Add an option to set oAuth2 applications as trusted, for own external apps which uses oAuth2 sessions

[T0mWz]

Is your feature request related to a problem? Please describe.
For connecting proprietary apps, exchanging a user session via oAuth2 is convenient.
However, now a user must explicitly always grant permission to external apps via oAuth2.
Would be nice that for own apps, for example, you can say they are trusted and you do not have to give explicit permission.

Describe the solution you'd like
Maybe an option to extend the oauth2 clients with an extra field; trusted, which is by default false and can be enabled if client is trusted by default.

[jancborchardt]

Seems sensible for a smoother experience to have some sort of allowlist. @sorbaugh @AndyScherzinger for Files planning.

[AndyScherzinger]

Also looping in @nickvergessen and @julien-nc for a security perspective since I believe this is basically a trade off situation treating security for convinience (which doesn't invalidate the idea, just something to be clear about)

[julien-nc]

As far as I know (and checked), skipping the step which asks for the user's consent is not part of the OAuth "Authorization Code Grant" specifications.

Anyway, this would only be beneficial if the browser already has a valid Nextcloud session. But if the user is not authenticated yet, the login phase interrupts the flow anyway. So there is no guaranty that the flow will be transparent (require no user interaction) even if we allow to remove the consent step (grant access confirmation).

I think we should stick to the Oauth2 specifications.
@nickvergessen Wdyt?

[julien-nc]

Security concern: Any entity in possession of the client ID and secret can silently connect as a user who currently has an active NC session in the browser.

[sorbaugh]

@T0mWz regarding the comments from julien-nc, it might be worth to re-discuss this issue.