
@Udhay-Adithya (Contributor) commented Jul 20, 2025

PR Description

This PR adds support for both OAuth1 and OAuth2 authentication.

Supported OAuth2 Grant types:

  • Authorization Code (working)
  • Client Credentials (working)
  • Resource Owner Password (working)

OAuth1 (working)

To Test OAuth1 and OAuth2

  • OAuth1:

    • Testing URL: https://postman-echo.com/oauth1
    • Consumer Key: RKCGzna7bv9YD57c
    • Consumer Secret: D+EdQ-gs$-%@2Nu7
  • OAuth2:
    GitHub OAuth API
    (or)
    mock-oauth2-server: this repository has a mock-oauth2-server which can be run locally.

    • Download: docker pull ghcr.io/navikt/mock-oauth2-server:2.2.1
    • Run: docker run --rm -p 8080:8080 ghcr.io/navikt/mock-oauth2-server:2.2.1

All links required for oauth2 will be available at: http://localhost:8080/{username}/.well-known/openid-configuration
OAuth2 Client Debugger: http://localhost:8080/{username}/debugger

Related Issues

Checklist

  • I have gone through the contributing guide
  • I have updated my branch and synced it with project main branch before making this PR
  • I am using the latest Flutter stable branch (run flutter upgrade and verify)
  • I have run the tests (flutter test) and all tests are passing

Added/updated tests?

  • Yes
  • No, and this is why: please replace this line with details on why tests have not been included

OS on which you have developed and tested the feature?

  • Windows
  • macOS
  • Linux

@Udhay-Adithya Udhay-Adithya changed the title add oauth2 authentication support add oauth authentication support Jul 21, 2025
@Udhay-Adithya (Contributor, Author) commented Jul 23, 2025

The current implementation has been tested and works on Android, iOS, and macOS. I currently don't have access to a Windows machine, so it's not yet tested on that platform.

OAuth2 authentication works across supported platforms. However, it requires a platform-specific setup to handle custom scheme redirects. The app must register a custom scheme named apidash with the host oauth2, as documented in the flutter_web_auth_2 package. This is essential because the default redirect URI used after OAuth2 authentication is apidash://oauth2.
OAuth2 only supports `application/json` responses (rfc6749#section-5.1).

A pending enhancement for OAuth2 is to support http and https redirect URIs in addition to the current custom scheme-based URI.

As for OAuth1, this implementation does not handle the complete OAuth1 flow. It assumes that the necessary steps to obtain the access token have already been performed manually or through a backend service. This approach aligns with the behavior in other API clients such as Postman and Insomnia, where users provide the access tokens directly to make authenticated requests.
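As an added illustration of what the OAuth1 part of this PR relies on (not code from this PR or from API Dash): signing a request with HMAC-SHA1 per RFC 5849 once the access token is already in hand, using the Postman Echo consumer key and secret from the description above; the token, token secret, nonce, timestamp and query parameter are constructed values. The verify_signature function is the matching server-side check, so the same code shows why a tampered parameter or wrong secret is rejected.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def _pct(value: str) -> str:
    # RFC 5849 section 3.6 encoding: only unreserved characters are left as-is
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Normalise all query and oauth_* parameters: encode, sort, join with '&' (section 3.4.1)
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(url), _pct(normalized)])


def hmac_sha1(base: str, consumer_secret: str, token_secret: str) -> str:
    # Signing key is the two encoded secrets joined by '&' (section 3.4.2)
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 query=None, nonce=None, timestamp=None):
    """Return (Authorization header value, oauth params, base string) for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,  # access token obtained out of band, as the PR describes
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**(query or {}), **oauth})
    oauth["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{k}="{_pct(v)}"' for k, v in sorted(oauth.items()))
    return header, oauth, base


def verify_signature(method, url, query, oauth, consumer_secret, token_secret) -> bool:
    # Server-side check: rebuild the base string from everything except the signature
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    base = signature_base_string(method, url, {**query, **unsigned})
    expected = hmac_sha1(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth.get("oauth_signature", ""))
```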

@Udhay-Adithya Udhay-Adithya marked this pull request as ready for review July 23, 2025 10:03
@Udhay-Adithya (Contributor, Author) commented:

I’ve documented the different OAuth 2.0 redirect URI handling approaches (custom scheme, localhost loopback, HTTPS server callbacks, manual paste) and how they apply to our API client.
This includes why Postman/Insomnia handle localhost URIs differently from a Flutter app, and what changes are needed to support each method.

Detailed notes: OAuth2 Redirect URI Handling — Gist

@Udhay-Adithya (Contributor, Author) commented:

Screen.Recording.2025-08-07.at.10.22.57.PM.mov

With ListView and No Scroll Physics

Screen.Recording.2025-08-07.at.10.23.26.PM.mov

With ListView and ClampingScrollPhysics

Unexpected Scroll behaviour

@animator (Member) commented:

@DenserMeerkat Can you please review this PR and add your feedback.

@DenserMeerkat (Contributor) commented:

@Udhay-Adithya

The OAuth 1.0 dropdowns and implementation work fine.

The Grant Type dropdown in OAuth 2.0 still doesn't automatically rebuild the fields on value change and requires a manual rebuild to update the content.
Also, can you mention the expected flows for the different OAuth 2.0 grant types with the mock-oauth2-server?

@Udhay-Adithya (Contributor, Author) commented:

1. Authorization Code Grant

  1. You must be redirected to the given authorization URL. Enter a mock user/subject here and click on Sign-in.

  2. Upon clicking Sign-in you must be redirected to the authorization success page.

  3. Now after this, in APIDash the response should look something like this, with the user/subject that you have provided during authorization.

  4. You should also get the session tokens to avoid repetitive manual authorizations. So, every request sent with these tokens should not open the authorization webpage and must instead return the result directly within APIDash.

2. Client Credentials Grant

  1. Enter a mock client id and client secret and send the request. This will directly return a response within APIDash along with an access token.

3. Resource Owner Password Grant

  1. Enter a mock username and password and send the request. Just like the Client Credentials Grant, this will also return a response directly within APIDash along with identity and access tokens.

@animator animator merged commit ec8eb0f into foss42:main Sep 23, 2025
@animator animator self-requested a review September 26, 2025 00:19
@animator animator linked an issue Sep 27, 2025 that may be closed by this pull request

Successfully merging this pull request may close these issues: "Add API Auth: OAuth 1.0" and "Implement OAuth 2.0 authentication".