
Add OAuth2 authorization page for authorization code flow #739 (Draft)

Copilot wants to merge 3 commits into develop from copilot/add-oauth2-authorization-server-interface

Conversation


Copilot AI commented May 30, 2026

Implements the webapp-side OAuth2 authorization code flow. Users are presented with a consent screen showing the requesting application's metadata and requested scopes, and can approve or decline access.

API Client

  • Regenerated from upstream swagger to include OAuth types (OAuthClientMetadataResponseData, OauthAuthorizeData, AccessTokenScopeData, etc.)
  • Updated generated OAuth client metadata types to include the new URI fields (logo_uri, client_uri, policy_uri, tos_uri)

Route & Page

  • /_auth/oauth/authorize — protected route with Zod search param validation for client_id, redirect_uri, code_challenge (required) and scope, state (optional)
  • OAuthAuthorizePage — consent UI showing client name, app logo, subtle links to client information / privacy policy / terms of service, required scope tags as provided by the backend, short internationalized scope descriptions, security note, approve/decline actions
  • Approve → calls GET /api/v1/oauth/authorize with PKCE params, follows redirect
  • Decline → redirects to redirect_uri with error=access_denied and state per RFC 6749 §4.1.2.1

Hooks & Data Layer

  • useOAuthClient(clientId) — fetches client metadata via GET /api/v1/oauth/clients/{clientId}
  • useOAuthAuthorize() — mutation wrapping the authorize endpoint
  • OAuthClient internal model strips client_secret and client_id_issued_at while mapping the new client URI metadata fields needed by the consent UI

i18n

  • OAuth consent translations added for all 5 languages (en, de, fr, es, it)
  • Scope keys use oauth.scopes.products_write / oauth.scopes.shops_manage with short descriptions for non-technical users
  • Added localized labels for the consent-page client metadata links and logo alt text

Tests (29)

  • Data mapping: field correctness, URI metadata mapping, secret exclusion, empty scopes
  • Route: meta tags, SSR disabled, param validation, defaults, missing required params
  • Component: loading/error states, logo and metadata links, scope rendering, approve/deny behavior, button disabled states, mutation error display, accessibility labels
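The search-param validation and the decline redirect described above, as an added example that is not the PR's code: it checks the required/optional params the route expects, requires redirect_uri to be an absolute http(s) URL without a fragment (RFC 6749 §3.1.2), and builds the error=access_denied redirect with state echoed only when the client sent one (RFC 6749 §4.1.2.1). Function names are hypothetical and only the WHATWG URL API is used.

```javascript
// Added example, not code from the PR. Mirrors the consent route's
// search-param rules and the RFC 6749 §4.1.2.1 decline redirect.

const REQUIRED = ["client_id", "redirect_uri", "code_challenge"];
const OPTIONAL = ["scope", "state"];

// Parse a query string (e.g. window.location.search) into the typed
// params the consent page needs. Throws on a missing required param or
// on a redirect_uri that is not an absolute, fragment-free http(s) URL.
function parseAuthorizeSearch(search) {
  const qs = new URLSearchParams(search);
  const out = {};
  for (const key of REQUIRED) {
    const value = qs.get(key);
    if (!value) throw new Error(`missing required search param: ${key}`);
    out[key] = value;
  }
  for (const key of OPTIONAL) {
    const value = qs.get(key);
    if (value) out[key] = value;
  }
  let target;
  try {
    target = new URL(out.redirect_uri); // rejects relative URLs
  } catch {
    throw new Error("redirect_uri must be an absolute URL");
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    throw new Error("redirect_uri must use http(s)");
  }
  if (target.hash) throw new Error("redirect_uri must not contain a fragment");
  // Whether redirect_uri matches the client's registered URIs is a
  // separate check against the client metadata; only the shape is
  // validated here.
  return out;
}

// URL the page navigates to when the user clicks Decline. The error is
// added to the query component of redirect_uri, existing query params
// are preserved, and state is echoed back only if one was supplied.
function buildDeclineRedirect(redirectUri, state) {
  const url = new URL(redirectUri);
  url.searchParams.set("error", "access_denied");
  if (state !== undefined) url.searchParams.set("state", state);
  return url.toString();
}
```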

Copilot AI linked an issue May 30, 2026 that may be closed by this pull request
- Regenerate API client to include OAuth types from swagger
- Add internal data model for OAuth client metadata (OAuthClient.ts)
- Add useOAuthClient hook to fetch client metadata
- Add useOAuthAuthorize hook for authorization mutation
- Add OAuthAuthorizePage component with approve/decline UI
- Add /oauth/authorize route under _auth layout (requires auth)
- Add i18n translations for OAuth scopes (de, en, es, fr, it)
- Add 28 tests (data mapping, route validation, component behavior)

cloudflare-workers-and-pages Bot commented May 30, 2026

Deploying with Cloudflare Workers. The latest updates on your project:

Status: Deployment successful
Name: aura-historia-staging
Latest Commit: ca23633
Updated (UTC): May 31 2026, 11:44 AM

Copilot AI changed the title [WIP] Add OAuth2 Authorization-Server Interface Add OAuth2 authorization page for authorization code flow May 30, 2026
Copilot AI requested a review from bruderj15 May 30, 2026 08:54

@bruderj15 (Member) commented

@copilot solid start.

The backend added additional fields for oauth-client metadata, see Changelog.

Please use them to display the app logo and subtly provide links to ToS, Privacy policy and client-uri (more information about the client). Keep in mind users are NON-TECHNICAL.

Also please display the required scopes: display the scope tag as provided by backend AND display an internationalized short description (probably one short sentence is enough) of what each required scope entails/does.


Copilot AI commented May 31, 2026

> @copilot solid start.
>
> The backend added additional fields for oauth-client metadata, see [Changelog](https://github.com/aura-historia/internal-api/blob/master/CHANGELOG.md#2026-05-31---oaut...

Addressed in ca23633.
