@wso2-engineering-bot wso2-engineering-bot commented Nov 12, 2025

This PR was automatically generated by Claude AI.

Changes made

Added a new step 8 titled "Exchange authorization code for tokens" to the app-native authentication documentation that includes:

  1. Token endpoint documentation - Clear specification of the /oauth2/token endpoint
  2. Sample and example requests - Complete curl examples showing:
    • How to exchange the authorization code for tokens
    • Required parameters: grant_type, code, redirect_uri, client_id, client_secret
  3. Token response structure - Complete sample response with descriptions of:
    • access_token - Token for accessing protected resources
    • refresh_token - Token for obtaining new access tokens
    • id_token - JWT containing user identity information
    • token_type - Type of token (Bearer)
    • expires_in - Token lifetime in seconds
    • scope - Granted scopes
  4. Important note - Highlighting that redirect_uri must match the initial authorization request

Affected versions

This fix applies to all versions that support app-native authentication:

  • 7.0.0
  • 7.1.0
  • 7.2.0
  • next (latest)

The change was made to the shared include file (en/includes/references/app-native-authentication.md), ensuring consistent documentation across all versions.

Style scope verification

Microsoft Style Guidelines have been applied to the newly added step 8 content, including:

  • Sentence case headings ("Exchange authorization code for tokens")
  • Active voice and present tense
  • Clear, concise language following plain language principles
  • Proper formatting of code elements in backticks
  • Structured parameter descriptions with consistent formatting
  • Present tense for technical descriptions

Existing content in the document was not modified to ensure style compliance is limited to new additions only.

Verification

  • ✅ All four affected versions verified to use the shared include file
  • ✅ Token exchange examples follow OAuth 2.0 standards
  • ✅ Content is AI-friendly for copilot coding assistance
  • ✅ Documentation follows Microsoft Style Guide for new content
  • ⏳ Build verification will be confirmed by CI/CD pipeline

Summary by CodeRabbit

  • Documentation
    • Enhanced app-native authentication guide with comprehensive token exchange documentation covering authorization code-to-access-token exchange workflow, including practical examples, sample requests, response structures with token artifacts, and important parameter requirements.
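As an added example (not part of this PR or of the WSO2 documentation it changes), a minimal Python client for the step described above: it builds the /oauth2/token authorization-code exchange with the listed parameters, refuses to send when redirect_uri differs from the one used in the authorization request, and validates the documented response fields before any token is used. The endpoint host and all token values are placeholders.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"  # placeholder host; the path is the one step 8 documents

def build_token_request(code, redirect_uri, client_id, client_secret, authz_redirect_uri):
    """Form body for the authorization_code grant with the parameters step 8 lists."""
    # Per the doc's note, redirect_uri must match the authorization request exactly;
    # fail locally rather than spend the single-use code on a request the server rejects.
    if redirect_uri != authz_redirect_uri:
        raise ValueError("redirect_uri does not match the initial authorization request")
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })

def parse_token_response(raw):
    """Check the JSON response for the fields step 8 documents before using any token."""
    data = json.loads(raw)
    if "error" in data:  # RFC 6749 error response, e.g. invalid_grant for a reused code
        raise RuntimeError(f"token endpoint returned {data['error']}")
    for field in ("access_token", "token_type", "expires_in"):
        if field not in data:
            raise ValueError(f"token response missing {field}")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "id_token": data.get("id_token"),  # a JWT: verify its signature before trusting claims
        "expires_in": int(data["expires_in"]),
        "scope": set(data.get("scope", "").split()),  # granted scopes are space-separated
    }

def exchange_code(code, redirect_uri, client_id, client_secret, authz_redirect_uri):
    """POST the exchange over HTTPS and return the validated tokens (needs a live server)."""
    body = build_token_request(code, redirect_uri, client_id, client_secret, authz_redirect_uri)
    req = Request(TOKEN_ENDPOINT, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode())

# Constructed sample response; token values are obviously synthetic so secret scanners skip them.
SAMPLE_RESPONSE = json.dumps({"access_token": "EXAMPLE-ACCESS-TOKEN", "refresh_token": "EXAMPLE-REFRESH-TOKEN",
                              "id_token": "EXAMPLE.ID.TOKEN", "token_type": "Bearer", "expires_in": 3600, "scope": "openid profile"})
```

Using obviously synthetic values such as EXAMPLE-ACCESS-TOKEN in documentation also avoids the kind of secret-scanner hit that Gitleaks raised on this PR.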

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

wso2-engineering-bot seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.


coderabbitai bot commented Nov 12, 2025

Walkthrough

Documentation update to the app-native authentication guide adding a token exchange section explaining how to exchange authorization codes for access tokens at the /token endpoint. Includes sample requests, responses, and parameter descriptions duplicated across two scenarios.

Changes

| Cohort / File(s) | Summary |
|---|---|
| App-native authentication token exchange guide<br>`en/includes/references/app-native-authentication.md` | Added token exchange section describing the /token endpoint workflow, including sample HTTP requests, JSON response structure showing access_token, refresh_token, scope, id_token, token_type, and expires_in artifacts, plus parameter documentation and redirect_uri validation note. Section duplicated for two authentication scenarios. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Client as Client Application
    participant AuthServer as Authorization Server
    participant TokenEndpoint as /token Endpoint

    Client->>AuthServer: 1. User authorizes app
    AuthServer->>Client: 2. Returns authorization code

    rect rgb(200, 220, 255)
        Note over Client,TokenEndpoint: Token Exchange (newly documented)
        Client->>TokenEndpoint: POST /token with<br/>authorization code
        TokenEndpoint->>TokenEndpoint: Validate code & redirect_uri
        TokenEndpoint->>Client: Returns access_token,<br/>refresh_token, id_token, etc.
    end

    Client->>Client: Uses access_token for API calls
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Verify accuracy of API endpoint documentation and token response fields
  • Confirm that duplication across two scenarios is intentional and consistent
  • Check that example request/response values are valid and represent the actual API behavior

Poem

🐰 A token exchange takes flight,
Two scenarios now shine so bright!
Authorization codes leap and dance,
Trading for access with a single chance,
Our documentation hops along! 🌟

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The PR description is comprehensive and well-structured, but diverges significantly from the required template which specifies Purpose, Related PRs, Test environment, and Security checks sections. | Align description with the required template by explicitly including Purpose section with issue link, Related PRs section, Test environment section, and Security checks checklist to maintain consistency with repository standards. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding the authorization code to token exchange step documentation for app-native authentication across all affected versions. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fixing-product-is-issue-26237-1762915289


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
en/includes/references/app-native-authentication.md (1)

244-949: Clarify: Should scenarios show the complete token exchange step?

The five scenarios (Scenario 1–5) document authentication flows up to receiving the authorization code but don't include the token exchange step added in step 8. This may be intentional (scenarios focus on authentication steps only, with token exchange shown separately in the main flow), or it could be an oversight.

If the intent is to show end-to-end flows for users, consider whether one or more scenarios should be updated to include the token exchange. If this is by design, the current approach is fine—just worth confirming.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 27071f8 and 3a19907.

📒 Files selected for processing (1)
  • en/includes/references/app-native-authentication.md (1 hunks)
🧰 Additional context used

🪛 Gitleaks (8.29.0)

en/includes/references/app-native-authentication.md

  • [high] 222-222: Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (generic-api-key)
  • [high] 223-223: Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (generic-api-key)
  • [high] 225-225: Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (generic-api-key)

🔇 Additional comments (1)
en/includes/references/app-native-authentication.md (1)

189-239: Approve content; note Gitleaks false-positive warnings on example tokens.

The new step 8 appropriately completes the OAuth 2.0 flow documentation. Content is well-structured, technically accurate (correct grant type, required parameters, token response fields), and aligns with existing documentation style. Parameter descriptions are clear and the important redirect_uri matching note is included.

The Gitleaks warnings flagging lines 222, 223, and 225 are likely false positives—these are clearly example/dummy tokens in a documentation context (indicated by truncation and format). However, automated scans may flag these as credentials. This is worth monitoring during CI/CD verification, and you may consider adjusting example token formats (e.g., using more obviously synthetic values or documented placeholder patterns) if these alerts become problematic in your pipeline.
