AuthPicker: redirect oauth client to grant page

[kinolaev]

Hello!

This PR skips auth picker page for oauth clients.

For now nextcloud redirects user from /apps/oauth2/authorize to /login/flow where user sees only login button that redirects user to /login/flow/grant where user allows access to account. In other cases /login/flow page is used to suggest authorization by application password but this is hidden for oauth clients, so this page is actually useless. With this PR ClientFlowLogin#showAuthPickerPage returns redirect to /login/flow/grant instead of auth picker page and oauthState removed from auth picker template because it will always be empty.

[antonkarliner]

Great idea! Completely agree.

[kinolaev]

Conflict resolved.
@rullzer and @skjnldsv, have you any idea why authpicker page must be shown to user?

[rullzer]

@kinolaev so it is a leftover from an older time ;)
The reason we show it is legacy. We had/have no way to show the message on the login page. And I like that the users know why they have to login before just entering their username and password ;)

[kinolaev]

Sorry, @rullzer, I didn't understand your position. Do you still like that the users see that message or do you want to simplify oauth login flow now?
Need I move this message directly to login form?
Personally, I did not even notice message on authpicker page) So, I think it can be safely removed.

[rullzer]

@kinolaev so after some thinking I'm not a huge fan of this. I'd rather make sure that we fix it for all properly. (so also for the normal flow). Let me discuss a bit with @ChristophWurst as well as he moved the login page over to a webpacked thing so maybe we can do something more fancy these days.

[jancborchardt]

Just for reference, design-wise I totally agree with @kinolaev that this needs to be simplified.

• The first page duplicates the 3rd page. If we need some sort of notice, we could put it above the log in fields, if at all.
• 3rd page only needs to be shown once indeed, as it does for other "Sign in with" systems.

Since this is sign in and also connecting to mobile and desktop clients – thus happening a lot, I’d say we should look into this for 19?

[rullzer]

Yeah and witht he improved login page to vue we might now finally be able to tackle it properly.

[kinolaev]

Hello @rullzer, I resolved merge conflict and moved 'Please log in before granting %1$s access to your %2$s account.' and 'If you are not trying to set up a new device or app, someone is trying to trick you into granting them access to your data. In this case do not proceed and instead contact your system administrator.' messages to LoginForm. Can you review it?

[kinolaev]

Hello @rullzer,
I also moved login by app password to login page and completely removed authPickerPage (v1 and v2)!
Now LoginController checks redirect_url and if it is grant page url (v1 or v2) then it adds client name (oauth client name for oauth flow, browser user agent for v1 flow, app user-agent for v2 flow) and instance name to initial state, so Login.vue can show “login to grant” message. Login.vue also checks redirect_url and shows link to AppTokenLoginForm if url is login/flow and has no clientIdentifier.
What do you think about it?

[skjnldsv]

As there is no feedback since a while I will close this ticket.
If you will decide to work on this feature again and if it hasn't been fixed or implemented already, feel free to re-open and solve the various conflicts.

Thanks for the interest in Nextcloud and the effort put into this! 🙇