fix: add code_verifier to token exchange OpenAPI spec

[chirag1807]

This PR fixes a mismatch between the OAuth2 token endpoint implementation and the OpenAPI (Swagger) specification by adding the missing code_verifier parameter to the token exchange request.

Hydra already supports PKCE, but the code_verifier field was not included in the swagger:parameters oauth2TokenExchange definition. This caused generated SDKs and API documentation to be incomplete.

Related issue(s)

oauth2: Missing code_verifier parameter in token exchange OpenAPI spec

Checklist

• I have read the contributing guidelines.
• [ ] I have referenced an issue containing the design document if my change
  introduces a new feature. N/A - updating existing feature
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  security@ory.com) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• [ ] I have added or changed the documentation. N/A

Summary by CodeRabbit

Summary by CodeRabbit

• New Features

  • Optional OAuth2 PKCE support: allow sending a code_verifier with token exchange requests.

• Documentation

  • Updated OAuth2 token exchange docs and examples to show the optional code_verifier parameter.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 8ba38e5b-34af-4372-aed4-8c5a48b8592a

📥 Commits

Reviewing files that changed from the base of the PR and between 4ff44fd and 6576b8f.

📒 Files selected for processing (1)

• oryx/pagination/keysetpagination_v2/page_token.go

✅ Files skipped from review due to trivial changes (1)

• oryx/pagination/keysetpagination_v2/page_token.go

---

📝 Walkthrough

Walkthrough

Adds optional OAuth2 PKCE code_verifier form parameter to the token exchange across OpenAPI/Swagger specs, generated HTTP client, documentation, and the server handler, enabling clients to include code_verifier in /oauth2/token requests.

Changes

Cohort / File(s)	Summary
OpenAPI & Swagger Specifications internal/httpclient/api/openapi.yaml, spec/api.json, spec/swagger.json	Added optional code_verifier (string) to the token exchange request schema / form parameters; no other schema or response changes.
Generated HTTP Client & Docs internal/httpclient/api_o_auth2.go, internal/httpclient/docs/OAuth2API.md	Added codeVerifier *string to ApiOauth2TokenExchangeRequest, CodeVerifier(...) fluent setter, conditional inclusion of code_verifier in form submission, and updated usage example/docs.
OAuth2 Handler oauth2/handler.go	Extended token exchange parameter binding to accept code_verifier form field for server-side handling of PKCE.
Misc (imports reorder) oryx/pagination/keysetpagination_v2/page_token.go	Only reordered an import; no functional change.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• oauth2: Missing code_verifier parameter in token exchange OpenAPI spec #4099 — Addresses the missing PKCE code_verifier parameter in client/server/spec that the issue reports.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and accurately summarizes the main change: adding the code_verifier parameter to the OAuth2 token exchange OpenAPI specification.
Description check	✅ Passed	The description covers the key aspects: it explains the issue (missing code_verifier in spec despite implementation support), references the related issue (#4099), and includes a completed checklist with appropriate N/A annotations.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

spec/swagger.json (1)

2177-2181: ⚡ Quick win

Add description for the code_verifier parameter.

The newly added code_verifier parameter lacks a description field. Adding documentation would improve the generated SDK documentation and help API consumers understand this PKCE-related parameter.

📝 Suggested enhancement

 {
   "type": "string",
+  "description": "OAuth 2.0 PKCE Code Verifier\n\nThe code verifier for the OAuth 2.0 PKCE flow. This parameter is required when the authorization request included a code_challenge. The code_verifier is a cryptographically random string using the characters [A-Z] / [a-z] / [0-9] / \"-\" / \".\" / \"_\" / \"~\", with a minimum length of 43 characters and a maximum length of 128 characters.",
   "name": "code_verifier",
   "in": "formData"
 }

Optionally, you could also add format constraints per RFC 7636:

 {
   "type": "string",
+  "description": "OAuth 2.0 PKCE Code Verifier\n\nThe code verifier for the OAuth 2.0 PKCE flow. This parameter is required when the authorization request included a code_challenge.",
+  "minLength": 43,
+  "maxLength": 128,
+  "pattern": "^[A-Za-z0-9-._~]+$",
   "name": "code_verifier",
   "in": "formData"
 }

Note: Format constraints may be enforced server-side, so the pattern/length constraints are optional depending on your validation strategy.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/swagger.json` around lines 2177 - 2181, Add a descriptive "description"
field to the OpenAPI parameter named "code_verifier" so SDKs and docs explain
its purpose (it's the PKCE code verifier used in OAuth 2.0 authorization flows).
Update the parameter object for "code_verifier" (the parameter with "name":
"code_verifier", "in": "formData") to include a concise description such as that
it is the original high-entropy random string generated by the client for PKCE,
and optionally add RFC 7636 constraints (e.g., allowed characters/pattern and
min/max length) if you want schema-level validation.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/httpclient/docs/OAuth2API.md`:
- Line 1373: The markdown table row for codeVerifier is missing the trailing
cell separator; update the table row for "codeVerifier" (the row showing
**codeVerifier** | **string** |  |) to include the fourth cell delimiter by
adding a trailing pipe so the row has four cells properly terminated, ensuring
the table aligns and fixes markdownlint MD055/MD056 warnings.

---

Nitpick comments:
In `@spec/swagger.json`:
- Around line 2177-2181: Add a descriptive "description" field to the OpenAPI
parameter named "code_verifier" so SDKs and docs explain its purpose (it's the
PKCE code verifier used in OAuth 2.0 authorization flows). Update the parameter
object for "code_verifier" (the parameter with "name": "code_verifier", "in":
"formData") to include a concise description such as that it is the original
high-entropy random string generated by the client for PKCE, and optionally add
RFC 7636 constraints (e.g., allowed characters/pattern and min/max length) if
you want schema-level validation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 420f8f1b-1b5f-4aae-b8a1-f7cb49c517e0

📥 Commits

Reviewing files that changed from the base of the PR and between a54baeb and 4ff44fd.

📒 Files selected for processing (6)

• internal/httpclient/api/openapi.yaml
• internal/httpclient/api_o_auth2.go
• internal/httpclient/docs/OAuth2API.md
• oauth2/handler.go
• spec/api.json
• spec/swagger.json

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix malformed Markdown table row for codeVerifier

Line 1373 is missing a properly terminated 4th cell, causing markdownlint MD055/MD056 warnings. This can break rendered docs/table alignment in some viewers.

Suggested fix

- **codeVerifier** | **string** |  | 
+ **codeVerifier** | **string** |  |  |

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	**codeVerifier** | **string** | |
	**codeVerifier** | **string** | | |

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 1373-1373: Table pipe style
Expected: no_leading_or_trailing; Actual: trailing_only; Unexpected trailing pipe

(MD055, table-pipe-style)

---

[warning] 1373-1373: Table column count
Expected: 4; Actual: 3; Too few cells, row will be missing data

(MD056, table-column-count)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/httpclient/docs/OAuth2API.md` at line 1373, The markdown table row
for codeVerifier is missing the trailing cell separator; update the table row
for "codeVerifier" (the row showing **codeVerifier** | **string** |  |) to
include the fourth cell delimiter by adding a trailing pipe so the row has four
cells properly terminated, ensuring the table aligns and fixes markdownlint
MD055/MD056 warnings.