Add an option to set oAuth2 applications as trusted, for own external apps which uses oAuth2 sessions

[T0mWz]

Is your feature request related to a problem? Please describe.
For connecting proprietary apps, exchanging a user session via oAuth2 is convenient.
However, now a user must explicitly always grant permission to external apps via oAuth2.
Would be nice that for own apps, for example, you can say they are trusted and you do not have to give explicit permission.

Describe the solution you'd like
Maybe an option to extend the oauth2 clients with an extra field; trusted, which is by default false and can be enabled if client is trusted by default.

[jancborchardt]

Seems sensible for a smoother experience to have some sort of allowlist. @sorbaugh @AndyScherzinger for Files planning.

[AndyScherzinger]

Also looping in @nickvergessen and @julien-nc for a security perspective since I believe this is basically a trade off situation treating security for convinience (which doesn't invalidate the idea, just something to be clear about)

[julien-nc]

As far as I know (and checked), skipping the step which asks for the user's consent is not part of the OAuth "Authorization Code Grant" specifications.

Anyway, this would only be beneficial if the browser already has a valid Nextcloud session. But if the user is not authenticated yet, the login phase interrupts the flow anyway. So there is no guaranty that the flow will be transparent (require no user interaction) even if we allow to remove the consent step (grant access confirmation).

I think we should stick to the Oauth2 specifications.
@nickvergessen Wdyt?

[julien-nc]

Security concern: Any entity in possession of the client ID and secret can silently connect as a user who currently has an active NC session in the browser.

[sorbaugh]

@T0mWz regarding the comments from julien-nc, it might be worth to re-discuss this issue.

[T0mWz]

That's correct what @julien-nc mentioned. For that, they are the trusted clients and that choice should also be made very consciously. By default, you should not make a client trusted, but only if you're really sure who the client is and based on callback url.
We use it to implement integrated apps more seemless, where we retrieve user details via oAuth2.
Therefore, we deliberately want some (internal apps) as trusted, but also some (external) applications/clients certainly not.

[sorbaugh]

Adding an option to specifically define an app as trusted while everything else needs confirmation by default would be reasonable.

As discussed, our compromise for remaining security concerns, in order to avoid "novice users" or "accidental users" clicking it, we would only allow changing that via OCC command as a tool for admins.

[come-nc]

Questions:

• Does the oauth protocol allow skipping the validation from backend or will we need a frontend change to autovalidate?
• What is the code path for the oauth confirmation in the backend? Which endpoints are used?

[julien-nc]

Does the oauth protocol allow skipping the validation from backend or will we need a frontend change to autovalidate?

Not sure what you mean.

• This can be done with a frontend autovalidate (trigger the form validation in core/templates/loginflow/grant.php). We can pass the trust flag via initial state.
• I think this could also be done in the backend directly in https://github.com/nextcloud/server/blob/master/core/Controller/ClientFlowLoginController.php#L160 but it's not straightforward as the next step is a POST request to /login/flow so it can't be simply done by returning a redirect response in ClientFlowLoginController::grantPage

What is the code path for the oauth confirmation in the backend? Which endpoints are used?

It uses the login flow:

• entry point is the authorize page: /apps/oauth2/authorize
• redirect to /login/flow
• leads to login/flow/grant
• click on "grant access" makes a POST request to /login/flow