feat(mobile): Implement Keycloak WebView authentication with HTTP callback

- Replace flutter_appauth with custom WebView implementation to resolve deep link issues
- Add KeycloakWebViewAuthService with integrated WebView for seamless authentication
- Configure Android manifest for HTTP cleartext traffic support
- Add network security config for development environment (192.168.1.11)
- Update Keycloak client to use HTTP callback endpoint (http://192.168.1.11:8080/auth/callback)
- Remove obsolete keycloak_auth_service.dart and temporary scripts
- Clean up dependencies and regenerate injection configuration
- Tested successfully on multiple Android devices (Xiaomi 2201116TG, SM A725F)

BREAKING CHANGE: Authentication flow now uses WebView instead of external browser
- Users will see Keycloak login page within the app instead of browser redirect
- Resolves ERR_CLEARTEXT_NOT_PERMITTED and deep link state management issues
- Maintains full OIDC compliance with PKCE flow and secure token storage

Technical improvements:
- WebView with custom navigation delegate for callback handling
- Automatic token extraction and user info parsing from JWT
- Proper error handling and user feedback
- Consistent authentication state management across app lifecycle

keycloak-resource-server-config.md

@@ -0,0 +1,107 @@
+# Configuration Keycloak Resource Server pour UnionFlow
+
+## Problème Identifié
+Le client "unionflow-server" n'est pas configuré comme Resource Server dans Keycloak, causant des erreurs 403 avec le Policy Enforcer.
+
+## Solution : Configuration du Resource Server
+
+### 1. Accéder à Keycloak Admin Console
+- URL: http://localhost:8180/admin
+- Realm: unionflow
+- Client: unionflow-server
+
+### 2. Activer Authorization Services
+1. Aller dans **Clients** → **unionflow-server**
+2. Dans l'onglet **Settings**:
+   - **Authorization Enabled**: ON
+   - **Service Accounts Enabled**: ON
+   - **Standard Flow Enabled**: ON
+3. Cliquer **Save**
+
+### 3. Configurer les Resources
+Dans l'onglet **Authorization** → **Resources**, créer:
+
+#### Resource: evenements-api
+- **Name**: evenements-api
+- **Display Name**: API Événements
+- **URI**: /api/evenements/*
+- **Scopes**: read, write, delete
+
+#### Resource: membres-api
+- **Name**: membres-api
+- **Display Name**: API Membres
+- **URI**: /api/membres/*
+- **Scopes**: read, write, delete
+
+#### Resource: cotisations-api
+- **Name**: cotisations-api
+- **Display Name**: API Cotisations
+- **URI**: /api/cotisations/*
+- **Scopes**: read, write, delete
+
+### 4. Configurer les Scopes
+Dans **Authorization** → **Authorization Scopes**:
+- **read**: Lecture des données
+- **write**: Écriture des données
+- **delete**: Suppression des données
+
+### 5. Configurer les Policies
+Dans **Authorization** → **Policies**:
+
+#### Policy: Admin Policy
+- **Type**: Role Based
+- **Name**: admin-policy
+- **Roles**: ADMIN, PRESIDENT
+
+#### Policy: Member Policy
+- **Type**: Role Based
+- **Name**: member-policy
+- **Roles**: MEMBRE, SECRETAIRE, TRESORIER
+
+### 6. Configurer les Permissions
+Dans **Authorization** → **Permissions**:
+
+#### Permission: Événements Full Access
+- **Name**: evenements-full-access
+- **Resource**: evenements-api
+- **Scopes**: read, write, delete
+- **Policies**: admin-policy
+
+#### Permission: Événements Read Access
+- **Name**: evenements-read-access
+- **Resource**: evenements-api
+- **Scopes**: read
+- **Policies**: member-policy
+
+### 7. Vérifier la Configuration
+1. Dans **Authorization** → **Evaluate**, tester avec différents utilisateurs
+2. Vérifier que les tokens contiennent les bonnes permissions
+
+## Configuration Application Properties
+
+```properties
+# Policy Enforcer en mode PERMISSIVE pour développement
+%dev.quarkus.keycloak.policy-enforcer.enable=true
+%dev.quarkus.keycloak.policy-enforcer.lazy-load-paths=true
+%dev.quarkus.keycloak.policy-enforcer.enforcement-mode=PERMISSIVE
+
+# Une fois configuré, passer en ENFORCING
+%prod.quarkus.keycloak.policy-enforcer.enforcement-mode=ENFORCING
+```
+
+## Test de Validation
+
+```bash
+# 1. Obtenir un token
+curl -X POST "http://localhost:8180/realms/unionflow/protocol/openid-connect/token" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "grant_type=password&username=admin@unionflow.dev&password=admin123&client_id=unionflow-server&client_secret=unionflow-secret-2025"
+
+# 2. Tester l'API avec le token
+curl -H "Authorization: Bearer <TOKEN>" "http://localhost:8080/api/evenements/publics"
+```
+
+## Résultat Attendu
+- ✅ Plus d'erreurs "invalid_clientId"
+- ✅ API accessible avec authentification
+- ✅ Permissions basées sur les rôles fonctionnelles