chore: Add PR's requested changes

Author: matiasperrone-exo

app/Http/Controllers/OAuth2/OAuth2ProviderController.php

@@ -90,7 +90,7 @@ public function __construct
             new OA\Parameter(name: 'redirect_uri', in: 'query', required: true, description: 'Redirect URI', schema: new OA\Schema(type: 'string', format: 'uri')),
             new OA\Parameter(name: 'scope', in: 'query', required: false, description: 'Space-delimited scopes', schema: new OA\Schema(type: 'string')),
             new OA\Parameter(name: 'state', in: 'query', required: false, description: 'Opaque state parameter', schema: new OA\Schema(type: 'string')),
-            new OA\Parameter(name: 'approval_prompt', in: 'query', required: false, description: 'Indicates whether the user should be re-prompted for consent. The default is auto, so a given user should only see the consent page for a given set of scopes the first time through the sequence. If the value is force, then the user sees a consent page even if they previously gave consent to your application for a given set of scopes.', enum: ['auto', 'force'], schema: new OA\Schema(type: 'string', enum: ['auto', 'force'])),
+            new OA\Parameter(name: 'approval_prompt', in: 'query', required: false, description: 'Indicates whether the user should be re-prompted for consent. The default is auto, so a given user should only see the consent page for a given set of scopes the first time through the sequence. If the value is force, then the user sees a consent page even if they previously gave consent to your application for a given set of scopes.', schema: new OA\Schema(type: 'string', enum: ['auto', 'force'])),
             new OA\Parameter(name: 'access_type', in: 'query', required: false, description: 'Indicates whether your application needs to access an API when the user is not present at the browser. This parameter defaults to online. If your application needs to refresh access tokens when the user is not present at the browser, then use offline. This will result in your application obtaining a refresh token the first time your application exchanges an authorization code for a user.', schema: new OA\Schema(type: 'string', enum: ['online', 'offline'])),
             new OA\Parameter(name: 'response_mode', in: 'query', required: false, description: 'OPTIONAL. Informs the Authorization Server of the mechanism to be used for returning Authorization Response parameters from the Authorization Endpoint. This use of this parameter is NOT RECOMMENDED with a value that specifies the same Response Mode as the default Response Mode for the Response Type used.\nThe default Response Mode for the OAuth 2.0 code Response Type is the query encoding. For purposes of this specification, the default Response Mode for the OAuth 2.0 token Response Type is the fragment encoding.', schema: new OA\Schema(type: 'string', enum: ['query', 'fragment', 'form_post', 'direct'])),
             new OA\Parameter(name: 'code_challenge', in: 'query', required: false, description: 'PKCE code challenge', schema: new OA\Schema(type: 'string')),
@@ -250,6 +250,7 @@ public function auth()
         summary: 'OAuth2 Token Endpoint',
         description: 'Issues access tokens. Supports authorization_code, client_credentials, password, refresh_token, and passwordless grant types.',
         tags: ['OAuth2 / OpenID Connect'],
+        security: [['OAuth2ProviderClientBasic' => []], ['OAuth2ProviderSecurity' => []]],
         requestBody: new OA\RequestBody(
             description: 'Token request parameters',
             required: true,

app/Swagger/OAuth2ProviderControllerSchemas.php

@@ -9,6 +9,7 @@
     title: 'OAuth2 Token Response',
     description: 'Successful token response per RFC 6749 §5.1',
     type: 'object',
+    required: ['access_token', 'token_type'],
     properties: [
         new OA\Property(property: 'access_token', type: 'string', description: 'The access token issued by the authorization server'),
         new OA\Property(property: 'token_type', type: 'string', description: 'The type of the token (typically Bearer)', example: 'Bearer'),
@@ -42,6 +43,7 @@ class OAuth2ErrorResponseSchema
     title: 'OAuth2 Token Introspection Response',
     description: 'Token introspection response per RFC 7662',
     type: 'object',
+    required: ['active'],
     properties: [
         new OA\Property(property: 'active', type: 'boolean', description: 'Whether the token is active'),
         new OA\Property(property: 'access_token', type: 'string', description: 'The access token value'),
@@ -87,6 +89,7 @@ class OAuth2IntrospectionResponseSchema
     title: 'JSON Web Key Set',
     description: 'JWK Set document per RFC 7517',
     type: 'object',
+    required: ['keys'],
     properties: [
         new OA\Property(
             property: 'keys',
@@ -115,6 +118,7 @@ class JWKSResponseSchema
     title: 'OpenID Connect Discovery Document',
     description: 'OpenID Provider Configuration per OpenID Connect Discovery 1.0',
     type: 'object',
+    required: ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri', 'response_types_supported', 'subject_types_supported', 'id_token_signing_alg_values_supported'],
     properties: [
         new OA\Property(property: 'issuer', type: 'string', format: 'uri', description: 'Issuer identifier URL'),
         new OA\Property(property: 'authorization_endpoint', type: 'string', format: 'uri', description: 'Authorization endpoint URL'),

app/Swagger/Requests/OAuth2AuthorizationRequestSchema.php

@@ -17,7 +17,7 @@
         new OA\Property(property: 'scope', type: 'string', description: 'Space-delimited scopes'),
         new OA\Property(property: 'state', type: 'string', description: 'Opaque state parameter'),
         new OA\Property(property: 'approval_prompt', type: 'string', description: 'Indicates whether the user should be re-prompted for consent. The default is auto, so a given user should only see the consent page for a given set of scopes the first time through the sequence. If the value is force, then the user sees a consent page even if they previously gave consent to your application for a given set of scopes.', enum: ['auto', 'force']),
-        new OA\Property(property: 'access_type', type: 'string', description: 'Indicates whether your application needs to access an API when the user is not present at the browser. This parameter defaults to online. If your application needs to refresh access tokens when the user is not present at the browser, then use offline. This will result in your application obtaining a refresh token the first time your application exchanges an authorization code for a user.'),
+        new OA\Property(property: 'access_type', type: 'string', description: 'Indicates whether your application needs to access an API when the user is not present at the browser. This parameter defaults to online. If your application needs to refresh access tokens when the user is not present at the browser, then use offline. This will result in your application obtaining a refresh token the first time your application exchanges an authorization code for a user.', enum: ['online', 'offline']),
         new OA\Property(property: 'response_mode', type: 'string', description: 'OPTIONAL. Informs the Authorization Server of the mechanism to be used for returning Authorization Response parameters from the Authorization Endpoint. This use of this parameter is NOT RECOMMENDED with a value that specifies the same Response Mode as the default Response Mode for the Response Type used.\nThe default Response Mode for the OAuth 2.0 code Response Type is the query encoding. For purposes of this specification, the default Response Mode for the OAuth 2.0 token Response Type is the fragment encoding.', enum: ['query', 'fragment', 'form_post', 'direct']),
         new OA\Property(property: 'code_challenge', type: 'string', description: 'PKCE code challenge'),
         new OA\Property(property: 'code_challenge_method', type: 'string', description: 'Optional. PKCE challenge method', enum: ['plain', 'S256']),