From 203f74449c23ab78d0e35bd6fcd026438fa08bac Mon Sep 17 00:00:00 2001
From: Sergey Nikolaev <kinolaev@gmail.com>
Date: Sat, 19 Sep 2020 21:14:45 +0000
Subject: [PATCH] remove authPickerPage (v1 and v2)

---
 .../Controller/LoginRedirectorController.php  |   2 +-
 .../LoginRedirectorControllerTest.php         |   2 +-
 core/Controller/ClientFlowLoginController.php | 113 ++++------------
 .../ClientFlowLoginV2Controller.php           |  39 +-----
 core/Controller/LoginController.php           |  43 ++++--
 core/routes.php                               |   6 +-
 .../components/login/AppTokenLoginForm.vue    | 112 ++++++++++++++++
 core/src/views/Login.vue                      |  28 +++-
 core/templates/loginflow/authpicker.php       |  66 ---------
 core/templates/loginflow/grant.php            |   6 +
 core/templates/loginflowv2/authpicker.php     |  50 -------
 .../ClientFlowLoginControllerTest.php         | 125 ------------------
 .../ClientFlowLoginV2ControllerTest.php       |  45 +------
 tests/Core/Controller/LoginControllerTest.php |  10 +-
 14 files changed, 217 insertions(+), 430 deletions(-)
 create mode 100644 core/src/components/login/AppTokenLoginForm.vue
 delete mode 100644 core/templates/loginflow/authpicker.php
 delete mode 100644 core/templates/loginflowv2/authpicker.php

diff --git a/apps/oauth2/lib/Controller/LoginRedirectorController.php b/apps/oauth2/lib/Controller/LoginRedirectorController.php
index 4254c9880bc8c..49b4de09373d3 100644
--- a/apps/oauth2/lib/Controller/LoginRedirectorController.php
+++ b/apps/oauth2/lib/Controller/LoginRedirectorController.php
@@ -101,7 +101,7 @@ public function authorize($client_id,
 		$this->session->set('oauth.state', $state);
 
 		$targetUrl = $this->urlGenerator->linkToRouteAbsolute(
-			'core.ClientFlowLogin.showAuthPickerPage',
+			'core.ClientFlowLogin.grantPage',
 			[
 				'clientIdentifier' => $client->getClientIdentifier(),
 			]
diff --git a/apps/oauth2/tests/Controller/LoginRedirectorControllerTest.php b/apps/oauth2/tests/Controller/LoginRedirectorControllerTest.php
index c3dfa4114b312..9ca99bd4a2e9e 100644
--- a/apps/oauth2/tests/Controller/LoginRedirectorControllerTest.php
+++ b/apps/oauth2/tests/Controller/LoginRedirectorControllerTest.php
@@ -90,7 +90,7 @@ public function testAuthorize() {
 			->expects($this->once())
 			->method('linkToRouteAbsolute')
 			->with(
-				'core.ClientFlowLogin.showAuthPickerPage',
+				'core.ClientFlowLogin.grantPage',
 				[
 					'clientIdentifier' => 'MyClientIdentifier',
 				]
diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index c88c44f142370..084b88d66d958 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -161,101 +161,21 @@ private function stateTokenForbiddenResponse() {
 	}
 
 	/**
-	 * @PublicPage
+	 * @NoAdminRequired
 	 * @NoCSRFRequired
+	 * @NoSameSiteCookieRequired
 	 * @UseSession
 	 *
 	 * @param string $clientIdentifier
-	 *
-	 * @return StandaloneTemplateResponse|RedirectResponse
+	 * @return StandaloneTemplateResponse
 	 */
-	public function showAuthPickerPage($clientIdentifier = '') {
-		$clientName = $this->getClientName();
-		$client = null;
-		if ($clientIdentifier !== '') {
-			$client = $this->clientMapper->getByIdentifier($clientIdentifier);
-			$clientName = $client->getName();
-		}
-
-		// No valid clientIdentifier given and no valid API Request (APIRequest header not set)
-		$clientRequest = $this->request->getHeader('OCS-APIREQUEST');
-		if ($clientRequest !== 'true' && $client === null) {
-			return new StandaloneTemplateResponse(
-				$this->appName,
-				'error',
-				[
-					'errors' =>
-					[
-						[
-							'error' => 'Access Forbidden',
-							'hint' => 'Invalid request',
-						],
-					],
-				],
-				'guest'
-			);
-		}
-
+	public function grantPage($clientIdentifier = '') {
 		$stateToken = $this->random->generate(
 			64,
 			ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
 		);
 		$this->session->set(self::STATE_NAME, $stateToken);
 
-		$oauthState = $this->session->get('oauth.state');
-		if (!empty($oauthState)) {
-			$targetUrl = $this->urlGenerator->linkToRoute(
-				'core.ClientFlowLogin.grantPage',
-				[
-					'stateToken' => $stateToken,
-					'clientIdentifier' => $clientIdentifier,
-					'oauthState' => $oauthState
-				]
-			);
-			return new RedirectResponse($targetUrl);
-		}
-
-		$csp = new Http\ContentSecurityPolicy();
-		if ($client) {
-			$csp->addAllowedFormActionDomain($client->getRedirectUri());
-		} else {
-			$csp->addAllowedFormActionDomain('nc://*');
-		}
-
-		$response = new StandaloneTemplateResponse(
-			$this->appName,
-			'loginflow/authpicker',
-			[
-				'client' => $clientName,
-				'clientIdentifier' => $clientIdentifier,
-				'instanceName' => $this->defaults->getName(),
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => $stateToken,
-				'serverHost' => $this->getServerPath(),
-			],
-			'guest'
-		);
-
-		$response->setContentSecurityPolicy($csp);
-		return $response;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @NoSameSiteCookieRequired
-	 * @UseSession
-	 *
-	 * @param string $stateToken
-	 * @param string $clientIdentifier
-	 * @return StandaloneTemplateResponse
-	 */
-	public function grantPage($stateToken = '',
-								 $clientIdentifier = '') {
-		if (!$this->isValidToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
 		$clientName = $this->getClientName();
 		$client = null;
 		if ($clientIdentifier !== '') {
@@ -386,11 +306,7 @@ public function generateAppPassword($stateToken,
 	/**
 	 * @PublicPage
 	 */
-	public function apptokenRedirect(string $stateToken, string $user, string $password) {
-		if (!$this->isValidToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
+	public function apptokenRedirect(string $user, string $password) {
 		try {
 			$token = $this->tokenProvider->getToken($password);
 			if ($token->getLoginName() !== $user) {
@@ -410,7 +326,24 @@ public function apptokenRedirect(string $stateToken, string $user, string $passw
 		}
 
 		$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($user) . '&password:' . urlencode($password);
-		return new Http\RedirectResponse($redirectUri);
+
+		$csp = new Http\ContentSecurityPolicy();
+		$csp->addAllowedFormActionDomain('nc://*');
+
+		$response = new StandaloneTemplateResponse(
+			$this->appName,
+			'loginflow/grant',
+			[
+				'client' => $token->getName(),
+				'instanceName' => $this->defaults->getName(),
+				'urlGenerator' => $this->urlGenerator,
+				'redirectUri' => $redirectUri,
+			],
+			'guest'
+		);
+
+		$response->setContentSecurityPolicy($csp);
+		return $response;
 	}
 
 	private function getServerPath(): string {
diff --git a/core/Controller/ClientFlowLoginV2Controller.php b/core/Controller/ClientFlowLoginV2Controller.php
index 103d659ecd2ba..f3c96a8674174 100644
--- a/core/Controller/ClientFlowLoginV2Controller.php
+++ b/core/Controller/ClientFlowLoginV2Controller.php
@@ -109,16 +109,17 @@ public function landing(string $token): Response {
 		$this->session->set(self::TOKEN_NAME, $token);
 
 		return new RedirectResponse(
-			$this->urlGenerator->linkToRouteAbsolute('core.ClientFlowLoginV2.showAuthPickerPage')
+			$this->urlGenerator->linkToRouteAbsolute('core.ClientFlowLoginV2.grantPage')
 		);
 	}
 
 	/**
-	 * @NoCSRFRequired
-	 * @PublicPage
+	 * @NoAdminRequired
 	 * @UseSession
+	 * @NoCSRFRequired
+	 * @NoSameSiteCookieRequired
 	 */
-	public function showAuthPickerPage(): StandaloneTemplateResponse {
+	public function grantPage(): StandaloneTemplateResponse {
 		try {
 			$flow = $this->getFlowByLoginToken();
 		} catch (LoginFlowV2NotFoundException $e) {
@@ -131,36 +132,6 @@ public function showAuthPickerPage(): StandaloneTemplateResponse {
 		);
 		$this->session->set(self::STATE_NAME, $stateToken);
 
-		return new StandaloneTemplateResponse(
-			$this->appName,
-			'loginflowv2/authpicker',
-			[
-				'client' => $flow->getClientName(),
-				'instanceName' => $this->defaults->getName(),
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => $stateToken,
-			],
-			'guest'
-		);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @UseSession
-	 * @NoCSRFRequired
-	 * @NoSameSiteCookieRequired
-	 */
-	public function grantPage(string $stateToken): StandaloneTemplateResponse {
-		if (!$this->isValidStateToken($stateToken)) {
-			return $this->stateTokenForbiddenResponse();
-		}
-
-		try {
-			$flow = $this->getFlowByLoginToken();
-		} catch (LoginFlowV2NotFoundException $e) {
-			return $this->loginTokenForbiddenResponse();
-		}
-
 		return new StandaloneTemplateResponse(
 			$this->appName,
 			'loginflowv2/grant',
diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index 9cf3a678c78f2..2cff83df7263d 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -36,6 +36,7 @@
 use OC\Authentication\Login\Chain;
 use OC\Authentication\Login\LoginData;
 use OC\Authentication\WebAuthn\Manager as WebAuthnManager;
+use OC\Core\Service\LoginFlowV2Service;
 use OC\Security\Bruteforce\Throttler;
 use OC\User\Session;
 use OC_App;
@@ -86,6 +87,8 @@ class LoginController extends Controller {
 	private $webAuthnManager;
 	/** @var ClientMapper */
 	private $clientMapper;
+	/** @var LoginFlowV2Service */
+	private $loginFlowV2Service;
 
 	public function __construct(?string $appName,
 								IRequest $request,
@@ -100,7 +103,8 @@ public function __construct(?string $appName,
 								Chain $loginChain,
 								IInitialStateService $initialStateService,
 								WebAuthnManager $webAuthnManager,
-								ClientMapper $clientMapper) {
+								ClientMapper $clientMapper,
+								LoginFlowV2Service $loginFlowV2Service) {
 		parent::__construct($appName, $request);
 		$this->userManager = $userManager;
 		$this->config = $config;
@@ -114,6 +118,7 @@ public function __construct(?string $appName,
 		$this->initialStateService = $initialStateService;
 		$this->webAuthnManager = $webAuthnManager;
 		$this->clientMapper = $clientMapper;
+		$this->loginFlowV2Service = $loginFlowV2Service;
 	}
 
 	/**
@@ -182,19 +187,11 @@ public function showLoginForm(string $user = null, string $redirect_url = null):
 		if (!empty($redirect_url)) {
 			$this->initialStateService->provideInitialState('core', 'loginRedirectUrl', $redirect_url);
 
-			$grant_url = $this->urlGenerator->linkToRoute('core.ClientFlowLogin.grantPage');
-			if (strpos($redirect_url, $grant_url) === 0) {
-				parse_str(parse_url($redirect_url, PHP_URL_QUERY), $grant_query);
-				if (empty($grant_query['clientIdentifier'])) {
-					$userAgent = $this->request->getHeader('USER_AGENT');
-					$clientName = $userAgent !== '' ? $userAgent : 'unknown';
-				} else {
-					$client = $this->clientMapper->getByIdentifier($grant_query['clientIdentifier']);
-					$clientName = $client->getName();
-				}
+			$client = $this->getClientName($redirect_url);
+			if ($client) {
 				$this->initialStateService->provideInitialState('core', 'loginGrantParams', [
 					'client' => Util::sanitizeHTML($clientName),
-					'instanceName' => Util::sanitizeHTML($this->defaults->getName())
+					'instanceName' => Util::sanitizeHTML($this->defaults->getName()),
 				]);
 			}
 		}
@@ -393,4 +390,26 @@ public function confirmPassword($password) {
 		$this->session->set('last-password-confirm', $confirmTimestamp);
 		return new DataResponse(['lastLogin' => $confirmTimestamp], Http::STATUS_OK);
 	}
+
+	/**
+	 * @param string $redirect_url
+	 * @return null|string
+	 */
+	private function getClientName($redirect_url) {
+		if (strpos($redirect_url, $this->urlGenerator->linkToRoute('core.ClientFlowLogin.grantPage')) === 0) {
+			parse_str(parse_url($redirect_url, PHP_URL_QUERY), $clientFlowQuery);
+			if (isset($clientFlowQuery['clientIdentifier'])) {
+				$client = $this->clientMapper->getByIdentifier($clientFlowQuery['clientIdentifier']);
+				return $client->getName();
+			} else {
+				$userAgent = $this->request->getHeader('USER_AGENT');
+				return $userAgent !== '' ? $userAgent : 'unknown';
+			}
+		} else if (strpos($redirect_url, $this->urlGenerator->linkToRoute('core.ClientFlowLoginV2.grantPage')) === 0) {
+			$flowV2Token = $this->session->get(ClientFlowLoginV2Controller::TOKEN_NAME);
+			$flowV2 = $this->loginFlowV2Service->getByLoginToken($flowV2Token);
+			return $flowV2->getClientName();
+		} 
+		return null;
+	}
 }
diff --git a/core/routes.php b/core/routes.php
index 9fa378dc1d8ed..2e224dc3aa426 100644
--- a/core/routes.php
+++ b/core/routes.php
@@ -54,15 +54,13 @@
 		['name' => 'login#showLoginForm', 'url' => '/login', 'verb' => 'GET'],
 		['name' => 'login#logout', 'url' => '/logout', 'verb' => 'GET'],
 		// Original login flow used by all clients
-		['name' => 'ClientFlowLogin#showAuthPickerPage', 'url' => '/login/flow', 'verb' => 'GET'],
+		['name' => 'ClientFlowLogin#grantPage', 'url' => '/login/flow', 'verb' => 'GET'],
 		['name' => 'ClientFlowLogin#generateAppPassword', 'url' => '/login/flow', 'verb' => 'POST'],
-		['name' => 'ClientFlowLogin#grantPage', 'url' => '/login/flow/grant', 'verb' => 'GET'],
 		['name' => 'ClientFlowLogin#apptokenRedirect', 'url' => '/login/flow/apptoken', 'verb' => 'POST'],
 		// NG login flow used by desktop client in case of Kerberos/fancy 2fa (smart cards for example)
 		['name' => 'ClientFlowLoginV2#poll', 'url' => '/login/v2/poll', 'verb' => 'POST'],
-		['name' => 'ClientFlowLoginV2#showAuthPickerPage', 'url' => '/login/v2/flow', 'verb' => 'GET'],
+		['name' => 'ClientFlowLoginV2#grantPage', 'url' => '/login/v2/flow', 'verb' => 'GET'],
 		['name' => 'ClientFlowLoginV2#landing', 'url' => '/login/v2/flow/{token}', 'verb' => 'GET'],
-		['name' => 'ClientFlowLoginV2#grantPage', 'url' => '/login/v2/grant', 'verb' => 'GET'],
 		['name' => 'ClientFlowLoginV2#generateAppPassword', 'url' => '/login/v2/grant', 'verb' => 'POST'],
 		['name' => 'ClientFlowLoginV2#init', 'url' => '/login/v2', 'verb' => 'POST'],
 		['name' => 'TwoFactorChallenge#selectChallenge', 'url' => '/login/selectchallenge', 'verb' => 'GET'],
diff --git a/core/src/components/login/AppTokenLoginForm.vue b/core/src/components/login/AppTokenLoginForm.vue
new file mode 100644
index 0000000000000..ac730eab01313
--- /dev/null
+++ b/core/src/components/login/AppTokenLoginForm.vue
@@ -0,0 +1,112 @@
+<template>
+	<form name="login"
+		method="post"
+		:action="loginActionUrl"
+		@submit="submit">
+		<fieldset>
+			<p class="grouptop">
+				<input id="user"
+					ref="user"
+					v-model="user"
+					type="text"
+					name="user"
+					autocapitalize="off"
+					:autocomplete="autoCompleteAllowed ? 'on' : 'off'"
+					:placeholder="t('core', 'Username')"
+					:aria-label="t('core', 'Username')"
+					required
+					@change="updateUsername">
+				<label for="user" class="infield">{{ t('core', 'Username') }}</label>
+			</p>
+
+			<p class="groupbottom">
+				<input id="password"
+					ref="password"
+					:type="passwordInputType"
+					class="password-with-toggle"
+					name="password"
+					:autocomplete="autoCompleteAllowed ? 'on' : 'off'"
+					:placeholder="t('core', 'App token')"
+					:aria-label="t('core', 'Password')"
+					required>
+				<label for="password"
+					class="infield">{{ t('Password') }}</label>
+				<a href="#" class="toggle-password" @click.stop.prevent="togglePassword">
+					<img :src="toggleIcon">
+				</a>
+			</p>
+
+			<LoginButton :loading="loading" :inverted-colors="invertedColors" />
+
+			<input type="hidden"
+				name="requesttoken"
+				:value="OC.requestToken">
+		</fieldset>
+	</form>
+</template>
+
+<script>
+import LoginButton from './LoginButton'
+import { generateUrl, imagePath } from '@nextcloud/router'
+
+export default {
+	name: 'AppTokenLoginForm',
+	components: { LoginButton },
+	props: {
+		username: {
+			type: String,
+			default: '',
+		},
+		invertedColors: {
+			type: Boolean,
+			default: false,
+		},
+		autoCompleteAllowed: {
+			type: Boolean,
+			default: true,
+		},
+	},
+	data() {
+		return {
+			loading: false,
+			user: this.username,
+			password: '',
+			passwordInputType: 'password',
+		}
+	},
+	computed: {
+		toggleIcon() {
+			return imagePath('core', 'actions/toggle.svg')
+		},
+		loginActionUrl() {
+			return generateUrl('login/flow/apptoken')
+		},
+	},
+	mounted() {
+		if (this.username === '') {
+			this.$refs.user.focus()
+		} else {
+			this.$refs.password.focus()
+		}
+	},
+	methods: {
+		togglePassword() {
+			if (this.passwordInputType === 'password') {
+				this.passwordInputType = 'text'
+			} else {
+				this.passwordInputType = 'password'
+			}
+		},
+		updateUsername() {
+			this.$emit('update:username', this.user)
+		},
+		submit() {
+			this.loading = true
+		},
+	},
+}
+</script>
+
+<style scoped>
+
+</style>
diff --git a/core/src/views/Login.vue b/core/src/views/Login.vue
index d4d87c57f9853..a7ddded492516 100644
--- a/core/src/views/Login.vue
+++ b/core/src/views/Login.vue
@@ -27,7 +27,7 @@
 			<p class="info">{{ t('core', 'If you are not trying to set up a new device or app, someone is trying to trick you into granting them access to your data. In this case do not proceed and instead contact your system administrator.') }}</p>
 		</div>
 		<transition name="fade" mode="out-in">
-			<div v-if="!passwordlessLogin && !resetPassword && resetPasswordTarget === ''"
+			<div v-if="!passwordlessLogin && !appTokenLogin && !resetPassword && resetPasswordTarget === ''"
 				key="login">
 				<LoginForm
 					:username.sync="user"
@@ -54,6 +54,10 @@
 				<a v-if="hasPasswordless" @click.prevent="passwordlessLogin = true">
 					{{ t('core', 'Log in with a device') }}
 				</a>
+				<br>
+				<a v-if="hasAppToken" @click.prevent="appTokenLogin = true">
+					{{ t('core', 'Alternative log in using app token') }}
+				</a>
 			</div>
 			<div v-else-if="!loading && passwordlessLogin"
 				key="reset"
@@ -70,6 +74,17 @@
 					{{ t('core', 'Back') }}
 				</a>
 			</div>
+			<div v-else-if="!loading && appTokenLogin"
+				key="app-token"
+				class="login-additional">
+				<AppTokenLoginForm
+					:username.sync="user"
+					:inverted-colors="invertedColors"
+					:auto-complete-allowed="autoCompleteAllowed" />
+				<a @click.prevent="appTokenLogin = false">
+					{{ t('core', 'Back') }}
+				</a>
+			</div>
 			<div v-else-if="!loading && canResetPassword"
 				key="reset"
 				class="login-additional">
@@ -94,14 +109,17 @@
 <script>
 import LoginForm from '../components/login/LoginForm.vue'
 import PasswordLessLoginForm from '../components/login/PasswordLessLoginForm.vue'
+import AppTokenLoginForm from '../components/login/AppTokenLoginForm.vue'
 import ResetPassword from '../components/login/ResetPassword.vue'
 import UpdatePassword from '../components/login/UpdatePassword.vue'
+import { generateUrl } from '@nextcloud/router'
 
 export default {
 	name: 'Login',
 	components: {
 		LoginForm,
 		PasswordLessLoginForm,
+		AppTokenLoginForm,
 		ResetPassword,
 		UpdatePassword,
 	},
@@ -169,6 +187,14 @@ export default {
 			user: this.username,
 			passwordlessLogin: false,
 			resetPassword: false,
+			appTokenLogin: false,
+		}
+	},
+	computed: {
+		hasAppToken() {
+			return this.redirectUrl
+				&& this.redirectUrl.indexOf(generateUrl('login/flow')) === 0
+				&& new URL(this.redirectUrl, window.location.origin).searchParams.has('clientIdentifier') === false
 		}
 	},
 	methods: {
diff --git a/core/templates/loginflow/authpicker.php b/core/templates/loginflow/authpicker.php
deleted file mode 100644
index d114f55be31fb..0000000000000
--- a/core/templates/loginflow/authpicker.php
+++ /dev/null
@@ -1,66 +0,0 @@
-<?php
-/**
- * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
- *
- * @license GNU AGPL version 3 or any later version
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-script('core', 'login/authpicker');
-style('core', 'login/authpicker');
-
-/** @var array $_ */
-/** @var \OCP\IURLGenerator $urlGenerator */
-$urlGenerator = $_['urlGenerator'];
-?>
-
-<div class="picker-window">
-	<h2><?php p($l->t('Connect to your account')) ?></h2>
-	<p class="info">
-		<?php print_unescaped($l->t('Please log in before granting %1$s access to your %2$s account.', [
-			'<strong>' . \OCP\Util::sanitizeHTML($_['client']) . '</strong>',
-			\OCP\Util::sanitizeHTML($_['instanceName'])
-		])) ?>
-	</p>
-
-	<p class="info">
-		<?php print_unescaped($l->t('If you are not trying to set up a new device or app, someone is trying to trick you into granting them access to your data. In this case do not proceed and instead contact your system administrator.')) ?>
-	</p>
-
-	<br/>
-
-	<p id="redirect-link">
-		<a href="<?php p($urlGenerator->linkToRoute('core.ClientFlowLogin.grantPage', ['stateToken' => $_['stateToken'], 'clientIdentifier' => $_['clientIdentifier']])) ?>">
-			<input type="submit" class="login primary icon-confirm-white" value="<?php p($l->t('Log in')) ?>">
-		</a>
-	</p>
-
-	<form action="<?php p($urlGenerator->linkToRouteAbsolute('core.ClientFlowLogin.apptokenRedirect')); ?>" method="post" id="app-token-login-field" class="hidden">
-		<p class="grouptop">
-			<input type="text" name="user" id="user" placeholder="<?php p($l->t('Username')) ?>">
-			<label for="user" class="infield"><?php p($l->t('Username')) ?></label>
-		</p>
-		<p class="groupbottom">
-			<input type="password" name="password" id="password" placeholder="<?php p($l->t('App token')) ?>">
-			<label for="password" class="infield"><?php p($l->t('Password')) ?></label>
-		</p>
-		<input type="hidden" name="stateToken" value="<?php p($_['stateToken']) ?>" />
-		<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>">
-		<input id="submit-app-token-login" type="submit" class="login primary icon-confirm-white" value="<?php p($l->t('Grant access')) ?>">
-	</form>
-</div>
-
-<a id="app-token-login" class="warning" href="#"><?php p($l->t('Alternative log in using app token')) ?></a>
diff --git a/core/templates/loginflow/grant.php b/core/templates/loginflow/grant.php
index 0f1b9235a8971..3331c64de02c3 100644
--- a/core/templates/loginflow/grant.php
+++ b/core/templates/loginflow/grant.php
@@ -39,6 +39,11 @@
 	<br/>
 
 	<p id="redirect-link">
+		<?php if (isset($_['redirectUri'])): ?>
+		<a href="<?php p($_['redirectUri']) ?>">
+			<input type="submit" class="login primary icon-confirm-white" title="" value="<?php p($l->t('Grant access')) ?>">
+		</a>
+		<?php else: ?>
 		<form method="POST" action="<?php p($urlGenerator->linkToRouteAbsolute('core.ClientFlowLogin.generateAppPassword')) ?>">	
 			<input type="hidden" name="clientIdentifier" value="<?php p($_['clientIdentifier']) ?>" />	
 			<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />	
@@ -48,5 +53,6 @@
 				<input type="submit" class="login primary icon-confirm-white" title="" value="<?php p($l->t('Grant access')); ?>" />
 			</div>	
 		</form>
+		<?php endif; ?>
 	</p>
 </div>
diff --git a/core/templates/loginflowv2/authpicker.php b/core/templates/loginflowv2/authpicker.php
deleted file mode 100644
index a32787f22b890..0000000000000
--- a/core/templates/loginflowv2/authpicker.php
+++ /dev/null
@@ -1,50 +0,0 @@
-<?php
-/**
- * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
- *
- * @license GNU AGPL version 3 or any later version
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-style('core', 'login/authpicker');
-
-/** @var array $_ */
-/** @var \OCP\IURLGenerator $urlGenerator */
-$urlGenerator = $_['urlGenerator'];
-?>
-
-<div class="picker-window">
-	<h2><?php p($l->t('Connect to your account')) ?></h2>
-	<p class="info">
-		<?php print_unescaped($l->t('Please log in before granting %1$s access to your %2$s account.', [
-			'<strong>' . \OCP\Util::sanitizeHTML($_['client']) . '</strong>',
-			\OCP\Util::sanitizeHTML($_['instanceName'])
-		])) ?>
-	</p>
-
-	<p class="info">
-		<?php print_unescaped($l->t('If you are not trying to set up a new device or app, someone is trying to trick you into granting them access to your data. In this case do not proceed and instead contact your system administrator.')) ?>
-	</p>
-
-	<br/>
-
-	<p id="redirect-link">
-		<a href="<?php p($urlGenerator->linkToRouteAbsolute('core.ClientFlowLoginV2.grantPage', ['stateToken' => $_['stateToken']])) ?>">
-			<input type="submit" class="login primary icon-confirm-white" value="<?php p($l->t('Log in')) ?>">
-		</a>
-	</p>
-
-</div>
diff --git a/tests/Core/Controller/ClientFlowLoginControllerTest.php b/tests/Core/Controller/ClientFlowLoginControllerTest.php
index b45af34b6d370..5490f2b14c4b2 100644
--- a/tests/Core/Controller/ClientFlowLoginControllerTest.php
+++ b/tests/Core/Controller/ClientFlowLoginControllerTest.php
@@ -113,131 +113,6 @@ protected function setUp(): void {
 		);
 	}
 
-	public function testShowAuthPickerPageNoClientOrOauthRequest() {
-		$expected = new StandaloneTemplateResponse(
-			'core',
-			'error',
-			[
-				'errors' =>
-					[
-						[
-							'error' => 'Access Forbidden',
-							'hint' => 'Invalid request',
-						],
-					],
-			],
-			'guest'
-		);
-
-		$this->assertEquals($expected, $this->clientFlowLoginController->showAuthPickerPage());
-	}
-
-	public function testShowAuthPickerPageWithOcsHeader() {
-		$this->request
-			->expects($this->at(0))
-			->method('getHeader')
-			->with('USER_AGENT')
-			->willReturn('Mac OS X Sync Client');
-		$this->request
-			->expects($this->at(1))
-			->method('getHeader')
-			->with('OCS-APIREQUEST')
-			->willReturn('true');
-		$this->random
-			->expects($this->once())
-			->method('generate')
-			->with(
-				64,
-				ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
-			)
-			->willReturn('StateToken');
-		$this->session
-			->expects($this->once())
-			->method('set')
-			->with('client.flow.state.token', 'StateToken');
-		$this->session
-			->expects($this->once())
-			->method('get')
-			->with('oauth.state')
-			->willReturn(null);
-		$this->defaults
-			->expects($this->once())
-			->method('getName')
-			->willReturn('ExampleCloud');
-		$this->request
-			->expects($this->once())
-			->method('getServerHost')
-			->willReturn('example.com');
-		$this->request
-			->method('getServerProtocol')
-			->willReturn('https');
-
-		$expected = new StandaloneTemplateResponse(
-			'core',
-			'loginflow/authpicker',
-			[
-				'client' => 'Mac OS X Sync Client',
-				'clientIdentifier' => '',
-				'instanceName' => 'ExampleCloud',
-				'urlGenerator' => $this->urlGenerator,
-				'stateToken' => 'StateToken',
-				'serverHost' => 'https://example.com',
-			],
-			'guest'
-		);
-		$csp = new Http\ContentSecurityPolicy();
-		$csp->addAllowedFormActionDomain('nc://*');
-		$expected->setContentSecurityPolicy($csp);
-		$this->assertEquals($expected, $this->clientFlowLoginController->showAuthPickerPage());
-	}
-
-	public function testShowAuthPickerPageWithOauth() {
-		$this->request
-			->expects($this->at(0))
-			->method('getHeader')
-			->with('USER_AGENT')
-			->willReturn('Mac OS X Sync Client');
-		$client = new Client();
-		$client->setName('My external service');
-		$client->setRedirectUri('https://example.com/redirect.php');
-		$this->clientMapper
-			->expects($this->once())
-			->method('getByIdentifier')
-			->with('MyClientIdentifier')
-			->willReturn($client);
-		$this->random
-			->expects($this->once())
-			->method('generate')
-			->with(
-				64,
-				ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
-			)
-			->willReturn('StateToken');
-		$this->session
-			->expects($this->once())
-			->method('set')
-			->with('client.flow.state.token', 'StateToken');
-		$this->session
-			->expects($this->once())
-			->method('get')
-			->with('oauth.state')
-			->willReturn('OauthStateToken');
-		$this->urlGenerator
-			->expects($this->once())
-			->method('linkToRoute')
-			->with(
-				'core.ClientFlowLogin.grantPage',
-				[
-					'stateToken' => 'StateToken',
-					'clientIdentifier' => 'MyClientIdentifier',
-					'oauthState' => 'OauthStateToken'
-				])
-			->willReturn('grantURL');
-
-		$expected = new Http\RedirectResponse('grantURL');
-		$this->assertEquals($expected, $this->clientFlowLoginController->showAuthPickerPage('MyClientIdentifier'));
-	}
-
 	public function testGenerateAppPasswordWithInvalidToken() {
 		$this->session
 			->expects($this->once())
diff --git a/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php b/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php
index 1e35dc71c3f0b..984aff4b4bf46 100644
--- a/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php
+++ b/tests/Core/Controller/ClientFlowLoginV2ControllerTest.php
@@ -129,7 +129,7 @@ public function testLandingValid() {
 			->willReturn(true);
 
 		$this->urlGenerator->method('linkToRouteAbsolute')
-			->with('core.ClientFlowLoginV2.showAuthPickerPage')
+			->with('core.ClientFlowLoginV2.grantPage')
 			->willReturn('https://server/path');
 
 		$result = $this->controller->landing('token');
@@ -139,49 +139,6 @@ public function testLandingValid() {
 		$this->assertSame('https://server/path', $result->getRedirectURL());
 	}
 
-	public function testShowAuthPickerNoLoginToken() {
-		$this->session->method('get')
-			->willReturn(null);
-
-		$result = $this->controller->showAuthPickerPage();
-
-		$this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus());
-	}
-
-	public function testShowAuthPickerInvalidLoginToken() {
-		$this->session->method('get')
-			->with('client.flow.v2.login.token')
-			->willReturn('loginToken');
-
-		$this->loginFlowV2Service->method('getByLoginToken')
-			->with('loginToken')
-			->willThrowException(new LoginFlowV2NotFoundException());
-
-		$result = $this->controller->showAuthPickerPage();
-
-		$this->assertSame(Http::STATUS_FORBIDDEN, $result->getStatus());
-	}
-
-	public function testShowAuthPickerValidLoginToken() {
-		$this->session->method('get')
-			->with('client.flow.v2.login.token')
-			->willReturn('loginToken');
-
-		$flow = new LoginFlowV2();
-		$this->loginFlowV2Service->method('getByLoginToken')
-			->with('loginToken')
-			->willReturn($flow);
-
-		$this->random->method('generate')
-			->with(64, ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS)
-			->willReturn('random');
-		$this->session->expects($this->once())
-			->method('set')
-			->with('client.flow.v2.state.token', 'random');
-
-		$this->controller->showAuthPickerPage();
-	}
-
 	public function testGrantPageInvalidStateToken() {
 		$this->session->method('get')
 			->willReturnCallback(function ($name) {
diff --git a/tests/Core/Controller/LoginControllerTest.php b/tests/Core/Controller/LoginControllerTest.php
index 6f5eeeacc624f..704c839cc5f0f 100644
--- a/tests/Core/Controller/LoginControllerTest.php
+++ b/tests/Core/Controller/LoginControllerTest.php
@@ -26,6 +26,7 @@
 use OC\Authentication\Login\LoginResult;
 use OC\Authentication\TwoFactorAuth\Manager;
 use OC\Core\Controller\LoginController;
+use OC\Core\Service\LoginFlowV2Service;
 use OC\Security\Bruteforce\Throttler;
 use OC\User\Session;
 use OCA\OAuth2\Db\ClientMapper;
@@ -90,6 +91,9 @@ class LoginControllerTest extends TestCase {
 	/** @var ClientMapper|MockObject */
 	private $clientMapper;
 
+	/** @var LoginFlowV2Service|MockObject */
+	private $loginFlowV2Service;
+
 	protected function setUp(): void {
 		parent::setUp();
 		$this->request = $this->createMock(IRequest::class);
@@ -106,6 +110,7 @@ protected function setUp(): void {
 		$this->initialStateService = $this->createMock(IInitialStateService::class);
 		$this->webAuthnManager = $this->createMock(\OC\Authentication\WebAuthn\Manager::class);
 		$this->clientMapper = $this->createMock(ClientMapper::class);
+		$this->loginFlowV2Service = $this->createMock(LoginFlowV2Service::class);
 
 
 		$this->request->method('getRemoteAddress')
@@ -130,7 +135,8 @@ protected function setUp(): void {
 			$this->chain,
 			$this->initialStateService,
 			$this->webAuthnManager,
-			$this->clientMapper
+			$this->clientMapper,
+			$this->loginFlowV2Service,
 		);
 	}
 
@@ -290,7 +296,7 @@ public function testShowLoginFormForFlowAuth() {
 		$this->urlGenerator
 			->expects($this->once())
 			->method('linkToRoute')
-			->willReturn('login/flow/grant');
+			->willReturn('login/flow');
 
 		$expectedResponse = new TemplateResponse(
 			'core',