Added code verifier as a parameter.

[mooreds]

This allows using PKCE code verifier with the client libs.

Fixes issue #17 .

I tested building the java and php client libs, and things looked ok. It compiled.

Wasn't sure quite how to make it optional, looked through https://github.com/inversoft/client-library-plugin/ but didn't see it.

[robotdan]

For typed languages, this will be a compile break. That may be ok, it shouldn't be too hard to fix.
One option is to make a new method for use with PKCE to make it more explicit and to not break the existing client method.

I could go either way. In general I would prefer not to break compile if we don't have to, in this case it may not be too bad to just add another method.

exchangeOAuthCodeForAccessTokenUsingPKCE or something like that?

[mooreds]

That makes sense. I'll add another json file with that name and the new params.

[mooreds]

@robotdan can I get a quick review on this? It's blocking @amans330 's PKCE work.

[robotdan]

Wondering if we want to use PKCE in the method name or not? We could also name it exchangeOAuthCodeForAccessTokenWithCodeVerifier would this be confusing?

[robotdan]

Generally, this is the same as the file name, or is this intentionally overloading the method w/ an additional parameter?

If so, that is ok, but we will need to ensure it doesn't break other client libs. Not all of them have the same naming rules that Java has, so you'll want to run a build of all client libs with this and see if they tolerate this or if they fail indicating they have duplicate signatures.

[mooreds]

Happy to go with convention and avoid overloading issues.

[robotdan]

Should we update this to indicate this version of the API takes the code_verifier for PKCE?

[mooreds]

Yup, good catch.

[robotdan]

The generated value used to build the code_challenge sent on the Authorization request.
This value will be used to produce a code_challenge that will then be compared to the value sent on the authorization request for equality.

This may need to be split up into separate lines to ensure formatting comes out ok.

[robotdan]

Your description is actually fine... but the "if you are using PKCE" threw me. Not sure why you would use this method if you aren't using PKCE? Unless we want to eventually deprecate the other method and use this one regardless of if they user is making the request with PKCE.

[mooreds]

Removed 'if you are using pkce'

[robotdan]

Added comments.

[robotdan]

This was already here, but perhaps should be re-written, not sure what it means. We are using the authorization code grant, otherwise we wouldn't be using this method.

[robotdan]

Or if you want to leave that is fine - I can re-word some of this stuff later, I don't want to hold you up too long fixing my technical debt. :-)

[mooreds]

OK. Was trying to keep this in line with the other exchange method, defined in exchangeOAuthCodeForAccessToken.json but will rewrite both to make it clearer.

[mooreds]

No worries, wasn't hard to change the verbiage a bit.

[mooreds]

@robotdan you comfortable with this as it is now? Would love to get this included in the next point release.