2. extract login URL from JSON object returned in step 1
3. visit login URL from step 2 with your browser (no login required, just grant access)
4. visit /login/v2/poll and send the token → receive expected response - returns the object only once!!
5. optional: verify new session created under "User > Security" - in my case the UA was "PowerShell…" - which I use for the initial request to /index.php/login/v2

Surprisingly, step 4 didn't work with PowerShell Invoke-WebRequest for some reason, but Linux curl was just fine…
Thank you @wwe for staying here with me. I have made progress and understood the login flow v2 better. Now when I try to open the login URL to authenticate, the webview opens, I enter my credentials, and then we reach the grant page. On clicking the Grant button, nothing happens.
I tested the same URL on other devices as well and got the same result. I am not able to navigate beyond that point. Googling a bit, I found this: App "stuck" in webview after login? · Issue #7075 · nextcloud/android · GitHub,
which is more like what I just faced. However, they discussed upgrading and the problem went away; I already have Nextcloud and all apps up to date.
I checked the browser console when I click on the Grant button and I spotted this:
You are accessing the original website with https:// but the URL /login/v2/grant is redirecting to plain http://, which is not allowed by the browser. Most likely something is wrong with your reverse proxy config.
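
The HTTPS-to-HTTP downgrade diagnosed in the reply above can be checked without a browser. This is an added example, not code from any poster in the thread. It assumes the init response from /index.php/login/v2 is JSON with `login`, `poll.token` and `poll.endpoint` fields; the hostname, token and sample response are constructed.

```python
import json
from urllib.parse import urlsplit, urljoin

# Constructed sample: an init response as it might look when the server
# behind the reverse proxy believes the request arrived over plain HTTP.
SAMPLE_INIT = json.dumps({
    "poll": {"token": "CONSTRUCTED-TOKEN",
             "endpoint": "http://cloud.example.com/login/v2/poll"},
    "login": "http://cloud.example.com/login/v2/flow/CONSTRUCTED-ID",
})

REDIRECT_CODES = (301, 302, 303, 307, 308)


def is_downgrade(base_url, target_url):
    """True if base_url is https but target_url resolves to plain http.

    target_url may be absolute, scheme-relative or path-relative, so it is
    resolved against base_url first, the way a browser would resolve it.
    """
    base = urlsplit(base_url)
    target = urlsplit(urljoin(base_url, target_url))
    return base.scheme == "https" and target.scheme == "http"


def audit_flow_init(base_url, init_json):
    """Return (field, url) pairs in the init response that leave HTTPS."""
    data = json.loads(init_json)
    urls = {"login": data["login"], "poll.endpoint": data["poll"]["endpoint"]}
    return [(name, url) for name, url in urls.items()
            if is_downgrade(base_url, url)]


def audit_redirect(request_url, status, location):
    """Check one observed response (e.g. the Grant request) for a downgrade."""
    if status in REDIRECT_CODES and location:
        return is_downgrade(request_url, location)
    return False


if __name__ == "__main__":
    base = "https://cloud.example.com"
    for name, url in audit_flow_init(base, SAMPLE_INIT):
        print(f"{name} leaves HTTPS: {url}")
    grant = base + "/login/v2/grant"
    print("grant redirect downgraded:",
          audit_redirect(grant, 303, "http://cloud.example.com/login/v2/grant"))
```

Feed it the JSON saved from the curl request and the status and `Location` header seen for the Grant request; any hit means the server is generating http:// URLs for a site served over https://.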