oauth2: Missing code_verifier parameter in token exchange OpenAPI spec #4099

@chirag1807

Description

Preflight checklist

Ory Network Project

No response

Describe the bug

Problem

The OAuth2 token exchange endpoint (/oauth2/token) supports the code_verifier parameter (used in PKCE), but it is currently missing from the OpenAPI specification.

This causes:

  • SDKs generated from the spec to not include code_verifier
  • Incomplete API documentation
  • Potential integration issues for clients using PKCE

Expected Behavior

The OpenAPI spec should include code_verifier as a form parameter for the token endpoint.

Reproducing the bug

  1. Check the OpenAPI (Swagger) specification for /oauth2/token
  2. Inspect the parameters defined under oauth2TokenExchange
  3. Observe that code_verifier is not present in the spec

However, Hydra accepts code_verifier as part of the token request when using PKCE.

Proposed Fix

A fix has been proposed in: #4098

Version

v26.2.0

On which operating system are you observing this issue?

Windows

In which environment are you deploying?

None

Additional Context

No response
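
The check in the reproduction steps, automated as an added example (not code from the issue or from Hydra): it lists the authorization-code and PKCE form fields that a spec does not declare for POST /oauth2/token. The spec fragment and the schema name tokenForm are constructed for illustration; the expected field names are those of RFC 6749 section 4.1.3 and RFC 7636 section 4.5.

```python
# Fields a client sends when redeeming an authorization code with PKCE
# (RFC 6749 section 4.1.3 plus code_verifier from RFC 7636 section 4.5).
EXPECTED = {"grant_type", "code", "redirect_uri", "client_id", "code_verifier"}
FORM = "application/x-www-form-urlencoded"

def resolve(spec, node):
    """Follow local '#/...' $ref pointers; return other nodes unchanged."""
    while isinstance(node, dict) and "$ref" in node:
        target = spec
        for part in node["$ref"].split("/")[1:]:
            target = target[part]
        node = target
    return node

def token_form_fields(spec, path="/oauth2/token"):
    """Form field names declared for POST <path>, OpenAPI 3 or Swagger 2."""
    op = spec["paths"][path]["post"]
    fields = set()
    # Swagger 2.0 style: parameters declared with in=formData.
    for param in op.get("parameters", []):
        param = resolve(spec, param)
        if param.get("in") == "formData":
            fields.add(param["name"])
    # OpenAPI 3 style: properties of the form-encoded request body schema.
    body = resolve(spec, op.get("requestBody", {}))
    schema = resolve(spec, body.get("content", {}).get(FORM, {}).get("schema", {}))
    fields.update(schema.get("properties", {}))
    return fields

def missing_pkce_fields(spec):
    """Sorted list of expected fields the spec does not declare."""
    return sorted(EXPECTED - token_form_fields(spec))

# Constructed fragment (not copied from Hydra's spec) with the gap the issue
# describes; "tokenForm" is a hypothetical schema name.
SPEC = {
    "paths": {"/oauth2/token": {"post": {
        "operationId": "oauth2TokenExchange",
        "requestBody": {"content": {FORM: {"schema": {
            "$ref": "#/components/schemas/tokenForm"}}}},
    }}},
    "components": {"schemas": {"tokenForm": {"type": "object", "properties": {
        name: {"type": "string"} for name in
        ("grant_type", "code", "refresh_token", "redirect_uri", "client_id")}}}},
}

if __name__ == "__main__":
    print("missing from spec:", missing_pkce_fields(SPEC))
```

Run against a real spec by loading its JSON into a dict and passing it to missing_pkce_fields; a non-empty result in CI flags generated SDKs that cannot send the PKCE verifier.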

Labels

bug: Something is not working.