Simplify OAuth2 login flow

[kinolaev]

Is your feature request related to a problem? Please describe.
When user trying to login using OAuth2 client, he sees three screens:

• authpicker page
• login page
• grant page

First is completely useless (#17136), third must be showed only one time.

Describe the solution you'd like
I suggest to create table to store scopes that user has granted to client and skip grant page if no new scopes were requested. Also user must be able to revoke access to some or all scopes through web ui.

Describe alternatives you've considered
Alternatively we can check scopes from previous sessions (column scope in authtoken table).

I would like to create PR, but firstly I want to discuss need I create new table or use authtoken. Personally I prefer first variant because (1) authtoken doesn't have client id (only name) (2) even if user revokes all sessions it doesn't mean that user want to revoke access for client, so sessions and scopes must be stored separately (3) oauth sessions have small expiration period (1 hour, column expires in authtoken) and it is strange to check expired sessions.

Additional context

[sunjam]

Perhaps @jancborchardt could advise you about a pull request. See this active pr for polishing the login process for reference

[kesselb]

@sunjam there is already some discussion over here: #17136

[skjnldsv]

Shall we close then?

[kinolaev]

Hello @skjnldsv,
it is not critical for me now because I decided to create nextcloud app instead of separate app that can authenticate through nextcloud.
But I still think that if you want to promote nextcloud as identity provider for other apps, you need to simplify oauth2 flow. Ideally a user that already authenticated on nextcloud and previously grants permissions to oauth2 client schould only see loader and redirection to client page instead of dialogs above.
I you don't agree, then you can close this. Otherwise, I want to see your recommendations about things mentioned in the first message and I think I will have free time in January to make PR for this.
Anyway - thank you for the great opensource software!)

[skjnldsv]

Hey :)
I have really no strong preferences as I'm realy not specialised in this area.
But since there was some discussion overlapping this thread here: #17136
I assumed we should maybe close to avoid duplicate topics ;)

[kinolaev]

Yes, there is some overlapping with #17136 (mentioned in the first message), but PR #17136 is about skiping authpicker page and this issue is also about skiping grant page (when user previously grants persmissions). So we can use this issue as central discussion about oauth2 flow, PR #17136 - for authpicker page and new PR - for grant page.

[skjnldsv]

Let's leave it opened then :)

[jancborchardt]

Totally agree that the first screen is completely useless, always confuses me as it basically duplicates the 3rd screen.