Browser Authentication via HttpURLConnection

I'm not familiar with TMDb, but I've read that page on their user authentication process and I think you've misunderstood it.

They specifically say they do not want third-party applications to store a username/password credential, or to pass it in a request ("The benefit to this system is that we're never passing a users username or password through the air or requiring a 3rd party app to store it locally"). The page at callbackUrl is not something you, the third-party app, are supposed to post anything to; it's for human use. The user sees this page, which asks "Do you want to grant access to [name of third-party app]? If so, log in here". Your application doesn't get to control that process; it is intentionally separate from you, so that the user's credentials can never be intercepted or stored by you. Once the user has approved you, you'll be able to get an opaque token (session ID) that you use instead of the credentials.

This is basically the same idea as three-legged OAuth; the main difference is that OAuth requires some extra fields and signature computation, so this is simpler. But it has nothing to do with HTTP Basic auth.

I believe what you want to do is this:

  1. Do step 1, just as you're doing. But don't just grab the Authentication-Callback header; also parse the JSON response and get the value of "request_token".

  2. Check whether the user has already authorized you, by calling the new session API, passing your API key again along with the previously acquired "request_token". If you get a successful response with a "session_id", you are already authorized and you can skip the rest of the steps.

  3. Otherwise, redirect the user (or open a browser if you're not already in one) to the URL specified in Authentication-Callback.

  4. Now, since the login/approval process is separate from your app, how do you know when it's finished? The documentation is unclear on this, and doesn't describe any way for you to get a notification about it (or to make TMDb redirect back to your app). It may be that you need to just poll for the result (that is, go back to step 2) at some reasonable interval.
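The four steps above as an added Java sketch, not part of the original answer and not TMDb's own code: the app only ever handles the request token and the session ID, never the user's credentials, and polling is bounded. The names `Reply`, `field`, `authorize` and the `http` transport (which in a real app would wrap `HttpURLConnection`) are hypothetical, the endpoint paths are assumptions to confirm against the API documentation, and the server replies in `main` are constructed.

```java
import java.util.Optional;
import java.util.function.Function;
import java.util.regex.*;

public class TokenApprovalFlow {
    /** Minimal view of a response: status, body, Authentication-Callback header (may be null). */
    record Reply(int status, String body, String callback) {}

    // Assumed endpoint paths; confirm them against the API documentation before use.
    static final String NEW_TOKEN = "/authentication/token/new?api_key=";
    static final String NEW_SESSION = "/authentication/session/new?api_key=";

    /** Pulls a flat string field out of a JSON body. Use a real JSON parser in production. */
    static Optional<String> field(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? Optional.of(m.group(1)) : Optional.empty();
    }

    /** Returns a session id once the user approves, or empty when maxPolls is exhausted. */
    static Optional<String> authorize(Function<String, Reply> http, String apiKey,
                                      int maxPolls, long pollMillis) throws InterruptedException {
        Reply first = http.apply(NEW_TOKEN + apiKey);                        // step 1
        String token = field(first.body(), "request_token")
                .orElseThrow(() -> new IllegalStateException("no request_token in response"));
        for (int i = 0; i <= maxPolls; i++) {
            Reply r = http.apply(NEW_SESSION + apiKey + "&request_token=" + token); // step 2
            Optional<String> session =
                    r.status() == 200 ? field(r.body(), "session_id") : Optional.empty();
            if (session.isPresent()) return session;  // opaque token replaces credentials
            // Step 3: hand the approval URL to the user's browser; the app never sees the login.
            if (i == 0) System.out.println("Approve access at: " + first.callback());
            if (i < maxPolls) Thread.sleep(pollMillis);                      // step 4: poll again
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the server: approval "happens" before the third session check.
        int[] checks = {0};
        Function<String, Reply> fake = url -> url.startsWith(NEW_TOKEN)
                ? new Reply(200, "{\"request_token\":\"tok-constructed\"}",
                            "https://example.invalid/approve/tok-constructed")
                : (++checks[0] < 3 ? new Reply(401, "{\"status_message\":\"constructed\"}", null)
                                   : new Reply(200, "{\"session_id\":\"sess-constructed\"}", null));
        System.out.println(authorize(fake, "API_KEY_PLACEHOLDER", 5, 10).orElse("timed out"));
    }
}
```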