url", parameters.getRequestTokenUrl()),
-                Config.getPref().get("oauth.settings.access-token-url", parameters.getAccessTokenUrl()),
-                Config.getPref().get("oauth.settings.authorise-url", parameters.getAuthoriseUrl()),
-                Config.getPref().get("oauth.settings.osm-login-url", parameters.getOsmLoginUrl()),
-                Config.getPref().get("oauth.settings.osm-logout-url", parameters.getOsmLogoutUrl()));
+        return (OAuthParameters) createFromApiUrl(apiUrl, OAuthVersion.OAuth10a);
+    }
+
+    /**
+     * Replies a set of parameters as defined in the preferences.
+     *
+     * @param oAuthVersion The OAuth version to use.
+     * @param apiUrl the API URL. Must not be {@code null}.
+     * @return the parameters
+     * @since xxx
+     */
+    public static IOAuthParameters createFromApiUrl(String apiUrl, OAuthVersion oAuthVersion) {
+        IOAuthParameters parameters = createDefault(apiUrl, oAuthVersion);
+        switch (oAuthVersion) {
+            case OAuth10a:
+                OAuthParameters oauth10aParameters = (OAuthParameters) parameters;
+                return new OAuthParameters(
+                    Config.getPref().get("oauth.settings.consumer-key", oauth10aParameters.getConsumerKey()),
+                    Config.getPref().get("oauth.settings.consumer-secret", oauth10aParameters.getConsumerSecret()),
+                    Config.getPref().get("oauth.settings.request-token-url", oauth10aParameters.getRequestTokenUrl()),
+                    Config.getPref().get("oauth.settings.access-token-url", oauth10aParameters.getAccessTokenUrl()),
+                    Config.getPref().get("oauth.settings.authorise-url", oauth10aParameters.getAuthoriseUrl()),
+                    Config.getPref().get("oauth.settings.osm-login-url", oauth10aParameters.getOsmLoginUrl()),
+                    Config.getPref().get("oauth.settings.osm-logout-url", oauth10aParameters.getOsmLogoutUrl()));
+            case OAuth20:
+            case OAuth21: // Right now, OAuth 2.1 will work with our OAuth 2.0 implementation
+                OAuth20Parameters oAuth20Parameters = (OAuth20Parameters) parameters;
+                try {
+                    IOAuthToken storedToken = CredentialsManager.getInstance().lookupOAuthAccessToken(apiUrl);
+                    return storedToken != null ? storedToken.getParameters() : oAuth20Parameters;
+                } catch (CredentialsAgentException e) {
+                    Logging.trace(e);
+                }
+                return oAuth20Parameters;
+            default:
+                throw new IllegalArgumentException("Unknown OAuth version: " + oAuthVersion);
+        }
     }
 
     /**
      * Remembers the current values in the preferences.
      */
+    @Override
     public void rememberPreferences() {
         Config.getPref().put("oauth.settings.consumer-key", getConsumerKey());
         Config.getPref().put("oauth.settings.consumer-secret", getConsumerSecret());
@@ -182 +320 @@
      * Gets the access token URL.
      * @return The access token URL
      */
+    @Override
     public String getAccessTokenUrl() {
         return accessTokenUrl;
     }
 
+    @Override
+    public String getAuthorizationUrl() {
+        return this.authoriseUrl;
+    }
+
+    @Override
+    public OAuthVersion getOAuthVersion() {
+        return OAuthVersion.OAuth10a;
+    }
+
+    @Override
+    public String getClientId() {
+        return this.consumerKey;
+    }
+
+    @Override
+    public String getClientSecret() {
+        return this.consumerSecret;
+    }
+
     /**
      * Gets the authorise URL.
      * @return The authorise URL
      */
     public String getAuthoriseUrl() {
-        return authoriseUrl;
+        return this.getAuthorizationUrl();
     }
 
     /**

new file src/org/openstreetmap/josm/data/oauth/OAuthVersion.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.data.oauth;
+
+/**
+ * The OAuth versions ordered oldest to newest
+ * @author Taylor Smock
+ * @since xxx
+ */
+public enum OAuthVersion {
+    /** <a href="https://oauth.net/core/1.0a/">OAuth 1.0a</a> */
+    OAuth10a,
+    /** <a href="https://datatracker.ietf.org/doc/html/rfc6749">OAuth 2.0</a> */
+    OAuth20,
+    /** <a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-06">OAuth 2.1 (draft)</a> */
+    OAuth21
+}

new file src/org/openstreetmap/josm/data/oauth/osm/OsmScopes.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.data.oauth.osm;
+
+/**
+ * The possible scopes for OSM
+ * @author Taylor Smock
+ * @since xxx
+ */
+public enum OsmScopes {
+    /** Read user preferences */
+    read_prefs,
+    /** Modify user preferences */
+    write_prefs,
+    /** Write diary posts */
+    write_diary,
+    /** Modify the map */
+    write_api,
+    /** Read private GPS traces */
+    read_gpx,
+    /** Upload GPS traces */
+    write_gpx,
+    /** Modify notes */
+    write_notes
+}

new file src/org/openstreetmap/josm/data/oauth/osm/package-info.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+
+/**
+ * Provides the classes for OAuth authentication to OSM.
+ */
+package org.openstreetmap.josm.data.oauth.osm;

src/org/openstreetmap/josm/data/UserIdentityManager.java

@@ -4 +4 @@
 import static org.openstreetmap.josm.tools.I18n.tr;
 
 import java.text.MessageFormat;
+import java.util.Arrays;
+import java.util.Objects;
 
 import org.openstreetmap.josm.data.oauth.OAuthAccessTokenHolder;
+import org.openstreetmap.josm.data.oauth.OAuthVersion;
 import org.openstreetmap.josm.data.osm.User;
 import org.openstreetmap.josm.data.osm.UserInfo;
 import org.openstreetmap.josm.gui.progress.NullProgressMonitor;
@@ -68 +71 @@
     public static synchronized UserIdentityManager getInstance() {
         if (instance == null) {
             instance = new UserIdentityManager();
-            if (OsmApi.isUsingOAuth() && OAuthAccessTokenHolder.getInstance().containsAccessToken() &&
-                    !NetworkManager.isOffline(OnlineResource.OSM_API)) {
+            if (OsmApi.isUsingOAuthAndOAuthSetUp(OsmApi.getOsmApi()) && !NetworkManager.isOffline(OnlineResource.OSM_API)) {
                 try {
                     instance.initFromOAuth();
                 } catch (JosmRuntimeException | IllegalArgumentException | IllegalStateException e) {
@@ -305 +307 @@
             accessTokenSecretChanged = true;
             break;
         default: // Do nothing
+            if (evt.getKey() != null && evt.getKey().equals("oauth.access-token.parameters.OAuth20." + OsmApi.getOsmApi().getHost())) {
+                accessTokenKeyChanged = true;
+                accessTokenSecretChanged = true;
+            }
         }
+        // oauth.access-token.parameters.OAuth20.api.openstreetmap.org
 
         if (accessTokenKeyChanged && accessTokenSecretChanged) {
             accessTokenKeyChanged = false;

src/org/openstreetmap/josm/gui/oauth/AbstractAuthorizationUI.java

@@ -3 +3 @@
 
 import java.util.Objects;
 
+import org.openstreetmap.josm.data.oauth.IOAuthParameters;
 import org.openstreetmap.josm.data.oauth.OAuthParameters;
 import org.openstreetmap.josm.data.oauth.OAuthToken;
+import org.openstreetmap.josm.data.oauth.OAuthVersion;
 import org.openstreetmap.josm.gui.widgets.VerticallyScrollablePanel;
 import org.openstreetmap.josm.tools.CheckParameterUtil;
 
@@ -20 +22 @@
     public static final String ACCESS_TOKEN_PROP = AbstractAuthorizationUI.class.getName() + ".accessToken";
 
     private String apiUrl;
-    private final AdvancedOAuthPropertiesPanel pnlAdvancedProperties = new AdvancedOAuthPropertiesPanel();
+    private final AdvancedOAuthPropertiesPanel pnlAdvancedProperties = new AdvancedOAuthPropertiesPanel(OAuthVersion.OAuth10a);
     private transient OAuthToken accessToken;
 
     /**
@@ -79 +81 @@
      *
      * @return the current set of advanced OAuth parameters in this UI
      */
-    public OAuthParameters getOAuthParameters() {
+    public IOAuthParameters getOAuthParameters() {
         return pnlAdvancedProperties.getAdvancedParameters();
     }
 

src/org/openstreetmap/josm/gui/oauth/AdvancedOAuthPropertiesPanel.java

@@ -15 +15 @@
 import javax.swing.JLabel;
 import javax.swing.JOptionPane;
 
+import org.openstreetmap.josm.data.oauth.IOAuthParameters;
+import org.openstreetmap.josm.data.oauth.OAuth20Parameters;
 import org.openstreetmap.josm.data.oauth.OAuthParameters;
+import org.openstreetmap.josm.data.oauth.OAuthVersion;
 import org.openstreetmap.josm.gui.HelpAwareOptionPane;
 import org.openstreetmap.josm.gui.HelpAwareOptionPane.ButtonSpec;
 import org.openstreetmap.josm.gui.help.HelpUtil;
@@ -51 +54 @@
     private final JosmTextField tfAuthoriseURL = new JosmTextField();
     private final JosmTextField tfOsmLoginURL = new JosmTextField();
     private final JosmTextField tfOsmLogoutURL = new JosmTextField();
+    private final OAuthVersion oauthVersion;
     private transient UseDefaultItemListener ilUseDefault;
     private String apiUrl;
 
     /**
      * Constructs a new {@code AdvancedOAuthPropertiesPanel}.
+     * @param oauthVersion The OAuth version to make the panel for
      */
-    public AdvancedOAuthPropertiesPanel() {
+    public AdvancedOAuthPropertiesPanel(OAuthVersion oauthVersion) {
+        this.oauthVersion = oauthVersion;
         build();
     }
 
@@ -70 +76 @@
         gc.fill = GridBagConstraints.HORIZONTAL;
         gc.weightx = 1.0;
         gc.insets = new Insets(0, 0, 3, 3);
-        gc.gridwidth = 2;
+        gc.gridwidth = 3;
         add(cbUseDefaults, gc);
 
         // -- consumer key
         gc.gridy = 1;
         gc.weightx = 0.0;
         gc.gridwidth = 1;
-        add(new JLabel(tr("Consumer Key:")), gc);
+        if (this.oauthVersion == OAuthVersion.OAuth10a) {
+            add(new JLabel(tr("Consumer Key:")), gc);
+        } else {
+            add(new JLabel(tr("Client ID:")), gc);
+        }
 
         gc.gridx = 1;
         gc.weightx = 1.0;
@@ -85 +95 @@
         SelectAllOnFocusGainedDecorator.decorate(tfConsumerKey);
 
         // -- consumer secret
-        gc.gridy = 2;
+        gc.gridy++;
         gc.gridx = 0;
         gc.weightx = 0.0;
-        add(new JLabel(tr("Consumer Secret:")), gc);
+        if (this.oauthVersion == OAuthVersion.OAuth10a) {
+            add(new JLabel(tr("Consumer Secret:")), gc);
+        } else {
+            add(new JLabel(tr("Client Secret:")), gc);
+        }
 
         gc.gridx = 1;
         gc.weightx = 1.0;
@@ -96 +110 @@
         SelectAllOnFocusGainedDecorator.decorate(tfConsumerSecret);
 
         // -- request token URL
-        gc.gridy = 3;
+        gc.gridy++;
         gc.gridx = 0;
         gc.weightx = 0.0;
-        add(new JLabel(tr("Request Token URL:")), gc);
+        if (this.oauthVersion == OAuthVersion.OAuth10a) {
+            add(new JLabel(tr("Request Token URL:")), gc);
+        } else {
+            add(new JLabel(tr("Redirect URL:")), gc);
+        }
 
         gc.gridx = 1;
         gc.weightx = 1.0;
@@ -107 +125 @@
         SelectAllOnFocusGainedDecorator.decorate(tfRequestTokenURL);
 
         // -- access token URL
-        gc.gridy = 4;
+        gc.gridy++;
         gc.gridx = 0;
         gc.weightx = 0.0;
         add(new JLabel(tr("Access Token URL:")), gc);
@@ -118 +136 @@
         SelectAllOnFocusGainedDecorator.decorate(tfAccessTokenURL);
 
         // -- authorise URL
-        gc.gridy = 5;
+        gc.gridy++;
         gc.gridx = 0;
         gc.weightx = 0.0;
         add(new JLabel(tr("Authorize URL:")), gc);
@@ -128 +146 @@
         add(tfAuthoriseURL, gc);
         SelectAllOnFocusGainedDecorator.decorate(tfAuthoriseURL);
 
-        // -- OSM login URL
-        gc.gridy = 6;
-        gc.gridx = 0;
-        gc.weightx = 0.0;
-        add(new JLabel(tr("OSM login URL:")), gc);
+        if (this.oauthVersion == OAuthVersion.OAuth10a) {
+            // -- OSM login URL
+            gc.gridy++;
+            gc.gridx = 0;
+            gc.weightx = 0.0;
+            add(new JLabel(tr("OSM login URL:")), gc);
 
-        gc.gridx = 1;
-        gc.weightx = 1.0;
-        add(tfOsmLoginURL, gc);
-        SelectAllOnFocusGainedDecorator.decorate(tfOsmLoginURL);
+            gc.gridx = 1;
+            gc.weightx = 1.0;
+            add(tfOsmLoginURL, gc);
+            SelectAllOnFocusGainedDecorator.decorate(tfOsmLoginURL);
 
-        // -- OSM logout URL
-        gc.gridy = 7;
-        gc.gridx = 0;
-        gc.weightx = 0.0;
-        add(new JLabel(tr("OSM logout URL:")), gc);
+            // -- OSM logout URL
+            gc.gridy++;
+            gc.gridx = 0;
+            gc.weightx = 0.0;
+            add(new JLabel(tr("OSM logout URL:")), gc);
 
-        gc.gridx = 1;
-        gc.weightx = 1.0;
-        add(tfOsmLogoutURL, gc);
-        SelectAllOnFocusGainedDecorator.decorate(tfOsmLogoutURL);
+            gc.gridx = 1;
+            gc.weightx = 1.0;
+            add(tfOsmLogoutURL, gc);
+            SelectAllOnFocusGainedDecorator.decorate(tfOsmLogoutURL);
+        }
 
         ilUseDefault = new UseDefaultItemListener();
         cbUseDefaults.addItemListener(ilUseDefault);
@@ -191 +211 @@
 
     protected void resetToDefaultSettings() {
         cbUseDefaults.setSelected(true);
-        OAuthParameters params = OAuthParameters.createDefault(apiUrl);
-        tfConsumerKey.setText(params.getConsumerKey());
-        tfConsumerSecret.setText(params.getConsumerSecret());
-        tfRequestTokenURL.setText(params.getRequestTokenUrl());
-        tfAccessTokenURL.setText(params.getAccessTokenUrl());
-        tfAuthoriseURL.setText(params.getAuthoriseUrl());
-        tfOsmLoginURL.setText(params.getOsmLoginUrl());
-        tfOsmLogoutURL.setText(params.getOsmLogoutUrl());
+        IOAuthParameters iParams = OAuthParameters.createDefault(apiUrl, this.oauthVersion);
+        switch (this.oauthVersion) {
+            case OAuth10a:
+                OAuthParameters params = (OAuthParameters) iParams;
+                tfConsumerKey.setText(params.getConsumerKey());
+                tfConsumerSecret.setText(params.getConsumerSecret());
+                tfRequestTokenURL.setText(params.getRequestTokenUrl());
+                tfAccessTokenURL.setText(params.getAccessTokenUrl());
+                tfAuthoriseURL.setText(params.getAuthoriseUrl());
+                tfOsmLoginURL.setText(params.getOsmLoginUrl());
+                tfOsmLogoutURL.setText(params.getOsmLogoutUrl());
+                break;
+            case OAuth20:
+            case OAuth21:
+                OAuth20Parameters params20 = (OAuth20Parameters) iParams;
+                tfConsumerKey.setText(params20.getClientId());
+                tfConsumerSecret.setText(params20.getClientSecret());
+                tfAccessTokenURL.setText(params20.getAccessTokenUrl());
+                tfAuthoriseURL.setText(params20.getAuthorizationUrl());
+                tfRequestTokenURL.setText(params20.getRedirectUri());
+        }
 
         setChildComponentsEnabled(false);
     }
@@ -216 +249 @@
      *
      * @return the OAuth parameters
      */
-    public OAuthParameters getAdvancedParameters() {
+    public IOAuthParameters getAdvancedParameters() {
         if (cbUseDefaults.isSelected())
-            return OAuthParameters.createDefault(apiUrl);
-        return new OAuthParameters(
-            tfConsumerKey.getText(),
-            tfConsumerSecret.getText(),
-            tfRequestTokenURL.getText(),
-            tfAccessTokenURL.getText(),
-            tfAuthoriseURL.getText(),
-            tfOsmLoginURL.getText(),
-            tfOsmLogoutURL.getText());
+            return OAuthParameters.createDefault(apiUrl, this.oauthVersion);
+        if (this.oauthVersion == OAuthVersion.OAuth10a) {
+            return new OAuthParameters(
+                    tfConsumerKey.getText(),
+                    tfConsumerSecret.getText(),
+                    tfRequestTokenURL.getText(),
+                    tfAccessTokenURL.getText(),
+                    tfAuthoriseURL.getText(),
+                    tfOsmLoginURL.getText(),
+                    tfOsmLogoutURL.getText());
+        }
+        return new OAuth20Parameters(
+                tfConsumerKey.getText(),
+                tfConsumerSecret.getText(),
+                tfAuthoriseURL.getText(),
+                tfAccessTokenURL.getText(),
+                tfRequestTokenURL.getText()
+                );
     }
 
     /**
@@ -235 +277 @@
      * @param parameters the advanced parameters. Must not be null.
      * @throws IllegalArgumentException if parameters is null.
      */
-    public void setAdvancedParameters(OAuthParameters parameters) {
+    public void setAdvancedParameters(IOAuthParameters parameters) {
         CheckParameterUtil.ensureParameterNotNull(parameters, "parameters");
-        if (parameters.equals(OAuthParameters.createDefault(apiUrl))) {
+        if (parameters.equals(OAuthParameters.createDefault(apiUrl, parameters.getOAuthVersion()))) {
             cbUseDefaults.setSelected(true);
             setChildComponentsEnabled(false);
         } else {
             cbUseDefaults.setSelected(false);
             setChildComponentsEnabled(true);
-            tfConsumerKey.setText(parameters.getConsumerKey() == null ? "" : parameters.getConsumerKey());
-            tfConsumerSecret.setText(parameters.getConsumerSecret() == null ? "" : parameters.getConsumerSecret());
-            tfRequestTokenURL.setText(parameters.getRequestTokenUrl() == null ? "" : parameters.getRequestTokenUrl());
-            tfAccessTokenURL.setText(parameters.getAccessTokenUrl() == null ? "" : parameters.getAccessTokenUrl());
-            tfAuthoriseURL.setText(parameters.getAuthoriseUrl() == null ? "" : parameters.getAuthoriseUrl());
-            tfOsmLoginURL.setText(parameters.getOsmLoginUrl() == null ? "" : parameters.getOsmLoginUrl());
-            tfOsmLogoutURL.setText(parameters.getOsmLogoutUrl() == null ? "" : parameters.getOsmLogoutUrl());
+            if (parameters instanceof OAuthParameters) {
+                OAuthParameters parameters10 = (OAuthParameters) parameters;
+                tfConsumerKey.setText(parameters10.getConsumerKey() == null ? "" : parameters10.getConsumerKey());
+                tfConsumerSecret.setText(parameters10.getConsumerSecret() == null ? "" : parameters10.getConsumerSecret());
+                tfRequestTokenURL.setText(parameters10.getRequestTokenUrl() == null ? "" : parameters10.getRequestTokenUrl());
+                tfAccessTokenURL.setText(parameters10.getAccessTokenUrl() == null ? "" : parameters10.getAccessTokenUrl());
+                tfAuthoriseURL.setText(parameters10.getAuthoriseUrl() == null ? "" : parameters10.getAuthoriseUrl());
+                tfOsmLoginURL.setText(parameters10.getOsmLoginUrl() == null ? "" : parameters10.getOsmLoginUrl());
+                tfOsmLogoutURL.setText(parameters10.getOsmLogoutUrl() == null ? "" : parameters10.getOsmLogoutUrl());
+            } else if (parameters instanceof OAuth20Parameters) {
+                OAuth20Parameters parameters20 = (OAuth20Parameters) parameters;
+                tfConsumerKey.setText(parameters20.getClientId());
+                tfConsumerSecret.setText(parameters20.getClientSecret());
+                tfAccessTokenURL.setText(parameters20.getAccessTokenUrl());
+                tfAuthoriseURL.setText(parameters20.getAuthorizationUrl());
+                tfRequestTokenURL.setText(parameters20.getRedirectUri());
+            }
         }
     }
 

src/org/openstreetmap/josm/gui/oauth/FullyAutomaticAuthorizationUI.java

@@ -28 +28 @@
 import javax.swing.text.JTextComponent;
 import javax.swing.text.html.HTMLEditorKit;
 
+import org.openstreetmap.josm.data.oauth.OAuthParameters;
 import org.openstreetmap.josm.data.oauth.OAuthToken;
 import org.openstreetmap.josm.gui.HelpAwareOptionPane;
 import org.openstreetmap.josm.gui.PleaseWaitRunnable;
@@ -384 +385 @@
             executor.execute(new TestAccessTokenTask(
                     FullyAutomaticAuthorizationUI.this,
                     getApiUrl(),
-                    getAdvancedPropertiesPanel().getAdvancedParameters(),
+                    (OAuthParameters) getAdvancedPropertiesPanel().getAdvancedParameters(),
                     getAccessToken()
             ));
         }
@@ -437 +438 @@
                             + "a valid login URL from the OAuth Authorize Endpoint URL ''{0}''.<br><br>"
                             + "Please check your advanced setting and try again."
                             + "</html>",
-                            getAdvancedPropertiesPanel().getAdvancedParameters().getAuthoriseUrl()),
+                            ((OAuthParameters) getAdvancedPropertiesPanel().getAdvancedParameters()).getAuthoriseUrl()),
                     tr("OAuth authorization failed"),
                     JOptionPane.ERROR_MESSAGE,
                     HelpUtil.ht("/Dialog/OAuthAuthorisationWizard#FullyAutomaticProcessFailed")
@@ -445 +446 @@
         }
 
         protected void alertLoginFailed() {
-            final String loginUrl = getAdvancedPropertiesPanel().getAdvancedParameters().getOsmLoginUrl();
+            final String loginUrl = ((OAuthParameters) getAdvancedPropertiesPanel().getAdvancedParameters()).getOsmLoginUrl();
             HelpAwareOptionPane.showOptionDialog(
                     FullyAutomaticAuthorizationUI.this,
                     tr("<html>"
@@ -479 +480 @@
             try {
                 getProgressMonitor().setTicksCount(3);
                 OsmOAuthAuthorizationClient authClient = new OsmOAuthAuthorizationClient(
-                        getAdvancedPropertiesPanel().getAdvancedParameters()
+                        (OAuthParameters) getAdvancedPropertiesPanel().getAdvancedParameters()
                 );
                 OAuthToken requestToken = authClient.getRequestToken(
                         getProgressMonitor().createSubTaskMonitor(1, false)

src/org/openstreetmap/josm/gui/oauth/ManualAuthorizationUI.java

@@ -25 +25 @@
 import javax.swing.text.JTextComponent;
 
 import org.openstreetmap.josm.data.oauth.OAuthAccessTokenHolder;
+import org.openstreetmap.josm.data.oauth.OAuthParameters;
 import org.openstreetmap.josm.data.oauth.OAuthToken;
 import org.openstreetmap.josm.gui.widgets.DefaultTextComponentValidator;
 import org.openstreetmap.josm.gui.widgets.HtmlPanel;
@@ -232 +233 @@
             TestAccessTokenTask task = new TestAccessTokenTask(
                     ManualAuthorizationUI.this,
                     getApiUrl(),
-                    getAdvancedPropertiesPanel().getAdvancedParameters(),
+                    (OAuthParameters) getAdvancedPropertiesPanel().getAdvancedParameters(),
                     getAccessToken()
             );
             executor.execute(task);

src/org/openstreetmap/josm/gui/oauth/OAuthAuthorizationWizard.java

@@ -255 +255 @@
      * @return the current OAuth parameters.
      */
     public OAuthParameters getOAuthParameters() {
-        return getCurrentAuthorisationUI().getOAuthParameters();
+        return (OAuthParameters) getCurrentAuthorisationUI().getOAuthParameters();
     }
 
     /**

src/org/openstreetmap/josm/gui/oauth/SemiAutomaticAuthorizationUI.java

@@ -22 +22 @@
 import javax.swing.JPanel;
 
 import org.openstreetmap.josm.data.oauth.OAuthAccessTokenHolder;
+import org.openstreetmap.josm.data.oauth.OAuthParameters;
 import org.openstreetmap.josm.data.oauth.OAuthToken;
 import org.openstreetmap.josm.gui.util.GuiHelper;
 import org.openstreetmap.josm.gui.widgets.HtmlPanel;
@@ -78 +79 @@
 
     protected void transitionToRetrieveAccessToken() {
         OsmOAuthAuthorizationClient client = new OsmOAuthAuthorizationClient(
-                getAdvancedPropertiesPanel().getAdvancedParameters()
+                (OAuthParameters) getAdvancedPropertiesPanel().getAdvancedParameters()
         );
         String authoriseUrl = client.getAuthoriseUrl(requestToken);
         OpenBrowser.displayUrl(authoriseUrl);
@@ -183 +184 @@
                     + "Please click on <strong>{0}</strong> to retrieve an OAuth Request Token from "
                     + "''{1}''.</html>",
                     tr("Retrieve Request Token"),
-                    getAdvancedPropertiesPanel().getAdvancedParameters().getRequestTokenUrl()
+                    ((OAuthParameters) getAdvancedPropertiesPanel().getAdvancedParameters()).getRequestTokenUrl()
             ));
             pnl.add(h, gc);
 
@@ -390 +391 @@
         public void actionPerformed(ActionEvent evt) {
             final RetrieveRequestTokenTask task = new RetrieveRequestTokenTask(
                     SemiAutomaticAuthorizationUI.this,
-                    getAdvancedPropertiesPanel().getAdvancedParameters()
+                    (OAuthParameters) getAdvancedPropertiesPanel().getAdvancedParameters()
             );
             executor.execute(task);
             Runnable r = () -> {
@@ -418 +419 @@
         public void actionPerformed(ActionEvent evt) {
             final RetrieveAccessTokenTask task = new RetrieveAccessTokenTask(
                     SemiAutomaticAuthorizationUI.this,
-                    getAdvancedPropertiesPanel().getAdvancedParameters(),
+                    (OAuthParameters) getAdvancedPropertiesPanel().getAdvancedParameters(),
                     requestToken
             );
             executor.execute(task);
@@ -450 +451 @@
             TestAccessTokenTask task = new TestAccessTokenTask(
                     SemiAutomaticAuthorizationUI.this,
                     getApiUrl(),
-                    getAdvancedPropertiesPanel().getAdvancedParameters(),
+                    (OAuthParameters) getAdvancedPropertiesPanel().getAdvancedParameters(),
                     getAccessToken()
             );
             executor.execute(task);

src/org/openstreetmap/josm/gui/preferences/advanced/AdvancedPreference.java

@@ -235 +235 @@
         Map<String, Setting<?>> loaded;
         Map<String, Setting<?>> orig = Preferences.main().getAllSettings();
         Map<String, Setting<?>> defaults = tmpPrefs.getAllDefaults();
-        orig.remove("osm-server.password");
-        defaults.remove("osm-server.password");
+        Preferences.main().getSensitive().forEach(orig::remove);
+        tmpPrefs.getSensitive().forEach(defaults::remove);
         if (tmpPrefs != Preferences.main()) {
             loaded = tmpPrefs.getAllSettings();
             // plugins preference keys may be changed directly later, after plugins are downloaded

src/org/openstreetmap/josm/gui/preferences/server/AuthenticationPreferencesPanel.java

@@ -4 +4 @@
 import static org.openstreetmap.josm.tools.I18n.tr;
 
 import java.awt.BorderLayout;
+import java.awt.FlowLayout;
 import java.awt.GridBagConstraints;
 import java.awt.GridBagLayout;
 import java.awt.Insets;
@@ -17 +18 @@
 import javax.swing.JRadioButton;
 
 import org.openstreetmap.josm.data.oauth.OAuthAccessTokenHolder;
+import org.openstreetmap.josm.data.oauth.OAuthVersion;
 import org.openstreetmap.josm.gui.help.HelpUtil;
 import org.openstreetmap.josm.gui.widgets.VerticallyScrollablePanel;
 import org.openstreetmap.josm.io.OsmApi;
 import org.openstreetmap.josm.io.auth.CredentialsManager;
 import org.openstreetmap.josm.spi.preferences.Config;
+import org.openstreetmap.josm.tools.GBC;
 import org.openstreetmap.josm.tools.Logging;
 
 /**
@@ -32 +35 @@
 
     /** indicates whether we use basic authentication */
     private final JRadioButton rbBasicAuthentication = new JRadioButton();
-    /** indicates whether we use OAuth as authentication scheme */
+    /** indicates whether we use OAuth 1.0a as authentication scheme */
     private final JRadioButton rbOAuth = new JRadioButton();
+    /** indicates whether we use OAuth 2.0 as authentication scheme */
+    private final JRadioButton rbOAuth20 = new JRadioButton();
     /** the panel which contains the authentication parameters for the respective authentication scheme */
     private final JPanel pnlAuthenticationParameters = new JPanel(new BorderLayout());
     /** the panel for the basic authentication parameters */
     private BasicAuthenticationPreferencesPanel pnlBasicAuthPreferences;
-    /** the panel for the OAuth authentication parameters */
+    /** the panel for the OAuth 1.0a authentication parameters */
     private OAuthAuthenticationPreferencesPanel pnlOAuthPreferences;
+    /** the panel for the OAuth 2.0 authentication parameters */
+    private OAuthAuthenticationPreferencesPanel pnlOAuth20Preferences;
 
     /**
      * Constructs a new {@code AuthenticationPreferencesPanel}.
@@ -55 +62 @@
      */
     protected final void build() {
         setLayout(new GridBagLayout());
-        GridBagConstraints gc = new GridBagConstraints();
 
         AuthenticationMethodChangeListener authChangeListener = new AuthenticationMethodChangeListener();
 
+        JPanel buttonPanel = new JPanel(new FlowLayout(FlowLayout.LEADING));
         // -- radio button for basic authentication
-        gc.anchor = GridBagConstraints.NORTHWEST;
-        gc.fill = GridBagConstraints.HORIZONTAL;
-        gc.gridx = 1;
-        gc.weightx = 1.0;
-        gc.insets = new Insets(0, 0, 0, 3);
-        add(rbBasicAuthentication, gc);
+        buttonPanel.add(rbBasicAuthentication);
         rbBasicAuthentication.setText(tr("Use Basic Authentication"));
         rbBasicAuthentication.setToolTipText(tr("Select to use HTTP basic authentication with your OSM username and password"));
         rbBasicAuthentication.addItemListener(authChangeListener);
 
-        //-- radio button for OAuth
-        gc.gridx = 0;
-        gc.weightx = 0.0;
-        add(rbOAuth, gc);
-        rbOAuth.setText(tr("Use OAuth"));
-        rbOAuth.setToolTipText(tr("Select to use OAuth as authentication mechanism"));
+        //-- radio button for OAuth 1.0a
+        buttonPanel.add(rbOAuth);
+        rbOAuth.setText(tr("Use OAuth {0}", "1.0a"));
+        rbOAuth.setToolTipText(tr("Select to use OAuth {0} as authentication mechanism", "1.0a"));
         rbOAuth.addItemListener(authChangeListener);
 
+        //-- radio button for OAuth 2.0
+        buttonPanel.add(rbOAuth20);
+        rbOAuth20.setText(tr("Use OAuth {0}", "2.0"));
+        rbOAuth20.setToolTipText(tr("Select to use OAuth {0} as authentication mechanism", "2.0"));
+        rbOAuth20.addItemListener(authChangeListener);
+
+        add(buttonPanel, GBC.eol());
         //-- radio button for OAuth
         ButtonGroup bg = new ButtonGroup();
         bg.add(rbBasicAuthentication);
         bg.add(rbOAuth);
+        bg.add(rbOAuth20);
 
         //-- add the panel which will hold the authentication parameters
+        GridBagConstraints gc = new GridBagConstraints();
+        gc.anchor = GridBagConstraints.NORTHWEST;
+        gc.insets = new Insets(0, 0, 0, 3);
         gc.gridx = 0;
         gc.gridy = 1;
         gc.gridwidth = 2;
@@ -94 +105 @@
 
         //-- the two panels for authentication parameters
         pnlBasicAuthPreferences = new BasicAuthenticationPreferencesPanel();
-        pnlOAuthPreferences = new OAuthAuthenticationPreferencesPanel();
+        pnlOAuthPreferences = new OAuthAuthenticationPreferencesPanel(OAuthVersion.OAuth10a);
+        pnlOAuth20Preferences = new OAuthAuthenticationPreferencesPanel(OAuthVersion.OAuth20);
 
         rbBasicAuthentication.setSelected(true);
         pnlAuthenticationParameters.add(pnlBasicAuthPreferences, BorderLayout.CENTER);
@@ -109 +121 @@
             rbBasicAuthentication.setSelected(true);
         } else if ("oauth".equals(authMethod)) {
             rbOAuth.setSelected(true);
+        } else if ("oauth20".equals(authMethod)) {
+            rbOAuth20.setSelected(true);
         } else {
             Logging.warn(tr("Unsupported value in preference ''{0}'', got ''{1}''. Using authentication method ''Basic Authentication''.",
                     "osm-server.auth-method", authMethod));
@@ -116 +130 @@
         }
         pnlBasicAuthPreferences.initFromPreferences();
         pnlOAuthPreferences.initFromPreferences();
+        pnlOAuth20Preferences.initFromPreferences();
     }
 
     /**
@@ -126 +141 @@
         String authMethod;
         if (rbBasicAuthentication.isSelected()) {
             authMethod = "basic";
-        } else {
+        } else if (rbOAuth.isSelected()) {
             authMethod = "oauth";
+        } else if (rbOAuth20.isSelected()) {
+            authMethod = "oauth20";
+        } else {
+            throw new IllegalStateException("One of OAuth 2.0, OAuth 1.0a, or Basic authentication must be checked");
         }
         Config.getPref().put("osm-server.auth-method", authMethod);
         if ("basic".equals(authMethod)) {
@@ -140 +159 @@
             pnlBasicAuthPreferences.clearPassword();
             pnlBasicAuthPreferences.saveToPreferences();
             pnlOAuthPreferences.saveToPreferences();
+        } else { // oauth20
+            // clear the password in the preferences
+            pnlBasicAuthPreferences.clearPassword();
+            pnlBasicAuthPreferences.saveToPreferences();
+            pnlOAuth20Preferences.saveToPreferences();
         }
     }
 
@@ -149 +173 @@
     class AuthenticationMethodChangeListener implements ItemListener {
         @Override
         public void itemStateChanged(ItemEvent e) {
-            if (rbBasicAuthentication.isSelected()) {
-                pnlAuthenticationParameters.removeAll();
+            pnlAuthenticationParameters.removeAll();
+            if (rbBasicAuthentication.isSelected()) {
                 pnlAuthenticationParameters.add(pnlBasicAuthPreferences, BorderLayout.CENTER);
                 pnlBasicAuthPreferences.revalidate();
-            } else {
-                pnlAuthenticationParameters.removeAll();
+            } else if (rbOAuth.isSelected()) {
                 pnlAuthenticationParameters.add(pnlOAuthPreferences, BorderLayout.CENTER);
                 pnlOAuthPreferences.revalidate();
+            } else if (rbOAuth20.isSelected()) {
+                pnlAuthenticationParameters.add(pnlOAuth20Preferences, BorderLayout.CENTER);
+                pnlOAuth20Preferences.revalidate();
             }
             repaint();
         }

src/org/openstreetmap/josm/gui/preferences/server/OAuthAuthenticationPreferencesPanel.java

@@ -23 +23 @@
 import javax.swing.JPanel;
 
 import org.openstreetmap.josm.actions.ExpertToggleAction;
+import org.openstreetmap.josm.data.oauth.IOAuthToken;
+import org.openstreetmap.josm.data.oauth.OAuth20Authorization;
+import org.openstreetmap.josm.data.oauth.OAuth20Token;
 import org.openstreetmap.josm.data.oauth.OAuthAccessTokenHolder;
 import org.openstreetmap.josm.data.oauth.OAuthParameters;
 import org.openstreetmap.josm.data.oauth.OAuthToken;
+import org.openstreetmap.josm.data.oauth.OAuthVersion;
+import org.openstreetmap.josm.data.oauth.osm.OsmScopes;
 import org.openstreetmap.josm.gui.MainApplication;
 import org.openstreetmap.josm.gui.oauth.AdvancedOAuthPropertiesPanel;
 import org.openstreetmap.josm.gui.oauth.AuthorizationProcedure;
 import org.openstreetmap.josm.gui.oauth.OAuthAuthorizationWizard;
 import org.openstreetmap.josm.gui.oauth.TestAccessTokenTask;
+import org.openstreetmap.josm.gui.util.GuiHelper;
 import org.openstreetmap.josm.gui.widgets.JMultilineLabel;
 import org.openstreetmap.josm.gui.widgets.JosmTextField;
 import org.openstreetmap.josm.io.OsmApi;
 import org.openstreetmap.josm.io.auth.CredentialsManager;
+import org.openstreetmap.josm.io.remotecontrol.RemoteControl;
 import org.openstreetmap.josm.tools.GBC;
 import org.openstreetmap.josm.tools.ImageProvider;
 import org.openstreetmap.josm.tools.Logging;
 import org.openstreetmap.josm.tools.UserCancelException;
 
 /**
- * The preferences panel for the OAuth preferences. This just a summary panel
+ * The preferences panel for the OAuth 1.0a preferences. This just a summary panel
  * showing the current Access Token Key and Access Token Secret, if the
  * user already has an Access Token.
- *
+ * <br>
  * For initial authorisation see {@link OAuthAuthorizationWizard}.
  * @since 2745
  */
@@ -53 +60 @@
     private final JCheckBox cbShowAdvancedParameters = new JCheckBox(tr("Display Advanced OAuth Parameters"));
     private final JCheckBox cbSaveToPreferences = new JCheckBox(tr("Save to preferences"));
     private final JPanel pnlAuthorisationMessage = new JPanel(new BorderLayout());
-    private final NotYetAuthorisedPanel pnlNotYetAuthorised = new NotYetAuthorisedPanel();
-    private final AdvancedOAuthPropertiesPanel pnlAdvancedProperties = new AdvancedOAuthPropertiesPanel();
-    private final AlreadyAuthorisedPanel pnlAlreadyAuthorised = new AlreadyAuthorisedPanel();
+    private final NotYetAuthorisedPanel pnlNotYetAuthorised;
+    private final AdvancedOAuthPropertiesPanel pnlAdvancedProperties;
+    private final AlreadyAuthorisedPanel pnlAlreadyAuthorised;
+    private final OAuthVersion oAuthVersion;
     private String apiUrl;
 
     /**
-     * Create the panel
+     * Create the panel. Uses {@link OAuthVersion#OAuth10a}.
      */
     public OAuthAuthenticationPreferencesPanel() {
+        this(OAuthVersion.OAuth10a);
+    }
+
+    /**
+     * Create the panel.
+     * @param oAuthVersion The OAuth version to use
+     */
+    public OAuthAuthenticationPreferencesPanel(OAuthVersion oAuthVersion) {
+        this.oAuthVersion = oAuthVersion;
+        // These must come after we set the oauth version
+        this.pnlNotYetAuthorised = new NotYetAuthorisedPanel();
+        this.pnlAdvancedProperties = new AdvancedOAuthPropertiesPanel(this.oAuthVersion);
+        this.pnlAlreadyAuthorised = new AlreadyAuthorisedPanel();
         build();
-        refreshView();
     }
 
     /**
@@ -117 +137 @@
 
     protected void refreshView() {
         pnlAuthorisationMessage.removeAll();
-        if (OAuthAccessTokenHolder.getInstance().containsAccessToken()) {
+        if ((this.oAuthVersion == OAuthVersion.OAuth10a &&
+                OAuthAccessTokenHolder.getInstance().containsAccessToken())
+        || OAuthAccessTokenHolder.getInstance().getAccessToken(this.apiUrl, this.oAuthVersion) != null) {
             pnlAuthorisationMessage.add(pnlAlreadyAuthorised, BorderLayout.CENTER);
             pnlAlreadyAuthorised.refreshView();
             pnlAlreadyAuthorised.revalidate();
@@ -180 +202 @@
             lbl.setFont(lbl.getFont().deriveFont(Font.PLAIN));
 
             // Action for authorising now
-            add(new JButton(new AuthoriseNowAction(AuthorizationProcedure.FULLY_AUTOMATIC)), GBC.eol());
+            if (oAuthVersion == OAuthVersion.OAuth10a) {
+                add(new JButton(new AuthoriseNowAction(AuthorizationProcedure.FULLY_AUTOMATIC)), GBC.eol());
+            }
             add(new JButton(new AuthoriseNowAction(AuthorizationProcedure.SEMI_AUTOMATIC)), GBC.eol());
-            JButton authManually = new JButton(new AuthoriseNowAction(AuthorizationProcedure.MANUALLY));
-            add(authManually, GBC.eol());
-            ExpertToggleAction.addVisibilitySwitcher(authManually);
+            if (oAuthVersion == OAuthVersion.OAuth10a) {
+                JButton authManually = new JButton(new AuthoriseNowAction(AuthorizationProcedure.MANUALLY));
+                add(authManually, GBC.eol());
+                ExpertToggleAction.addVisibilitySwitcher(authManually);
+            }
 
             // filler - grab remaining space
             add(new JPanel(), GBC.std().fill(GBC.BOTH));
@@ -253 +279 @@
 
             // -- action buttons
             JPanel btns = new JPanel(new FlowLayout(FlowLayout.LEFT));
-            btns.add(new JButton(new RenewAuthorisationAction(AuthorizationProcedure.FULLY_AUTOMATIC)));
-            btns.add(new JButton(new TestAuthorisationAction()));
+            if (oAuthVersion == OAuthVersion.OAuth10a) {
+                // these want the OAuth 1.0 token information
+                btns.add(new JButton(new RenewAuthorisationAction(AuthorizationProcedure.FULLY_AUTOMATIC)));
+                btns.add(new JButton(new TestAuthorisationAction()));
+            }
+            btns.add(new JButton(new RemoveAuthorisationAction()));
             gc.gridy = 4;
             gc.gridx = 0;
             gc.gridwidth = 2;
@@ -277 +307 @@
         }
 
         protected final void refreshView() {
-            String v = OAuthAccessTokenHolder.getInstance().getAccessTokenKey();
-            tfAccessTokenKey.setText(v == null ? "" : v);
-            v = OAuthAccessTokenHolder.getInstance().getAccessTokenSecret();
-            tfAccessTokenSecret.setText(v == null ? "" : v);
+            switch (oAuthVersion) {
+                case OAuth10a:
+                    String v = OAuthAccessTokenHolder.getInstance().getAccessTokenKey();
+                    tfAccessTokenKey.setText(v == null ? "" : v);
+                    v = OAuthAccessTokenHolder.getInstance().getAccessTokenSecret();
+                    tfAccessTokenSecret.setText(v == null ? "" : v);
+                    tfAccessTokenSecret.setVisible(true);
+                    break;
+                case OAuth20:
+                case OAuth21:
+                    String token = "";
+                    if (apiUrl != null) {
+                        OAuth20Token bearerToken = (OAuth20Token) OAuthAccessTokenHolder.getInstance().getAccessToken(apiUrl, oAuthVersion);
+                        token = bearerToken == null ? "" : bearerToken.getBearerToken();
+                    }
+                    tfAccessTokenKey.setText(token == null ? "" : token);
+                    tfAccessTokenSecret.setVisible(false);
+            }
             cbSaveToPreferences.setSelected(OAuthAccessTokenHolder.getInstance().isSaveToPreferences());
         }
     }
@@ -295 +339 @@
             this.procedure = procedure;
             putValue(NAME, tr("{0} ({1})", tr("Authorize now"), procedure.getText()));
             putValue(SHORT_DESCRIPTION, procedure.getDescription());
-            if (procedure == AuthorizationProcedure.FULLY_AUTOMATIC) {
+            if (procedure == AuthorizationProcedure.FULLY_AUTOMATIC
+            || OAuthAuthenticationPreferencesPanel.this.oAuthVersion != OAuthVersion.OAuth10a) {
                 new ImageProvider("oauth", "oauth-small").getResource().attachImageIcon(this);
             }
         }
 
         @Override
         public void actionPerformed(ActionEvent arg0) {
-            OAuthAuthorizationWizard wizard = new OAuthAuthorizationWizard(
-                    OAuthAuthenticationPreferencesPanel.this,
-                    procedure,
-                    apiUrl,
-                    MainApplication.worker);
-            try {
-                wizard.showDialog();
-            } catch (UserCancelException ignore) {
-                Logging.trace(ignore);
-                return;
-            }
-            pnlAdvancedProperties.setAdvancedParameters(wizard.getOAuthParameters());
+            if (OAuthAuthenticationPreferencesPanel.this.oAuthVersion == OAuthVersion.OAuth10a) {
+                OAuthAuthorizationWizard wizard = new OAuthAuthorizationWizard(
+                        OAuthAuthenticationPreferencesPanel.this,
+                        procedure,
+                        apiUrl,
+                        MainApplication.worker);
+                try {
+                    wizard.showDialog();
+                } catch (UserCancelException ignore) {
+                    Logging.trace(ignore);
+                    return;
+                }
+                pnlAdvancedProperties.setAdvancedParameters(wizard.getOAuthParameters());
+                refreshView();
+            } else {
+                final boolean remoteControlIsRunning = Boolean.TRUE.equals(RemoteControl.PROP_REMOTECONTROL_ENABLED.get());
+                // TODO: Ask user if they want to start remote control?
+                if (!remoteControlIsRunning) {
+                    RemoteControl.start();
+                }
+                new OAuth20Authorization().authorize(OAuthParameters.createDefault(OsmApi.getOsmApi().getServerUrl(), oAuthVersion), token -> {
+                    if (!remoteControlIsRunning) {
+                        RemoteControl.stop();
+                    }
+                    // Clean up old token/password
+                    OAuthAccessTokenHolder.getInstance().setAccessToken(null);
+                    OAuthAccessTokenHolder.getInstance().setAccessToken(OsmApi.getOsmApi().getServerUrl(), token);
+                    OAuthAccessTokenHolder.getInstance().save(CredentialsManager.getInstance());
+                    GuiHelper.runInEDT(OAuthAuthenticationPreferencesPanel.this::refreshView);
+                }, OsmScopes.read_gpx, OsmScopes.write_gpx,
+                        OsmScopes.read_prefs, OsmScopes.write_prefs,
+                        OsmScopes.write_api, OsmScopes.write_notes);
+            }
+        }
+    }
+
+    /**
+     * Remove the OAuth authorization token
+     */
+    private class RemoveAuthorisationAction extends AbstractAction {
+        RemoveAuthorisationAction() {
+            putValue(NAME, tr("Remove token"));
+            putValue(SHORT_DESCRIPTION, tr("Remove token from JOSM. This does not revoke the token."));
+            new ImageProvider("cancel").getResource().attachImageIcon(this);
+        }
+
+        @Override
+        public void actionPerformed(ActionEvent e) {
+            if (oAuthVersion == OAuthVersion.OAuth10a) {
+                OAuthAccessTokenHolder.getInstance().setAccessToken(null);
+            } else {
+                OAuthAccessTokenHolder.getInstance().setAccessToken(apiUrl, (IOAuthToken) null);
+            }
+            OAuthAccessTokenHolder.getInstance().save(CredentialsManager.getInstance());
             refreshView();
         }
     }

src/org/openstreetmap/josm/io/auth/CredentialsAgent.java

@@ -5 +5 @@
 import java.net.Authenticator.RequestorType;
 import java.net.PasswordAuthentication;
 
+import javax.annotation.Nullable;
+
+import org.openstreetmap.josm.data.oauth.IOAuthToken;
 import org.openstreetmap.josm.data.oauth.OAuthToken;
 
 /**
@@ -64 +67 @@
      */
     OAuthToken lookupOAuthAccessToken() throws CredentialsAgentException;
 
+    /**
+     * Lookup the current OAuth Access Token to access the specified server. Replies null, if no
+     * Access Token is currently managed by this CredentialAgent.
+     *
+     * @param host The host to get OAuth credentials for
+     * @return the current OAuth Access Token to access the specified server.
+     * @throws CredentialsAgentException if something goes wrong
+     * @since xxx
+     */
+    @Nullable
+    IOAuthToken lookupOAuthAccessToken(String host) throws CredentialsAgentException;
+
     /**
      * Stores the OAuth Access Token <code>accessToken</code>.
      *
@@ -72 +87 @@
      */
     void storeOAuthAccessToken(OAuthToken accessToken) throws CredentialsAgentException;
 
+    /**
+     * Stores the OAuth Access Token <code>accessToken</code>.
+     *
+     * @param host The host the access token is for
+     * @param accessToken the access Token. null, to remove the Access Token. This will remove all IOAuthTokens <i>not</i> managed by
+     *                    {@link #storeOAuthAccessToken(OAuthToken)}.
+     * @throws CredentialsAgentException if something goes wrong
+     * @since xxx
+     */
+    void storeOAuthAccessToken(String host, IOAuthToken accessToken) throws CredentialsAgentException;
+
     /**
      * Purges the internal credentials cache for the given requestor type.
      * @param requestorType the type of service.

src/org/openstreetmap/josm/io/auth/CredentialsManager.java

@@ -7 +7 @@
 import java.util.Objects;
 
 import org.openstreetmap.josm.data.UserIdentityManager;
+import org.openstreetmap.josm.data.oauth.IOAuthToken;
 import org.openstreetmap.josm.data.oauth.OAuthToken;
 import org.openstreetmap.josm.io.OsmApi;
 import org.openstreetmap.josm.tools.CheckParameterUtil;
@@ -160 +161 @@
         return delegate.lookupOAuthAccessToken();
     }
 
+    @Override
+    public IOAuthToken lookupOAuthAccessToken(String host) throws CredentialsAgentException {
+        return delegate.lookupOAuthAccessToken(host);
+    }
+
     @Override
     public void storeOAuthAccessToken(OAuthToken accessToken) throws CredentialsAgentException {
         delegate.storeOAuthAccessToken(accessToken);
     }
 
+    @Override
+    public void storeOAuthAccessToken(String host, IOAuthToken accessToken) throws CredentialsAgentException {
+        delegate.storeOAuthAccessToken(host, accessToken);
+    }
+
     @Override
     public Component getPreferencesDecorationPanel() {
         return delegate.getPreferencesDecorationPanel();

src/org/openstreetmap/josm/io/auth/JosmPreferencesCredentialAgent.java

@@ -6 +6 @@
 import java.awt.Component;
 import java.net.Authenticator.RequestorType;
 import java.net.PasswordAuthentication;
+import java.util.HashSet;
 import java.util.Objects;
+import java.util.Set;
 
+import javax.json.JsonException;
 import javax.swing.text.html.HTMLEditorKit;
 
+import org.openstreetmap.josm.data.oauth.IOAuthToken;
+import org.openstreetmap.josm.data.oauth.OAuth20Exception;
+import org.openstreetmap.josm.data.oauth.OAuth20Parameters;
+import org.openstreetmap.josm.data.oauth.OAuth20Token;
 import org.openstreetmap.josm.data.oauth.OAuthToken;
+import org.openstreetmap.josm.data.oauth.OAuthVersion;
 import org.openstreetmap.josm.gui.widgets.HtmlPanel;
 import org.openstreetmap.josm.io.DefaultProxySelector;
 import org.openstreetmap.josm.io.OsmApi;
 import org.openstreetmap.josm.spi.preferences.Config;
+import org.openstreetmap.josm.tools.Utils;
 
 /**
  * This is the default credentials agent in JOSM. It keeps username and password for both
@@ -68 +77 @@
         case SERVER:
             if (Objects.equals(OsmApi.getOsmApi().getHost(), host)) {
                 Config.getPref().put("osm-server.username", credentials.getUserName());
-                if (credentials.getPassword() == null) {
+                if (credentials.getPassword().length == 0) { // PasswordAuthentication#getPassword cannot be null
                     Config.getPref().put("osm-server.password", null);
                 } else {
                     Config.getPref().put("osm-server.password", String.valueOf(credentials.getPassword()));
                 }
             } else if (host != null) {
                 Config.getPref().put("server.username."+host, credentials.getUserName());
-                if (credentials.getPassword() == null) {
+                if (credentials.getPassword().length == 0) {
                     Config.getPref().put("server.password."+host, null);
                 } else {
                     Config.getPref().put("server.password."+host, String.valueOf(credentials.getPassword()));
@@ -84 +93 @@
             break;
         case PROXY:
             Config.getPref().put(DefaultProxySelector.PROXY_USER, credentials.getUserName());
-            if (credentials.getPassword() == null) {
+            if (credentials.getPassword().length == 0) {
                 Config.getPref().put(DefaultProxySelector.PROXY_PASS, null);
             } else {
                 Config.getPref().put(DefaultProxySelector.PROXY_PASS, String.valueOf(credentials.getPassword()));
@@ -109 +118 @@
         return new OAuthToken(accessTokenKey, accessTokenSecret);
     }
 
+    @Override
+    public IOAuthToken lookupOAuthAccessToken(String host) throws CredentialsAgentException {
+        Set<String> keySet = new HashSet<>(Config.getPref().getKeySet());
+        keySet.addAll(Config.getPref().getSensitive()); // Just in case we decide to not return sensitive keys in getKeySet
+        for (OAuthVersion oauthType : OAuthVersion.values()) {
+            final String hostKey = "oauth.access-token.object." + oauthType + "." + host;
+            final String parametersKey = "oauth.access-token.parameters." + oauthType + "." + host;
+            if (!keySet.contains(hostKey) || !keySet.contains(parametersKey)) {
+                continue; // Avoid adding empty temporary entries to preferences
+            }
+            String token = Config.getPref().get(hostKey, null);
+            String parameters = Config.getPref().get(parametersKey, null);
+            if (!Utils.isBlank(token) && !Utils.isBlank(parameters) && OAuthVersion.OAuth20 == oauthType) {
+                try {
+                    OAuth20Parameters oAuth20Parameters = new OAuth20Parameters(parameters);
+                    return new OAuth20Token(oAuth20Parameters, token);
+                } catch (OAuth20Exception | JsonException e) {
+                    throw new CredentialsAgentException(e);
+                }
+            }
+        }
+        return null;
+    }
+
     /**
      * Stores the OAuth Access Token <code>accessToken</code>.
      *
@@ -126 +159 @@
         }
     }
 
+    @Override
+    public void storeOAuthAccessToken(String host, IOAuthToken accessToken) throws CredentialsAgentException {
+        Objects.requireNonNull(host, "host");
+        if (accessToken == null) {
+            Set<String> keySet = new HashSet<>(Config.getPref().getKeySet());
+            keySet.addAll(Config.getPref().getSensitive()); // Just in case we decide to not return sensitive keys in getKeySet
+            // Assume we want to remove all access tokens
+            for (OAuthVersion oauthType : OAuthVersion.values()) {
+                final String hostKey = "oauth.access-token.parameters." + oauthType + "." + host;
+                final String parametersKey = "oauth.access-token.parameters." + oauthType + "." + host;
+                if (keySet.contains(hostKey)) {
+                    Config.getPref().removeSensitive(hostKey);
+                }
+                if (keySet.contains(parametersKey)) {
+                    Config.getPref().removeSensitive(parametersKey);
+                }
+            }
+        } else {
+            final String hostKey = "oauth.access-token.object." + accessToken.getOAuthType() + "." + host;
+            final String parametersKey = "oauth.access-token.parameters." + accessToken.getOAuthType() + "." + host;
+            Config.getPref().put(hostKey, accessToken.toPreferencesString());
+            Config.getPref().put(parametersKey, accessToken.getParameters().toPreferencesString());
+            Config.getPref().addSensitive(this, hostKey);
+            Config.getPref().addSensitive(this, parametersKey);
+        }
+    }
+
     @Override
     public Component getPreferencesDecorationPanel() {
         HtmlPanel pnlMessage = new HtmlPanel();

new file src/org/openstreetmap/josm/io/remotecontrol/handler/AuthorizationHandler.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.io.remotecontrol.handler;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.stream.Collectors;
+
+import org.openstreetmap.josm.data.preferences.BooleanProperty;
+import org.openstreetmap.josm.io.remotecontrol.PermissionPrefWithDefault;
+
+/**
+ * Handle authorization requests (mostly OAuth)
+ * @since xxx
+ */
+public class AuthorizationHandler extends RequestHandler {
+
+    /**
+     * The actual authorization consumer/handler
+     */
+    public interface AuthorizationConsumer {
+        /**
+         * Validate the request
+         * @param args The GET request arguments
+         * @param request The request URL without "GET".
+         * @param sender who sent the request? the host from referer header or IP of request sender
+         * @throws RequestHandlerBadRequestException if the request is invalid
+         * @see RequestHandler#validateRequest()
+         */
+        void validateRequest(String sender, String request, Map<String, String> args)
+                throws RequestHandlerBadRequestException;
+
+        /**
+         * Handle the request. Any time-consuming operation must be performed asynchronously to avoid delaying the HTTP response.
+         * @param args The GET request arguments
+         * @param request The request URL without "GET".
+         * @param sender who sent the request? the host from referer header or IP of request sender
+         * @return The response to show the user. May be {@code null}.
+         * @throws RequestHandlerErrorException if an error occurs while processing the request
+         * @throws RequestHandlerBadRequestException if the request is invalid
+         * @see RequestHandler#handleRequest()
+         */
+        ResponseRecord handleRequest(String sender, String request, Map<String, String> args)
+                throws RequestHandlerErrorException, RequestHandlerBadRequestException;
+    }
+
+    /**
+     * A basic record for changing responses
+     */
+    public static final class ResponseRecord {
+        private final String content;
+        private final String type;
+
+        /**
+         * Create a new record
+         * @param content The content to show the user
+         * @param type The content mime type
+         */
+        public ResponseRecord(String content, String type) {
+            this.content = content;
+            this.type = type;
+        }
+
+        /**
+         * Get the content for the response
+         * @return The content as a string
+         */
+        public String content() {
+            return this.content;
+        }
+
+        /**
+         * Get the type for the response
+         * @return The response mime type
+         */
+        public String type() {
+            return this.type;
+        }
+    }
+
+    /**
+     * The remote control command
+     */
+    public static final String command = "oauth_authorization";
+
+    private static final BooleanProperty PROPERTY = new BooleanProperty("remotecontrol.permission.authorization", false);
+    private static final Map<String, AuthorizationConsumer> AUTHORIZATION_CONSUMERS = new HashMap<>();
+
+    private AuthorizationConsumer consumer;
+    /**
+     * Add an authorization consumer.
+     * @param state The unique state for each request (for OAuth, this would be the {@code state} parameter)
+     * @param consumer The consumer of the response
+     */
+    public static synchronized void addAuthorizationConsumer(String state, AuthorizationConsumer consumer) {
+        if (AUTHORIZATION_CONSUMERS.containsKey(state)) {
+            throw new IllegalArgumentException("Cannot add multiple consumers for one authorization state");
+        }
+        AUTHORIZATION_CONSUMERS.put(state, consumer);
+    }
+
+    @Override
+    protected void validateRequest() throws RequestHandlerBadRequestException {
+        boolean clearAll = false;
+        for (Map.Entry<String, AuthorizationConsumer> entry : AUTHORIZATION_CONSUMERS.entrySet()) {
+            if (Objects.equals(this.args.get("state"), entry.getKey())) {
+                if (this.consumer == null) {
+                    this.consumer = entry.getValue();
+                } else {
+                    // Remove all authorization consumers. Someone might be playing games.
+                    clearAll = true;
+                }
+            }
+        }
+        if (clearAll) {
+            AUTHORIZATION_CONSUMERS.clear();
+            this.consumer = null;
+            throw new RequestHandlerBadRequestException("Multiple states for authorization");
+        }
+
+        if (this.consumer == null) {
+            throw new RequestHandlerBadRequestException("Unknown state for authorization");
+        }
+        this.consumer.validateRequest(this.sender, this.request, this.args);
+    }
+
+    @Override
+    protected void handleRequest() throws RequestHandlerErrorException, RequestHandlerBadRequestException {
+        ResponseRecord response = this.consumer.handleRequest(this.sender, this.request, this.args);
+        if (response != null) {
+            this.content = Optional.ofNullable(response.content()).orElse(this.content);
+            this.contentType = Optional.ofNullable(response.type()).orElse(this.contentType);
+        }
+        // Only ever allow a consumer to be used once
+        AUTHORIZATION_CONSUMERS.entrySet().stream().filter(entry -> Objects.equals(this.consumer, entry.getValue()))
+                .map(Map.Entry::getKey).collect(Collectors.toList()).forEach(AUTHORIZATION_CONSUMERS::remove);
+        this.consumer = null;
+    }
+
+    @Override
+    public String getPermissionMessage() {
+        return "Allow OAuth remote control to set credentials";
+    }
+
+    @Override
+    public PermissionPrefWithDefault getPermissionPref() {
+        return null;
+    }
+
+    public BooleanProperty getPermissionPreference() {
+        return PROPERTY;
+    }
+
+    @Override
+    public String[] getMandatoryParams() {
+        return new String[] {"code", "state"};
+    }
+}

src/org/openstreetmap/josm/io/remotecontrol/RequestProcessor.java

@@ -30 +30 @@
 import org.openstreetmap.josm.gui.help.HelpUtil;
 import org.openstreetmap.josm.io.remotecontrol.handler.AddNodeHandler;
 import org.openstreetmap.josm.io.remotecontrol.handler.AddWayHandler;
+import org.openstreetmap.josm.io.remotecontrol.handler.AuthorizationHandler;
 import org.openstreetmap.josm.io.remotecontrol.handler.FeaturesHandler;
 import org.openstreetmap.josm.io.remotecontrol.handler.ImageryHandler;
 import org.openstreetmap.josm.io.remotecontrol.handler.ImportHandler;
@@ -171 +172 @@
             addRequestHandlerClass(VersionHandler.command, VersionHandler.class, true);
             addRequestHandlerClass(FeaturesHandler.command, FeaturesHandler.class, true);
             addRequestHandlerClass(OpenApiHandler.command, OpenApiHandler.class, true);
+            addRequestHandlerClass(AuthorizationHandler.command, AuthorizationHandler.class, true);
         }
     }
 

src/org/openstreetmap/josm/io/MessageNotifier.java

@@ -10 +10 @@
 import java.util.concurrent.TimeUnit;
 
 import org.openstreetmap.josm.data.UserIdentityManager;
+import org.openstreetmap.josm.data.oauth.OAuthVersion;
 import org.openstreetmap.josm.data.osm.UserInfo;
 import org.openstreetmap.josm.data.preferences.BooleanProperty;
 import org.openstreetmap.josm.data.preferences.IntegerProperty;
@@ -143 +144 @@
             CredentialsManager credManager = CredentialsManager.getInstance();
             try {
                 if (JosmPreferencesCredentialAgent.class.equals(credManager.getCredentialsAgentClass())) {
-                    if (OsmApi.isUsingOAuth()) {
+                    if (OsmApi.isUsingOAuth(OAuthVersion.OAuth10a)) {
                         return credManager.lookupOAuthAccessToken() != null;
+                    } else if (OsmApi.isUsingOAuth(OAuthVersion.OAuth20) || OsmApi.isUsingOAuth(OAuthVersion.OAuth21)) {
+                        return credManager.lookupOAuthAccessToken(OsmApi.getOsmApi().getHost()) != null;
+                    } else if (OsmApi.isUsingOAuth()) {
+                        // Ensure we do not forget to update this section
+                        throw new IllegalStateException("Unknown oauth version: " + OsmApi.getAuthMethod());
                     } else {
                         String username = Config.getPref().get("osm-server.username", null);
                         String password = Config.getPref().get("osm-server.password", null);

src/org/openstreetmap/josm/io/OsmApi.java

@@ -29 +29 @@
 
 import org.openstreetmap.josm.data.coor.LatLon;
 import org.openstreetmap.josm.data.notes.Note;
+import org.openstreetmap.josm.data.oauth.OAuthAccessTokenHolder;
+import org.openstreetmap.josm.data.oauth.OAuthVersion;
 import org.openstreetmap.josm.data.osm.Changeset;
 import org.openstreetmap.josm.data.osm.IPrimitive;
 import org.openstreetmap.josm.data.osm.OsmPrimitive;
@@ -37 +39 @@
 import org.openstreetmap.josm.gui.progress.NullProgressMonitor;
 import org.openstreetmap.josm.gui.progress.ProgressMonitor;
 import org.openstreetmap.josm.io.Capabilities.CapabilitiesParser;
+import org.openstreetmap.josm.io.auth.CredentialsAgentException;
 import org.openstreetmap.josm.io.auth.CredentialsManager;
 import org.openstreetmap.josm.spi.preferences.Config;
 import org.openstreetmap.josm.tools.CheckParameterUtil;
@@ -645 +648 @@
      * @since 6349
      */
     public static boolean isUsingOAuth() {
-        return "oauth".equals(getAuthMethod());
+        return isUsingOAuth(OAuthVersion.OAuth10a)
+                || isUsingOAuth(OAuthVersion.OAuth20)
+                || isUsingOAuth(OAuthVersion.OAuth21);
+    }
+
+    /**
+     * Determines if JOSM is configured to access OSM API via OAuth
+     * @param version The OAuth version
+     * @return {@code true} if JOSM is configured to access OSM API via OAuth, {@code false} otherwise
+     * @since xxx
+     */
+    public static boolean isUsingOAuth(OAuthVersion version) {
+        if (version == OAuthVersion.OAuth10a) {
+            return "oauth".equalsIgnoreCase(getAuthMethod());
+        } else if (version == OAuthVersion.OAuth20 || version == OAuthVersion.OAuth21) {
+            return "oauth20".equalsIgnoreCase(getAuthMethod());
+        }
+        return false;
+    }
+
+    /**
+     * Ensure that OAuth is set up
+     * @param api The api for which we need OAuth keys
+     * @return {@code true} if we are using OAuth and there are keys for the specified API
+     */
+    public static boolean isUsingOAuthAndOAuthSetUp(OsmApi api) {
+        if (OsmApi.isUsingOAuth()) {
+            if (OsmApi.isUsingOAuth(OAuthVersion.OAuth10a)) {
+                return OAuthAccessTokenHolder.getInstance().containsAccessToken();
+            }
+            if (OsmApi.isUsingOAuth(OAuthVersion.OAuth20)) {
+                return OAuthAccessTokenHolder.getInstance().getAccessToken(api.getBaseUrl(), OAuthVersion.OAuth20) != null;
+            }
+            if (OsmApi.isUsingOAuth(OAuthVersion.OAuth21)) {
+                return OAuthAccessTokenHolder.getInstance().getAccessToken(api.getBaseUrl(), OAuthVersion.OAuth21) != null;
+            }
+        }
+        return false;
     }
 
     /**
@@ -653 +693 @@
      * @return the authentication method
      */
     public static String getAuthMethod() {
-        return Config.getPref().get("osm-server.auth-method", "oauth");
+        return Config.getPref().get("osm-server.auth-method", "oauth"); // fixme switch to oauth20 by default
     }
 
     protected final String sendPostRequest(String urlSuffix, String requestBody, ProgressMonitor monitor) throws OsmTransferException {

src/org/openstreetmap/josm/io/OsmConnection.java

@@ -10 +10 @@
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.Objects;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.function.Consumer;
 
+import javax.swing.JOptionPane;
+
+import org.openstreetmap.josm.data.oauth.IOAuthParameters;
+import org.openstreetmap.josm.data.oauth.IOAuthToken;
+import org.openstreetmap.josm.data.oauth.OAuth20Authorization;
 import org.openstreetmap.josm.data.oauth.OAuthAccessTokenHolder;
 import org.openstreetmap.josm.data.oauth.OAuthParameters;
+import org.openstreetmap.josm.data.oauth.OAuthVersion;
+import org.openstreetmap.josm.data.oauth.osm.OsmScopes;
+import org.openstreetmap.josm.gui.ConditionalOptionPaneUtil;
+import org.openstreetmap.josm.gui.MainApplication;
+import org.openstreetmap.josm.gui.util.GuiHelper;
 import org.openstreetmap.josm.io.auth.CredentialsAgentException;
 import org.openstreetmap.josm.io.auth.CredentialsAgentResponse;
 import org.openstreetmap.josm.io.auth.CredentialsManager;
+import org.openstreetmap.josm.io.remotecontrol.RemoteControl;
 import org.openstreetmap.josm.tools.HttpClient;
 import org.openstreetmap.josm.tools.JosmRuntimeException;
 import org.openstreetmap.josm.tools.Logging;
@@ -36 +50 @@
     protected boolean cancel;
     protected HttpClient activeConnection;
     protected OAuthParameters oauthParameters;
+    protected IOAuthParameters oAuth20Parameters;
 
     /**
      * Retrieves OAuth access token.
@@ -171 +186 @@
             fetcher.obtainAccessToken(apiUrl);
             OAuthAccessTokenHolder.getInstance().setSaveToPreferences(true);
             OAuthAccessTokenHolder.getInstance().save(CredentialsManager.getInstance());
-        } catch (MalformedURLException | InterruptedException | InvocationTargetException e) {
+        } catch (MalformedURLException | InvocationTargetException e) {
             throw new MissingOAuthAccessTokenException(e);
+        } catch (InterruptedException e) {
+            Thread.currentThread().interrupt();
+            throw new MissingOAuthAccessTokenException(e);
+        }
+    }
+
+    /**
+     * Obtains an OAuth access token for the connection.
+     * Afterwards, the token is accessible via {@link OAuthAccessTokenHolder} / {@link CredentialsManager}.
+     * @throws MissingOAuthAccessTokenException if the process cannot be completed successfully
+     */
+    private void obtainOAuth20Token() throws MissingOAuthAccessTokenException {
+        if (!Boolean.TRUE.equals(GuiHelper.runInEDTAndWaitAndReturn(() ->
+                ConditionalOptionPaneUtil.showConfirmationDialog("oauth.oauth20.obtain.automatically",
+                    MainApplication.getMainFrame(),
+                    tr("Obtain OAuth 2.0 token for authentication?"),
+                    tr("Obtain authentication to OSM servers"),
+                    JOptionPane.YES_NO_CANCEL_OPTION,
+                    JOptionPane.QUESTION_MESSAGE, JOptionPane.YES_OPTION)))) {
+            return; // User doesn't want to perform auth
+        }
+        final boolean remoteControlIsRunning = Boolean.TRUE.equals(RemoteControl.PROP_REMOTECONTROL_ENABLED.get());
+        if (!remoteControlIsRunning) {
+            RemoteControl.start();
+        }
+        AtomicBoolean done = new AtomicBoolean();
+        Consumer<IOAuthToken> consumer = authToken -> {
+                    if (!remoteControlIsRunning) {
+                        RemoteControl.stop();
+                    }
+                    // Clean up old token/password
+                    OAuthAccessTokenHolder.getInstance().setAccessToken(null);
+                    OAuthAccessTokenHolder.getInstance().setAccessToken(OsmApi.getOsmApi().getServerUrl(), authToken);
+                    OAuthAccessTokenHolder.getInstance().save(CredentialsManager.getInstance());
+                    synchronized (done) {
+                        done.set(true);
+                        done.notifyAll();
+                    }
+                };
+        new OAuth20Authorization().authorize(oAuth20Parameters,
+                consumer, OsmScopes.read_gpx, OsmScopes.write_gpx,
+                OsmScopes.read_prefs, OsmScopes.write_prefs,
+                OsmScopes.write_api, OsmScopes.write_notes);
+        synchronized (done) {
+            // Only wait at most 5 minutes
+            int counter = 0;
+            while (!done.get() && counter < 5) {
+                try {
+                    done.wait(TimeUnit.MINUTES.toMillis(1));
+                } catch (InterruptedException e) {
+                    Thread.currentThread().interrupt();
+                    Logging.trace(e);
+                    consumer.accept(null);
+                    throw new MissingOAuthAccessTokenException(e);
+                }
+                counter++;
+            }
         }
     }
+
+    /**
+     * Signs the connection with an OAuth authentication header
+     *
+     * @param connection the connection
+     *
+     * @throws MissingOAuthAccessTokenException if there is currently no OAuth Access Token configured
+     * @throws OsmTransferException if signing fails
+     */
+    protected void addOAuth20AuthorizationHeader(HttpClient connection) throws OsmTransferException {
+        if (this.oAuth20Parameters == null) {
+            this.oAuth20Parameters = OAuthParameters.createFromApiUrl(connection.getURL().getHost(), OAuthVersion.OAuth20);
+        }
+        OAuthAccessTokenHolder holder = OAuthAccessTokenHolder.getInstance();
+        IOAuthToken token = holder.getAccessToken(connection.getURL().toExternalForm(), OAuthVersion.OAuth20);
+        if (token == null) {
+            obtainOAuth20Token();
+            token = holder.getAccessToken(connection.getURL().toExternalForm(), OAuthVersion.OAuth20);
+        }
+        if (token == null) { // check if wizard completed
+            throw new MissingOAuthAccessTokenException();
+        }
+        try {
+            token.sign(connection);
+        } catch (org.openstreetmap.josm.data.oauth.OAuthException e) {
+            throw new OsmTransferException(tr("Failed to sign a HTTP connection with an OAuth Authentication header"), e);
+        }
+    }
 
     protected void addAuth(HttpClient connection) throws OsmTransferException {
         final String authMethod = OsmApi.getAuthMethod();
-        if ("basic".equals(authMethod)) {
-            addBasicAuthorizationHeader(connection);
-        } else if ("oauth".equals(authMethod)) {
-            addOAuthAuthorizationHeader(connection);
-        } else {
-            String msg = tr("Unexpected value for preference ''{0}''. Got ''{1}''.", "osm-server.auth-method", authMethod);
-            Logging.warn(msg);
-            throw new OsmTransferException(msg);
+        switch (authMethod) {
+            case "basic":
+                addBasicAuthorizationHeader(connection);
+                return;
+            case "oauth":
+                addOAuthAuthorizationHeader(connection);
+                return;
+            case "oauth20":
+                addOAuth20AuthorizationHeader(connection);
+                return;
+            default:
+                String msg = tr("Unexpected value for preference ''{0}''. Got ''{1}''.", "osm-server.auth-method", authMethod);
+                Logging.warn(msg);
+                throw new OsmTransferException(msg);
         }
     }
 

src/org/openstreetmap/josm/io/OsmServerReader.java

@@ -10 +10 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.List;
+import java.util.Objects;
 
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.openstreetmap.josm.data.gpx.GpxData;
 import org.openstreetmap.josm.data.notes.Note;
+import org.openstreetmap.josm.data.oauth.OAuthVersion;
 import org.openstreetmap.josm.data.osm.DataSet;
 import org.openstreetmap.josm.gui.progress.ProgressMonitor;
 import org.openstreetmap.josm.io.auth.CredentialsAgentException;
@@ -38 +40 @@
  * @author imi
  */
 public abstract class OsmServerReader extends OsmConnection {
-    private final OsmApi api = OsmApi.getOsmApi();
+    private final OsmApi api;
     private boolean doAuthenticate;
     protected boolean gpxParsedProperly;
     protected String contentType;
@@ -47 +49 @@
      * Constructs a new {@code OsmServerReader}.
      */
     protected OsmServerReader() {
-        try {
-            doAuthenticate = OsmApi.isUsingOAuth()
-                    && CredentialsManager.getInstance().lookupOAuthAccessToken() != null
-                    && OsmApi.USE_OAUTH_FOR_ALL_REQUESTS.get();
-        } catch (CredentialsAgentException e) {
-            Logging.warn(e);
-        }
+        this(OsmApi.getOsmApi());
+    }
+
+    /**
+     * Constructs a new {@code OsmServerReader}.
+     * @param osmApi The API to use for this call
+     * @since xxx
+     */
+    protected OsmServerReader(OsmApi osmApi) {
+        this.api = osmApi;
+        this.doAuthenticate = OsmApi.isUsingOAuthAndOAuthSetUp(osmApi) && OsmApi.USE_OAUTH_FOR_ALL_REQUESTS.get();
     }
 
     /**
@@ -184 +190 @@
                     .setRequestBody(requestBody);
             activeConnection = client;
             adaptRequest(client);
-            if (doAuthenticate) {
+            if (doAuthenticate && Objects.equals(this.api.getHost(), client.getURL().getHost())) {
                 addAuth(client);
             }
             if (cancel)

src/org/openstreetmap/josm/spi/preferences/AbstractPreferences.java

@@ -1 +1 @@
 // License: GPL. For details, see LICENSE file.
 package org.openstreetmap.josm.spi.preferences;
 
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Set;
 import java.util.TreeMap;
 import java.util.stream.Collectors;
 
+import org.openstreetmap.josm.io.DefaultProxySelector;
+import org.openstreetmap.josm.io.auth.CredentialsAgent;
+import org.openstreetmap.josm.io.auth.CredentialsManager;
 import org.openstreetmap.josm.tools.Logging;
 import org.openstreetmap.josm.tools.Utils;
 
@@ -16 +24 @@
  * @since 12847
  */
 public abstract class AbstractPreferences implements IPreferences {
+    /** The preference key for sensitive keys */
+    private static final String KEY_SENSITIVE_KEYS = "sensitive.keys";
+
+    /** A set of sensitive keys that should not be seen/distributed outside of specific callers (like a {@link CredentialsAgent}) */
+    private static final Set<String> SENSITIVE_KEYS = new HashSet<>();
 
     @Override
     public synchronized String get(final String key, final String def) {
@@ -175 +188 @@
                 .map(Entry::getKey)
                 .collect(Collectors.toCollection(LinkedList::new));
     }
+
+    @Override
+    public void addSensitive(CredentialsAgent caller, String key) {
+        if (SENSITIVE_KEYS.isEmpty()) {
+            populateSensitiveKeys();
+        }
+        if (CredentialsManager.getInstance().getCredentialsAgentClass().equals(caller.getClass())) {
+            SENSITIVE_KEYS.add(key);
+            putList("sensitive.keys", SENSITIVE_KEYS.stream().sorted().collect(Collectors.toList()));
+        }
+    }
+
+    @Override
+    public Collection<String> getSensitive() {
+        if (SENSITIVE_KEYS.isEmpty()) {
+            populateSensitiveKeys();
+        }
+        return Collections.unmodifiableSet(SENSITIVE_KEYS);
+    }
+
+    @Override
+    public void removeSensitive(String key) {
+        if (KEY_SENSITIVE_KEYS.equals(key)) {
+            throw new IllegalArgumentException(KEY_SENSITIVE_KEYS + " cannot be removed from the sensitive key list.");
+        }
+        // Reset the key first -- avoid race conditions where a sensitive value might be visible if we start restricting access in the future.
+        put(key, null);
+        SENSITIVE_KEYS.remove(key);
+        putList(KEY_SENSITIVE_KEYS, SENSITIVE_KEYS.stream().sorted().collect(Collectors.toList()));
+    }
+
+    /**
+     * Populate the sensitive key set from preferences
+     */
+    private void populateSensitiveKeys() {
+        SENSITIVE_KEYS.addAll(getList(KEY_SENSITIVE_KEYS, Arrays.asList("sensitive.keys", "osm-server.username", "osm-server.password",
+                DefaultProxySelector.PROXY_USER, DefaultProxySelector.PROXY_PASS,
+                "oauth.access-token.key", "oauth.access-token.secret")));
+    }
 }

src/org/openstreetmap/josm/spi/preferences/IPreferences.java

@@ -1 +1 @@
 // License: GPL. For details, see LICENSE file.
 package org.openstreetmap.josm.spi.preferences;
 
+import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import org.openstreetmap.josm.io.auth.CredentialsAgent;
+
 /**
  * Interface for preference handling.
  *
@@ -239 +242 @@
      * @return the set of all keys
      */
     Set<String> getKeySet();
+
+    /**
+     * Add sensitive keys
+     * @param caller The calling agent
+     * @param key The key that may contain sensitive information
+     * @since xxx
+     */
+    void addSensitive(CredentialsAgent caller, String key);
+
+    /**
+     * Get sensitive keys
+     * @return The sensitive keys
+     * @since xxx
+     */
+    Collection<String> getSensitive();
+
+    /**
+     * Remove sensitive keys. This removes the key from the sensitive list <i>and</i>
+     * removes the stored preference value.
+     * @param key The key to remove
+     * @since xxx
+     */
+    void removeSensitive(String key);
 }

new file test/unit/org/openstreetmap/josm/data/oauth/OAuth20AuthorizationTest.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.data.oauth;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import com.github.tomakehurst.wiremock.client.WireMock;
+import com.github.tomakehurst.wiremock.common.FileSource;
+import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
+import com.github.tomakehurst.wiremock.extension.Parameters;
+import com.github.tomakehurst.wiremock.extension.ResponseTransformer;
+import com.github.tomakehurst.wiremock.http.HttpHeader;
+import com.github.tomakehurst.wiremock.http.HttpHeaders;
+import com.github.tomakehurst.wiremock.http.QueryParameter;
+import com.github.tomakehurst.wiremock.http.Request;
+import com.github.tomakehurst.wiremock.http.Response;
+import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
+import com.github.tomakehurst.wiremock.junit5.WireMockRuntimeInfo;
+import com.github.tomakehurst.wiremock.matching.AnythingPattern;
+import com.github.tomakehurst.wiremock.matching.EqualToPattern;
+import com.github.tomakehurst.wiremock.matching.StringValuePattern;
+import mockit.Mock;
+import mockit.MockUp;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+import org.openstreetmap.josm.data.oauth.osm.OsmScopes;
+import org.openstreetmap.josm.data.preferences.JosmUrls;
+import org.openstreetmap.josm.io.OsmApi;
+import org.openstreetmap.josm.io.remotecontrol.RemoteControl;
+import org.openstreetmap.josm.spi.preferences.Config;
+import org.openstreetmap.josm.testutils.annotations.BasicPreferences;
+import org.openstreetmap.josm.testutils.annotations.HTTP;
+import org.openstreetmap.josm.testutils.mockers.OpenBrowserMocker;
+import org.openstreetmap.josm.tools.HttpClient;
+import org.openstreetmap.josm.tools.Logging;
+
+@BasicPreferences
+@HTTP
+class OAuth20AuthorizationTest {
+    private static final String RESPONSE_TYPE = "response_type";
+    private static final String RESPONSE_TYPE_VALUE = "code";
+    private static final String CLIENT_ID = "client_id";
+    private static final String CLIENT_ID_VALUE = "edPII614Lm0_0zEpc_QzEltA9BUll93-Y-ugRQUoHMI";
+    private static final String REDIRECT_URI = "redirect_uri";
+    private static final String REDIRECT_URI_VALUE = "http://127.0.0.1:8111/oauth_authorization";
+    private static final String SCOPE = "scope";
+    private static final String STATE = "state";
+    private static final String CODE_CHALLENGE_METHOD = "code_challenge_method";
+    private static final String CODE_CHALLENGE_METHOD_VALUE = "S256";
+    private static final String CODE_CHALLENGE = "code_challenge";
+
+    private static class OAuthServerWireMock extends ResponseTransformer {
+        String stateToReturn;
+        @Override
+        public Response transform(Request request, Response response, FileSource files, Parameters parameters) {
+            try {
+                if (request.getUrl().startsWith("/oauth2/authorize")) {
+                    return authorizationRequest(request, response);
+                } else if (request.getUrl().startsWith("/oauth2/token")) {
+                    return tokenRequest(request, response);
+                }
+                return response;
+            } catch (Exception e) {
+                // Make certain we actually see the exception in logs -- WireMock returns the error, but then our code needs to print it
+                Logging.error(e);
+                throw e;
+            }
+        }
+
+        private Response tokenRequest(Request request, Response response) {
+            Map<String, String> queryParameters = Stream.of(request.getBodyAsString().split("&", -1))
+                    .map(string -> string.split("=", -1))
+                    .collect(Collectors.toMap(strings -> strings[0], strings -> strings[1]));
+            if (!queryParameters.containsKey("grant_type")
+                    || !queryParameters.containsKey(REDIRECT_URI) || !queryParameters.containsKey(CLIENT_ID)
+                    || !queryParameters.containsKey("code") || !queryParameters.containsKey("code_verifier")) {
+                return Response.Builder.like(response).but().status(500).build();
+            }
+            return Response.Builder.like(response).but().body("{\"token_type\": \"bearer\", \"access_token\": \"test_access_token\"}").build();
+        }
+
+        private Response authorizationRequest(Request request, Response response) {
+            final QueryParameter state = request.queryParameter(STATE);
+            final QueryParameter codeChallenge = request.queryParameter(CODE_CHALLENGE);
+            final QueryParameter redirectUri = request.queryParameter(REDIRECT_URI);
+            final QueryParameter responseType = request.queryParameter(RESPONSE_TYPE);
+            final QueryParameter scope = request.queryParameter(SCOPE);
+            final QueryParameter clientId = request.queryParameter(CLIENT_ID);
+            final QueryParameter codeChallengeMethod = request.queryParameter(CODE_CHALLENGE_METHOD);
+            final boolean badRequest = !(state.isPresent() && state.isSingleValued());
+            if (badRequest || checkQueryParameter(redirectUri, REDIRECT_URI_VALUE) || checkQueryParameter(responseType, RESPONSE_TYPE_VALUE)
+                    || checkQueryParameter(clientId, CLIENT_ID_VALUE) || checkQueryParameter(codeChallengeMethod, CODE_CHALLENGE_METHOD_VALUE)
+                    || checkQueryParameter(scope, "read_gpx")
+                    || !codeChallenge.isPresent()) {
+                return Response.Builder.like(response).but().status(500).build();
+            }
+            return Response.Builder.like(response).but().status(307)
+                    .headers(new HttpHeaders(new HttpHeader("Location",
+                            redirectUri.values().get(0)
+                                    + "?state=" + (this.stateToReturn != null ? stateToReturn : state.firstValue())
+                                    + "&code=test_code"))).build();
+        }
+
+        private static boolean checkQueryParameter(QueryParameter parameter, String expected) {
+            return !parameter.isPresent() || !parameter.isSingleValued() || !parameter.containsValue(expected);
+        }
+
+        @Override
+        public String getName() {
+            return "OAuthServerWireMock";
+        }
+    }
+
+    private static final OAuthServerWireMock oauthServer = new OAuthServerWireMock();
+    @RegisterExtension
+    static WireMockExtension wml = WireMockExtension.newInstance()
+            .options(WireMockConfiguration.wireMockConfig().dynamicPort().dynamicHttpsPort().extensions(oauthServer))
+            .build();
+    @BeforeEach
+    @AfterEach
+    void setup() {
+        // Reset the mocker
+        OpenBrowserMocker.getCalledURIs().clear();
+        RemoteControl.stop(); // Ensure remote control is stopped
+        oauthServer.stateToReturn = null;
+    }
+
+    /**
+     * Set up the default wiremock information
+     * @param wireMockRuntimeInfo The info to set up
+     */
+    @BeforeEach
+    void setupWireMock(WireMockRuntimeInfo wireMockRuntimeInfo) {
+        Config.getPref().put("osm-server.url", wireMockRuntimeInfo.getHttpBaseUrl() + "/api/");
+        new MockUp<JosmUrls>() {
+            @Mock
+            public String getDefaultOsmApiUrl() {
+                return wireMockRuntimeInfo.getHttpBaseUrl() + "/api/";
+            }
+        };
+        new OpenBrowserMocker();
+        final Map<String, StringValuePattern> queryParams = new HashMap<>();
+        queryParams.put(RESPONSE_TYPE, new EqualToPattern(RESPONSE_TYPE_VALUE));
+        queryParams.put(CLIENT_ID, new EqualToPattern(CLIENT_ID_VALUE));
+        queryParams.put(REDIRECT_URI, new EqualToPattern(REDIRECT_URI_VALUE));
+        queryParams.put(SCOPE, new EqualToPattern("read_gpx"));
+        queryParams.put(STATE, new AnythingPattern()); // This is generated via a random UUID, and we have to return this in the redirect
+        queryParams.put(CODE_CHALLENGE_METHOD, new EqualToPattern(CODE_CHALLENGE_METHOD_VALUE));
+        queryParams.put(CODE_CHALLENGE, new AnythingPattern()); // This is generated via a random UUID
+        wireMockRuntimeInfo.getWireMock().register(WireMock.get(WireMock.urlPathEqualTo("/oauth2/authorize")).withQueryParams(queryParams));
+        wireMockRuntimeInfo.getWireMock().register(WireMock.post(WireMock.urlPathEqualTo("/oauth2/token")));
+    }
+
+    @Test
+    void testAuthorize(WireMockRuntimeInfo wireMockRuntimeInfo) throws IOException {
+        final OAuth20Authorization authorization = new OAuth20Authorization();
+        final AtomicReference<IOAuthToken> consumer = new AtomicReference<>();
+        OAuth20Parameters parameters = (OAuth20Parameters) OAuthParameters.createDefault(OsmApi.getOsmApi().getBaseUrl(), OAuthVersion.OAuth20);
+        RemoteControl.start();
+        authorization.authorize(new OAuth20Parameters(parameters.getClientId(), parameters.getClientSecret(),
+                wireMockRuntimeInfo.getHttpBaseUrl() + "/oauth2", wireMockRuntimeInfo.getHttpBaseUrl() + "/api",
+                parameters.getRedirectUri()), consumer::set, OsmScopes.read_gpx);
+        assertEquals(1, OpenBrowserMocker.getCalledURIs().size());
+        HttpClient client = HttpClient.create(OpenBrowserMocker.getCalledURIs().get(0).toURL());
+        try {
+            HttpClient.Response response = client.connect();
+            assertEquals(200, response.getResponseCode());
+        } finally {
+            client.disconnect();
+        }
+        assertNotNull(consumer.get());
+        assertEquals(OAuthVersion.OAuth20, consumer.get().getOAuthType());
+        OAuth20Token token = (OAuth20Token) consumer.get();
+        assertEquals("test_access_token", token.getBearerToken());
+    }
+
+    @Test
+    void testAuthorizeBadState(WireMockRuntimeInfo wireMockRuntimeInfo) throws IOException {
+        oauthServer.stateToReturn = "Bad_State";
+        final OAuth20Authorization authorization = new OAuth20Authorization();
+        final AtomicReference<IOAuthToken> consumer = new AtomicReference<>();
+        OAuth20Parameters parameters = (OAuth20Parameters) OAuthParameters.createDefault(OsmApi.getOsmApi().getBaseUrl(), OAuthVersion.OAuth20);
+        RemoteControl.start();
+        authorization.authorize(new OAuth20Parameters(parameters.getClientId(), parameters.getClientSecret(),
+                wireMockRuntimeInfo.getHttpBaseUrl() + "/oauth2", wireMockRuntimeInfo.getHttpBaseUrl() + "/api",
+                parameters.getRedirectUri()), consumer::set, OsmScopes.read_gpx);
+        assertEquals(1, OpenBrowserMocker.getCalledURIs().size());
+        HttpClient client = HttpClient.create(OpenBrowserMocker.getCalledURIs().get(0).toURL());
+        try {
+            HttpClient.Response response = client.connect();
+            assertEquals(400, response.getResponseCode());
+            String content = response.fetchContent();
+            assertTrue(content.contains("Unknown state for authorization"));
+        } finally {
+            client.disconnect();
+        }
+        assertNull(consumer.get());
+    }
+}

new file test/unit/org/openstreetmap/josm/io/auth/CredentialsAgentTest.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.io.auth;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
+import java.net.Authenticator;
+import java.net.PasswordAuthentication;
+import java.util.Arrays;
+import java.util.List;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+import org.openstreetmap.josm.data.oauth.OAuth20Exception;
+import org.openstreetmap.josm.data.oauth.OAuth20Parameters;
+import org.openstreetmap.josm.data.oauth.OAuth20Token;
+import org.openstreetmap.josm.data.oauth.OAuthToken;
+import org.openstreetmap.josm.io.OsmApi;
+import org.openstreetmap.josm.testutils.annotations.BasicPreferences;
+
+/**
+ * Test interface for {@link CredentialsAgent} implementations.
+ */
+@BasicPreferences
+public interface CredentialsAgentTest<T extends CredentialsAgent> {
+    /**
+     * Create the agent to test
+     * @return The agent to test
+     */
+    T createAgent();
+
+    static List<String> getHosts() {
+        return Arrays.asList("https://somewhere.random", OsmApi.getOsmApi().getHost());
+    }
+
+    @ParameterizedTest
+    @MethodSource("getHosts")
+    @BasicPreferences // We need to reset preferences between runs
+    default void testLookUpAndStorePasswordAuthentication(final String host) throws CredentialsAgentException {
+        final T agent = createAgent();
+        for (Authenticator.RequestorType type : Authenticator.RequestorType.values()) {
+            PasswordAuthentication passwordAuthentication = agent.lookup(type, host);
+            assertNull(passwordAuthentication, "Password authentication should not be set up yet");
+            PasswordAuthentication toStore = new PasswordAuthentication("hunter", "password".toCharArray());
+            agent.store(type, host, toStore);
+            passwordAuthentication = agent.lookup(type, host);
+            assertNotNull(passwordAuthentication);
+            // We can't just use equals, since PasswordAuthentication does not override the default equals method
+            assertEquals(toStore.getUserName(), passwordAuthentication.getUserName());
+            assertArrayEquals(toStore.getPassword(), passwordAuthentication.getPassword());
+            // This is what sets the Config values. Note that PasswordAuthentication cannot take a null password.
+            agent.store(type, host, new PasswordAuthentication("hunter", new char[0]));
+            // Now we need to purge the cache
+            agent.purgeCredentialsCache(type);
+            passwordAuthentication = agent.lookup(type, host);
+            assertEquals(toStore.getUserName(), passwordAuthentication.getUserName());
+            assertArrayEquals(new char[0], passwordAuthentication.getPassword());
+            // We don't currently have a way to fully remove credentials, but that ought to be tested here.
+        }
+    }
+
+    @Test
+    default void testLookUpAndStorePasswordAuthenticationNull() throws CredentialsAgentException {
+        final T agent = createAgent();
+        assertDoesNotThrow(() -> agent.store(null, "https://somewhere.random", new PasswordAuthentication("random", new char[0])));
+        assertNull(agent.lookup(null, "https://somewhere.random"));
+        assertDoesNotThrow(() -> agent.store(Authenticator.RequestorType.SERVER, null, new PasswordAuthentication("random", new char[0])));
+        for (Authenticator.RequestorType type : Authenticator.RequestorType.values()) {
+            assertNull(agent.lookup(type, null));
+        }
+        assertNull(agent.lookup(null, null));
+    }
+
+    @Test
+    default void testLookUpAndStoreOAuth10() throws CredentialsAgentException {
+        final T agent = createAgent();
+        assertNull(agent.lookupOAuthAccessToken());
+        final OAuthToken token = new OAuthToken("foo", "bar");
+        agent.storeOAuthAccessToken(token);
+        final OAuthToken actual = agent.lookupOAuthAccessToken();
+        assertEquals(token, actual);
+        agent.storeOAuthAccessToken(null);
+        assertNull(agent.lookupOAuthAccessToken());
+    }
+
+    @ParameterizedTest
+    @MethodSource("getHosts")
+    default void testLookupAndStoreOAuthTokens(final String host) throws CredentialsAgentException, OAuth20Exception {
+        final T agent = createAgent();
+        assertNull(agent.lookupOAuthAccessToken(host));
+        agent.storeOAuthAccessToken(host, new OAuth20Token(new OAuth20Parameters("clientId", "clientSecret",
+                "tokenUrl", "authorizeUrl", "apiUrl", "redirectUrl"),
+                "{\"access_token\": \"test_token\", \"token_type\": \"bearer\"}"));
+        OAuth20Token token = (OAuth20Token) agent.lookupOAuthAccessToken(host);
+        assertNotNull(token);
+        assertEquals("test_token", token.getBearerToken());
+        agent.storeOAuthAccessToken(host, null);
+        assertNull(agent.lookupOAuthAccessToken(host));
+    }
+}

new file test/unit/org/openstreetmap/josm/io/auth/CredentialsManagerTest.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.io.auth;
+
+import org.openstreetmap.josm.testutils.annotations.HTTP;
+
+/**
+ * Test class for {@link CredentialsManager}
+ */
+@HTTP
+class CredentialsManagerTest implements CredentialsAgentTest<CredentialsManager> {
+    @Override
+    public CredentialsManager createAgent() {
+        return new CredentialsManager(new JosmPreferencesCredentialAgent());
+    }
+}

new file test/unit/org/openstreetmap/josm/io/auth/JosmPreferencesCredentialAgentTest.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.io.auth;
+
+/**
+ * Test {@link JosmPreferencesCredentialAgent}
+ */
+class JosmPreferencesCredentialAgentTest implements CredentialsAgentTest<JosmPreferencesCredentialAgent> {
+
+    @Override
+    public JosmPreferencesCredentialAgent createAgent() {
+        return new JosmPreferencesCredentialAgent();
+    }
+}

new file test/unit/org/openstreetmap/josm/io/remotecontrol/handler/AuthorizationHandlerTest.java

@@ +1 @@
+// License: GPL. For details, see LICENSE file.
+package org.openstreetmap.josm.io.remotecontrol.handler;
+
+import static org.junit.jupiter.api.Assertions.assertAll;
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+import org.openstreetmap.josm.data.preferences.BooleanProperty;
+
+/**
+ * Test class for {@link AuthorizationHandler}
+ */
+class AuthorizationHandlerTest {
+    private static class TestAuthorizationConsumer implements AuthorizationHandler.AuthorizationConsumer {
+        boolean validated;
+        boolean handled;
+        @Override
+        public void validateRequest(String sender, String request, Map<String, String> args)
+                throws RequestHandler.RequestHandlerBadRequestException {
+            this.validated = true;
+        }
+
+        @Override
+        public AuthorizationHandler.ResponseRecord handleRequest(String sender, String request, Map<String, String> args)
+                throws RequestHandler.RequestHandlerErrorException, RequestHandler.RequestHandlerBadRequestException {
+            this.handled = true;
+            return null;
+        }
+    }
+
+    @Test
+    void testValidateAndHandleRequest() {
+        final AuthorizationHandler handler = new AuthorizationHandler();
+        handler.request = "test_state";
+        TestAuthorizationConsumer consumer = new TestAuthorizationConsumer();
+        AuthorizationHandler.addAuthorizationConsumer("test_state", consumer);
+        assertAll(() -> assertDoesNotThrow(handler::validateRequest),
+                () -> assertDoesNotThrow(handler::handleRequest),
+                () -> assertTrue(consumer.validated),
+                () -> assertTrue(consumer.handled));
+        // The consumer should only ever be called once
+        consumer.validated = false;
+        consumer.handled = false;
+        assertAll(() -> assertThrows(RequestHandler.RequestHandlerBadRequestException.class, handler::validateRequest),
+                () -> assertThrows(NullPointerException.class, handler::handleRequest),
+                () -> assertFalse(consumer.validated),
+                () -> assertFalse(consumer.handled));
+        // Check to make certain that a bad state doesn't work
+        AuthorizationHandler.addAuthorizationConsumer("testState", consumer);
+        AuthorizationHandler.addAuthorizationConsumer("test_state", consumer);
+        assertThrows(IllegalArgumentException.class, () -> AuthorizationHandler.addAuthorizationConsumer("test_state", consumer));
+        handler.request = "testState test_state";
+        assertAll(() -> assertThrows(RequestHandler.RequestHandlerBadRequestException.class, handler::validateRequest),
+                () -> assertThrows(NullPointerException.class, handler::handleRequest),
+                () -> assertFalse(consumer.validated),
+                () -> assertFalse(consumer.handled));
+    }
+
+    @Test
+    void testGetPermissionMessage() {
+        assertEquals("Allow OAuth remote control to set credentials", new AuthorizationHandler().getPermissionMessage());
+    }
+
+    @Test
+    void testGetPermissionPref() {
+        assertNull(new AuthorizationHandler().getPermissionPref());
+    }
+
+    @Test
+    void testGetPermissionPreference() {
+        final BooleanProperty property = new AuthorizationHandler().getPermissionPreference();
+        assertEquals("remotecontrol.permission.authorization", property.getKey());
+        assertFalse(property.getDefaultValue());
+    }
+
+    @Test
+    void testGetMandatoryParams() {
+        assertArrayEquals(new String[0], new AuthorizationHandler().getMandatoryParams());
+    }
+}