@utkrishtsahu utkrishtsahu commented Oct 6, 2025

feat: Add comprehensive DPoP (RFC 9449) support across all platforms

This commit implements full DPoP (Demonstrating Proof of Possession) support
for the auth0-flutter SDK across Web, Android, and iOS platforms, enhancing
security by cryptographically binding access tokens to clients.

📦 Dependencies Updated

  • Android: com.auth0.android:auth0:3.10.0
  • iOS/macOS: Auth0:2.14.0, JWTDecode:3.3.0, SimpleKeychain:1.3.0
  • Web: @auth0/[email protected]

✨ New Features

Web Platform

  • Upgraded Auth0 SPA JS SDK from v2.0 to v2.9.0 with unpkg CDN
  • Added useDPoP constructor parameter to Auth0Web class
  • Implemented SDK loading verification with timeout handling
  • Added comprehensive error handling and logging

Android Platform

  • Upgraded Auth0.Android SDK from v3.9.0 to v3.10.0
  • Implemented reflection-based DPoP enablement for WebAuthProvider
  • Added fallback mechanisms for different SDK versions
  • Enhanced plugin initialization with proper context management

iOS/macOS Platform

  • Upgraded Auth0.Swift SDK from v2.10.0 to v2.14.0
  • Upgraded JWTDecode from v3.2.0 to v3.3.0
  • Upgraded SimpleKeychain from v1.2.0 to v1.3.0
  • Updated all podspec files (darwin/, ios/, macos/)

📚 Documentation

  • Added comprehensive DPoP section to README.md (~184 lines)
  • Included usage examples for all platforms (Web, Android, iOS)
  • Added configuration requirements and troubleshooting guide
  • Documented platform-specific features and API usage
  • Added links to RFC 9449 and Auth0 documentation

🧪 Testing

  • Added 17 DPoP-specific tests for mobile platforms (30 total)
  • Added 21 DPoP-specific tests for web platform (68 total)
  • Fixed test exception type mismatches (WebException)
  • All 122 tests passing across all platforms

🔧 Technical Changes

Build Configuration

  • Upgraded Android Gradle to 8.4.0
  • Upgraded Java compatibility to version 17
  • Upgraded Kotlin JVM target to 17
  • Updated compileSdk to 35

🔐 Security Enhancements

  • Token theft prevention through cryptographic binding
  • Replay attack protection with fresh DPoP proofs
  • Cross-platform security consistency
  • Automatic DPoP proof generation by native SDKs

🚀 Platform Support

  • ✅ Web: Full DPoP support with SPA JS SDK 2.9.0
  • ✅ Android: Full DPoP support with Auth0.Android 3.10.0
  • ✅ iOS: Full DPoP support with Auth0.Swift 2.14.0
  • ✅ macOS: Full DPoP support with Auth0.Swift 2.14.0

@arpit-jn
Contributor

val builder = api.userInfo(request.data["accessToken"] as String)
val accessToken = request.data["accessToken"] as String
val tokenType = request.data["tokenType"] as? String ?: "Bearer"
val builder = api.userInfo(accessToken)
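
Review bot: `tokenType` is read from the request and defaulted to "Bearer" on the line above, but `api.userInfo(accessToken)` still receives only the token, so the type never reaches the native client and a DPoP-bound token would be handled as a Bearer token; forward it as `api.userInfo(accessToken, tokenType)` so the client applies the DPoP scheme when the Dart side sends it.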
Contributor

You need to pass the token type to the api.userInfo(accessToken, tokenType)

builder.addParameters(request.data["parameters"] as Map<String, String>)
}

builder.addHeader("Authorization", "$tokenType $accessToken")
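
Review bot: setting `Authorization` by hand with `builder.addHeader("Authorization", "$tokenType $accessToken")` duplicates the header the native client builds from the token type, and for a DPoP-bound token the request also needs the per-request DPoP proof header, which the description says the native SDKs generate automatically; a hand-built Authorization header on its own would present a DPoP token without a proof, so drop the `addHeader` and let the client derive both headers from the `tokenType` passed to `userInfo`.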
Contributor

No need to add the header here. The Android native client will take care of it.

let tokenType = arguments[Argument.tokenType] as? String ?? "Bearer"

client
.userInfo(withAccessToken: accessToken)
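
Review bot: same gap as on Android: `tokenType` is computed at `let tokenType = arguments[Argument.tokenType] as? String ?? "Bearer"` but `.userInfo(withAccessToken: accessToken)` does not receive it, so the call falls back to Bearer handling even when the Dart side sends a DPoP token type; pass the token type into the `userInfo` call. Since the default is a silent fallback to Bearer, the README's DPoP section should also state that the Dart caller must supply the token type for DPoP-bound tokens.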
Contributor

Same as Android, tokenType should be passed here to the userInfo call
client .userInfo(withAccessToken: accessToken,tokenType)

client
.userInfo(withAccessToken: accessToken)
.parameters(parameters)
.headers(["Authorization": "\(tokenType) \(accessToken)"])
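
Review bot: `.headers(["Authorization": "\(tokenType) \(accessToken)"])` overrides the Authorization header the Auth0.Swift client builds itself and does so without the DPoP proof header a DPoP-bound token requires; remove the `.headers(...)` call and pass `tokenType` to `userInfo` so the client sets both headers and the proof generation the description relies on actually runs.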
Contributor

You can remove these headers here

@utkrishtsahu utkrishtsahu merged commit d0ab5d2 into main Dec 10, 2025
11 of 13 checks passed
@utkrishtsahu utkrishtsahu deleted the DPoP_upport_flutter branch December 10, 2025 05:16