Refactor scope usage to make it optional.

The GitHub auth provider had been implemented with no scope.
Thus only public information is used, the user needs to provide
his or her mail address on first login page.

Relates to IQSS#5991.

src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/AbstractOAuth2AuthenticationProvider.java

@@ -14,11 +14,7 @@
 
 import javax.validation.constraints.NotNull;
 import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import java.util.Objects;
-import java.util.Optional;
+import java.util.*;
 import java.util.concurrent.ExecutionException;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -93,7 +89,11 @@ public String toString() {
     protected String clientSecret;
     protected String baseUserEndpoint;
     protected String redirectUrl;
-    protected List<String> scope;
+    /**
+     * List of scopes to be requested for authorization at identity provider.
+     * Defaults to empty so no scope will be requested (use case: public info from GitHub)
+     */
+    protected List<String> scope = Arrays.asList("");
 
     public abstract DefaultApi20 getApiInstance();
 
@@ -107,10 +107,9 @@ public String toString() {
      */
     public OAuth20Service getService(String callbackUrl) {
         return new ServiceBuilder(getClientId())
-                      .apiSecret(getClientSecret())
-                      .defaultScope(getSpacedScope())
-                      .callback(callbackUrl)
-                      .build(getApiInstance());
+                    .apiSecret(getClientSecret())
+                    .callback(callbackUrl)
+                    .build(getApiInstance());
     }
 
     /**
@@ -129,7 +128,9 @@ public OAuth2UserRecord getUserRecord(String code, @NotNull OAuth20Service servi
 
         OAuth2AccessToken accessToken = service.getAccessToken(code);
 
-        if ( !getScope().stream().allMatch(accessToken.getScope()::contains) ) {
+        // We need to check if scope is null first: GitHub is used without scope, so the responses scope is null.
+        // Checking scopes via Stream to be independent from order.
+        if ( accessToken.getScope() != null && !getScope().stream().allMatch(accessToken.getScope()::contains) ) {
             // We did not get the permissions on the scope(s) we need. Abort and inform the user.
             throw new OAuth2Exception(200, BundleUtil.getStringFromBundle("auth.providers.orcid.insufficientScope"), "");
         }
@@ -234,7 +235,7 @@ public String getSubTitle() {
 
     public List<String> getScope() { return scope; }
 
-    public String getSpacedScope() { return String.join(" ", scope); }
+    public String getSpacedScope() { return String.join(" ", getScope()); }
 
     @Override
     public int hashCode() {

src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/OAuth2LoginBackingBean.java

@@ -1,5 +1,6 @@
 package edu.harvard.iq.dataverse.authorization.providers.oauth2;
 
+import com.github.scribejava.core.oauth.AuthorizationUrlBuilder;
 import com.github.scribejava.core.oauth.OAuth20Service;
 import edu.harvard.iq.dataverse.DataverseSession;
 import edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean;
@@ -73,10 +74,13 @@ public String linkFor(String idpId, String redirectPage) {
         OAuth20Service svc = idp.getService(systemConfig.getOAuth2CallbackUrl());
         String state = createState(idp, toOption(redirectPage));
 
-        return svc.createAuthorizationUrlBuilder()
-                  .state(state)
-                  .scope(idp.getSpacedScope())
-                  .build();
+        AuthorizationUrlBuilder aub = svc.createAuthorizationUrlBuilder()
+                                         .state(state);
+
+        // Do not include scope if empty string (necessary for GitHub)
+        if (!idp.getSpacedScope().isEmpty()) { aub.scope(idp.getSpacedScope()); }
+
+        return aub.build();
     }
 
     /**