Adapt to OCM spec for remote shares #57234

Open
enriquepablo wants to merge 41 commits into nextcloud:master from enriquepablo:master

enriquepablo commented Dec 23, 2025

See #57152 #57166

Summary

This is a preliminary PR for discussion. If this goes through, there are some things missing on which we'd be grateful for some guidance:

  • docs and tests
  • keeping retrieved access tokens in the db
  • removing tokens when removing shares

There is also the question that for access tokens, we are keeping a reference to the corresponding refresh token in the uid field of the access token db record.

github-actions bot (Contributor) commented Jan 7, 2026

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smoothly and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

@enriquepablo (Author)

Disclaimer: Some of the code in this PR (mainly regarding the tests) was generated by Claude Opus 4.5. I have provided it with very specific prompts, and thoroughly reviewed the output.

Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
…ent the IUserSession interface

…agic method detection issue

…uld have been moved from ICapabilityAwareOCMProvider

enriquepablo (Author) commented Feb 12, 2026

Things we think need discussion.

  1. The request to get a new access token from the token endpoint needs to be signed. If signing fails, token exchange fails, and access to federated shares is blocked. What should we do instead?
     1. https://github.com/enriquepablo/server/blob/master/apps/federatedfilesharing/lib/OCM/CloudFederationProviderFiles.php#L759
  2. At this point we are keeping the access token in the UID field of the db token (on the sharing side). Where should we keep it?
     1. https://github.com/enriquepablo/server/blob/master/apps/dav/lib/Controller/TokenController.php#L147
     2. https://github.com/enriquepablo/server/blob/master/apps/cloud_federation_api/lib/Controller/RequestHandlerController.php#L522
  3. At this point we are keeping the access token in the password field of the remote share (on the sharee side). Where should we keep it?
     1. https://github.com/enriquepablo/server/blob/master/apps/files_sharing/lib/External/Storage.php#L129
  4. Also, once we know where to keep the access tokens, in addition to a db migration, we'll need a migration of the current shares so they do not break.
  5. Also, once we know where to keep the tokens, we need to clean up stale tokens?
  6. Should we verify somehow the received access token?
     1. https://github.com/enriquepablo/server/blob/master/lib/private/Files/Storage/DAV.php#L311
  7. More tests, what is the policy here?
