meltzow / deck-ng

Home Page:https://meltzow.github.io/deck-ng/

Support signing through files app or login flow

juliushaertl opened this issue

It would be nice if the app could either ask the files client for using the accounts (as it is possible on Android), but that might be tricky with the different tech stack.

Besides that, using Login Flow might be a good enhancement to directly obtain an app token for the user account:

https://docs.nextcloud.com/server/latest/developer_manual/client_apis/LoginFlow/index.html#login-flow-v2

Thank you. I'm with you: using the Login Flow (v2) will be better.

But whenever I execute the POST request in the app (aka browser), I run into a CORS policy issue.
Here is an example message for my local dev environment and local Nextcloud Docker at http://localhost:8100:
Access to XMLHttpRequest at 'http://localhost:8080/index.php/login/v2' from origin 'http://localhost:8100' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

If I copy this request as cURL from my Chrome and paste it into bash to execute the curl statement, the curl request works fine. Perhaps it's a security thing for Chrome. I'm not sure currently.

Same behavior on a production Nextcloud instance.

I see. I'm not too deep into the CORS topic, but it seems that this may be an issue because the request is performed in a web view in the apps. It might be feasible to allow CORS requests on the Nextcloud server for the login flow POST request, but I'll need to think about whether that may have a negative impact on security.

Hi @juliushaertl,
Is there any progress here? Can I help or support you anywhere?

Hi, in version 1.2.0 I use native HTTP requests, so we bypass the CORS issues. For me it's just a workaround and not clean development, but it must be handled by the Nextcloud server. See nextcloud/server#34898.