Fix: Add front channel grant flow details to RAR documentation for all affected versions (Product IS issue #26020)

[wso2-engineering-bot]

This PR was automatically generated by Claude AI.

• Issue: Missing details to invoke front channel grant types with authorization details product-is#26020
• Type: Documentation (Missing Content)
• Summary: Added front channel grant flow (Authorization Code) implementation details to the Rich Authorization Requests documentation. The original documentation only included back channel grant (Client Credentials) flow details.
• Affected Versions: 7.1.0, 7.2.0, next (all versions using the common include file)
• Style Scope Verification: Microsoft Style Guidelines have been applied to the newly added content without modifying existing content style.
• Verification: mkdocs build passed successfully for version 7.2.0

Changes Made:

• Added new section "Sample authorization code grant flow" with complete step-by-step implementation
• Included authorization endpoint request example with authorization_details parameter
• Included token endpoint request/response examples for code-to-token exchange
• Followed Microsoft Style Guide for all new content (active voice, present tense, sentence case headings, proper formatting)

Technical Details:

• Changes made to: en/includes/guides/authorization/rich-authorization-requests.md (common include file)
• This single change automatically affects all versions (7.1.0, 7.2.0, and next) that reference this include file
• No images were added (diagram would require manual creation)

Summary by CodeRabbit

• Documentation
  • Added comprehensive guide on implementing rich authorization requests with the authorization code grant flow
  • Includes step-by-step instructions for initiating authorization requests and exchanging authorization codes for access tokens
  • Provides sample requests and responses for both authorize and token endpoints
  • Demonstrates JSON payloads with authorization_details configuration

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

wso2-engineering-bot seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Walkthrough

This PR adds documentation for integrating rich authorization requests with the authorization code grant flow, including step-by-step instructions, sample requests/responses for both authorize and token endpoints, and JSON payloads illustrating authorization_details usage.

Changes

Cohort / File(s)

Summary

Documentation: Authorization Guide en/includes/guides/authorization/rich-authorization-requests.md

Added "Sample authorization code grant flow" section with Step 1 (initiate authorization request) and Step 2 (exchange authorization code for access token), including sample requests/responses for both authorize and token endpoints. Introduced JSON payloads showing authorization_details for authorization_code flow with descriptions of flow and UI implications. Note: Content appears duplicated in diff with the same section appended twice.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Areas requiring attention:

• Verify and resolve the duplicate "Sample authorization code grant flow" section—determine if this is intentional or should be consolidated
• Confirm JSON payload examples are accurate and match current API specifications
• Validate that the authorization_details structure aligns with other documentation sections

Poem

🐰 A guide springs forth, two-fold and bright,
Rich requests flowing, oh what delight!
Authorization flows, step by step we share,
(Though one copy's enough, I'd declare with care!) 🌿

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description provides purpose, related issue link, and technical details, but is missing required template sections like test environment and security checks.	Complete the required template sections: add test environment details and security check confirmations (or indicate N/A if not applicable to documentation changes).

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: adding front channel grant flow details to RAR documentation, and links to the specific issue being resolved.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fixing-product-is-issue-26020-1762527948

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

en/includes/guides/authorization/rich-authorization-requests.md (1)

3-3: Fix trailing spaces to pass markdown lint.

Line 3 contains trailing whitespace that violates the MD009 rule (expected 0 or 2 spaces; actual: 1).

-Rich Authorization Requests (RAR) ([RFC 9396](https://datatracker.ietf.org/doc/html/rfc9396){:target="_blank"}) enhance authorization mechanisms by allowing clients to specify fine-grained authorization details in a structured format. 
+Rich Authorization Requests (RAR) ([RFC 9396](https://datatracker.ietf.org/doc/html/rfc9396){:target="_blank"}) enhance authorization mechanisms by allowing clients to specify fine-grained authorization details in a structured format.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d763c09 and d486ce4.

📒 Files selected for processing (1)

• en/includes/guides/authorization/rich-authorization-requests.md (1 hunks)

🧰 Additional context used

🪛 GitHub Actions: Markdown Lint

en/includes/guides/authorization/rich-authorization-requests.md

[error] 3-3: markdownlint: MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1]. Step: markdownlint-cli2-action@v20.

🪛 Gitleaks (8.28.0)

en/includes/guides/authorization/rich-authorization-requests.md

[high] 367-367: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

[high] 368-368: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: broken-link-checker
• GitHub Check: Vale style check

🔇 Additional comments (2)

en/includes/guides/authorization/rich-authorization-requests.md (2)

326-394: Verify no content duplication in the diff.

The AI-generated summary indicates the "Sample authorization code grant flow" section appears twice with identical content, but the provided annotated code shows only a single instance (lines 326-394). Please confirm whether the diff contains duplication. If duplication exists, remove one instance to avoid redundancy.

---

326-394: New authorization code grant section is well-structured and complete.

The new "Sample authorization code grant flow" section effectively documents the front-channel flow with clear step-by-step guidance, comprehensive examples for both authorize and token endpoints, and proper integration with existing content. The formatting, markdown structure, and adherence to Microsoft Style Guide are all appropriate for the documentation.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Gitleaks flagged sample tokens—document as placeholders.

Gitleaks detected lines 367–368 as Generic API Keys. These are placeholder tokens in documentation examples, not secrets. However, to prevent confusion and reinforce that these are sample values, consider adding a brief comment before the JSON block indicating these are example/placeholder tokens.

Example improvement:

 === "Sample response (/token)"
+    
+    <!-- Example response with placeholder tokens -->
 
     ```json

Alternatively, use more explicit placeholder markers in the sample values themselves (e.g., <sample-access-token> as inline comments near the JSON block).

🧰 Tools

🪛 Gitleaks (8.28.0)

[high] 367-367: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

[high] 368-368: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🤖 Prompt for AI Agents

In en/includes/guides/authorization/rich-authorization-requests.md around lines
365 to 391, the JSON sample contains realistic-looking tokens that triggered
Gitleaks; update the documentation to clearly mark these values as non-sensitive
placeholders by either adding a one-line comment immediately above the code
block stating "Example values — do not use in production" (or similar), and/or
replace the access_token and refresh_token values with explicit placeholder
strings like "<sample-access-token>" and "<sample-refresh-token>" so the example
cannot be misinterpreted as real credentials.