From 95f46982b8d54f64981472fe62c43f81174a701e Mon Sep 17 00:00:00 2001
From: Thomas Bayer <bayer@predic8.de>
Date: Fri, 20 Dec 2024 15:36:10 +0100
Subject: [PATCH] Rewritten README of examples/oauth2/api (#1443)

---
 distribution/examples/oauth2/README.md        |  35 +++++-
 distribution/examples/oauth2/api/README.md    | 111 +++++++++++++++++-
 .../api/oauth2-password-flow-for-apis.png     | Bin 0 -> 12359 bytes
 distribution/examples/oauth2/api/rest.http    |  30 ++---
 docs/ROADMAP.md                               |   7 ++
 5 files changed, 161 insertions(+), 22 deletions(-)
 create mode 100644 distribution/examples/oauth2/api/oauth2-password-flow-for-apis.png

diff --git a/distribution/examples/oauth2/README.md b/distribution/examples/oauth2/README.md
index f83a25e948..1be5bc3fe4 100644
--- a/distribution/examples/oauth2/README.md
+++ b/distribution/examples/oauth2/README.md
@@ -1,5 +1,34 @@
 # OAuth Examples
 
-| Example                                                                | Description                          |
-|------------------------------------------------------------------------|--------------------------------------|
-| [API](api)| Secure API access with OAuth2 tokens |                                                            
\ No newline at end of file
+## JWT Token Validation against Microsoft's Azure AD
+
+See: [Tutorial](azure-ad-with-jwts/README.md)
+
+## Securing APIs with OAuth2 and the Resource Owner Password Flow
+
+See [Tutorial](api/README.md)
+
+## OAuth2 authorization with OpenID-Connect and OpenID-Discovery using Membrane
+
+Membrane API Gateway serves as authorization server.
+
+See [Tutorial](membrane/README.md)
+
+## OAuth2 authorization with OpenID-Connect and OpenID-Discovery using Google
+
+Google serves as authorization server.
+
+See [Tutorial](membrane/README.md)
+
+## OAuth2 authorization with github as Authorization Server.
+
+See: [Tutorial](github/README.md)
+
+## OAuth2 authorization with google as Authorization Server.
+
+See: [Tutorial](google/README.md)
+
+## OAuth2 implicit Flow
+
+See. [Tutorial](implicit/README.md)
+
diff --git a/distribution/examples/oauth2/api/README.md b/distribution/examples/oauth2/api/README.md
index da05c96f63..40bea2a529 100644
--- a/distribution/examples/oauth2/api/README.md
+++ b/distribution/examples/oauth2/api/README.md
@@ -1,7 +1,110 @@
-# Protecting an API with OAuth2 - Resource Owner Password Flow
+# Protecting an API with OAuth2 Using the Resource Owner Password Flow
 
-This example shows the OAuth2 password flow. A client requests an access token ( with user credentials ) and the token is verified through a token validator.
+This step-by-step guide demonstrates how to secure an API using OAuth2 and the Resource Owner Password Flow. A client authenticates using user credentials to request an access token, which is validated via a token validator before accessing the protected resource.
 
-Please follow https://www.membrane-soa.org/api-gateway-doc/current/oauth2-password-flow-sample.html
+The following images shows the flow of this example.
+![OAuth2 Password flow for APIs](oauth2-password-flow-for-apis.png)
 
-Alternatively a Postman based guide is available on [https://membrane-api.io/security/oauth2-using-postman/](https://membrane-api.io/security/oauth2-using-postman/)
\ No newline at end of file
+## How to Run the Example
+
+This example is located in the `$MEMBRANE_HOME/examples/oauth2/api` folder. Follow the instructions below to set up and test the flow:
+
+### 1. Start the Authorization Server
+
+In this example, Membrane acts as a pre-configured OAuth2 authorization server. You can use Membrane as-is or replace it with providers like Azure Entra ID, AWS Cognito, or Keycloak.
+
+Steps to start the authorization server:
+1. Open the `authorization_server` subfolder in a terminal.
+2. Run `service-proxy.bat` or `service-proxy.sh`.
+3. Verify the server is running by visiting [http://localhost:9000/admin](http://localhost:9000/admin).
+
+### 2. Start the Server with the Protected Resource
+
+The `token_validator` folder contains a Membrane setup that validates tokens and protects the resource.
+
+Steps to start the token validator:
+1. Open the `token_validator` folder in a terminal.
+2. Run `service-proxy.bat` or `service-proxy.sh` there.
+3. Verify the resource side is running at [http://localhost:9001/admin](http://localhost:9001/admin).
+
+### 3. Get a Token and Access the Protected Resource
+
+To request a token and access the resource, you can use a command-line client based on `curl` (detailed below). Alternatively, you can use the `rest.http` file or follow the [Postman guide](https://membrane-api.io/security/oauth2-using-postman/).
+
+1. Open a terminal and run the client:
+
+   **Linux**:  
+   ```bash
+   ./client.sh john password
+   ```
+
+   **Windows**:  
+   ```cmd
+   client.bat john password
+   ```
+
+   The `client.sh/bat` is requesting the token in one call to the authorization server and than calling the protected resource with the token in a second call. Both calls are displayed for illustration.
+
+   Example output:
+   ```
+   1.) Requesting Token
+   POST http://localhost:7007/oauth2/token
+   grant_type=password&username=john&password=password&client_id=abc&client_secret=def
+   
+   Got Token: nmsi0fsghcfq3dc9hm064eoq72
+
+   2.) Calling API
+   GET http://localhost:2000
+   Authorization: Bearer nmsi0fsghcfq3dc9hm064eoq72
+
+   Got: { "success": true }
+   ```
+
+   **Note:** Replace `username` and `password` with appropriate credentials.
+
+
+
+## How It Works
+
+### Authorization Server
+
+The authorization server authenticates users and issues access tokens.
+
+### Token Validator
+
+The token validator is a Membrane API Gateway instance that verifies access tokens against the authorization server. If valid, requests are forwarded to the protected resource. Invalid tokens result in a `400 Bad Request` response.
+
+The configuration for the token validator is defined in `proxies.xml`:
+
+```xml
+<api name="Token Validator" port="2000">
+    <tokenValidator endpoint="http://localhost:7007/oauth2/userinfo"/>
+    <target host="localhost" port="3000"/>
+</api>
+```
+
+- **tokenValidator**: Validates the access token.
+- **target**: Routes valid requests to the protected resource.
+
+**Important:** Ensure the resource at port 3000 is inaccessible externally in production environments to prevent unauthorized access.
+
+### Trusted Client
+
+The client script authenticates using user credentials to obtain an access token and calls the protected resource with the token in the `Authorization` header.
+
+Have a look at the `client.sh/.bat` script. There you'll find some variables:
+
+- **clientId**: Application client ID.
+- **clientSecret**: Corresponding client secret.
+- **tokenEndpoint**: OAuth2 token endpoint.
+- **target**: Protected resource URL.
+
+Those variables correspond with the configuration of the authentication server.
+
+There are two script versions: Shell and PowerShell. Alternatively, a Java implementation (`OAuth2TrustedClient`) is available in the example folder.
+
+---
+
+## Postman Guide
+
+Prefer using Postman? Follow the detailed guide on [Membrane API OAuth2 with Postman](https://membrane-api.io/security/oauth2-using-postman/).
\ No newline at end of file
diff --git a/distribution/examples/oauth2/api/oauth2-password-flow-for-apis.png b/distribution/examples/oauth2/api/oauth2-password-flow-for-apis.png
new file mode 100644
index 0000000000000000000000000000000000000000..11db417aa75fcc7305d84185addc55085751dfe2
GIT binary patch
literal 12359
zcmeHtbySqy_wUf9q~OpoAT22fk_y8R(k)0MjdZt?Lkvi#(jXuml2SvbARwSLk`9A_
z)bByx_j~X9-T&@gcin$3Yq5BqbN1Q$v*YZu&*q6zS5>%8NJ9t$fo?0p<TODbECdLI
z`2Zga81eoU*9H8+ej)o*76ht}C%Q1h0SG|qD%$eEI4&+OK0ZDvDJca71sDuwVq#)v
zXXoJH;N|7z=jRs^5_<UXp}4rXjEszef&vT%d;0XLy1Kfywzj^$zM-L^si~>8wY80n
zjiaOE%a<>`y}f;WeEj|WgMxw{8b?c+$H~7yC_5x;xTNcOW+?@JeD0s89@?f8-eDP1
zU>9EUGN#-sp(-G`_E~h7SzM2GVxL0_(lukyJ9juBe>6BaI6OQ&A|e6~hsVao#>dB}
zrlw|OWaQ@NhGjHF<+dagwCCmJ6%`c~7Z+DlR8&<})zs9~*48#QHnz33b#!!u6;DK!
zPsLSzPATomtn7JHJDbrsm-}(yZ7s5-X{fSote}0d?9+1Hr>U0ynX10;^@FP)N7wuN
z`$tAb#>U3FhUfbymd3}&XJ=>U=H`}{mpdmn`)0OBW>$vhcc&KCCzto<zirR19xiU8
zzJLF|xw-jmV{dzV`{3YUbqBq%bGUWzYxfYne{^<uczAMha&&x(J~==8eSUU+d3}8i
z*#H0k{6DmSmR7$4AfDhQ%)ku<BJRHV#prh~u>=Oe?(+KXTF%z)US_UVpqFO0PVV=e
ztlXJ|@AKama}Wwt1%Y^)73E~Ly`S%8$1Y4YWE6Xtno_6u;0fJYeSI6lP+U^wTyuUu
z5ofBqvN4_JVKHOz>p+}&;X5{*-(NjZ&ifV=kfV^89X}i54{Kn%-rr$C(6g^42Ph=6
zNs`-&NnCDiVN@q!DM<Sl#DhQuwwzF@)(?fZdCadT7||{uVTN<4RLh&4CVOs)Ahy+&
zpA~Js9bde@H%QS0TU#t3BNV(iw}0K8QLCaG`cV_%v~3I$rv3=EmSSkBYpOrxka|xN
zngseHjG7QAoezm2IgXQ;XmM8;_c_(U!~FJ$Di(h7!RnbFdSj^BBa&pv<EnHCH!odZ
z2-VP<TU!thcXeGxIfFW%I8ggoiEh`k&paENSQt}%KK=|OOr{KdzDBiHo&4yU??XSc
zU1eVL7Xd-mYR?mNAD6_Mxhqk(w~R%#*&4*@@xDpb*!8xV@4@q1D;Q6ELlM%4>RC_h
z^(5on&VD17KzU|qq9}+H5yLF)4yhY0IuRH$0E?pV$X#dcPV_gMd+E~|f7}Mqytaif
zY9xCc6m@?;y&Am_FU5M=^8umO2ybF->!a5jm$^kdu*h)lM`mLQZ}aOw#c_#Y8lR9?
z5>-=~KbZqGOQt}=c=^!hZxi<tRGkNXG|91k$gJ|)uI(*8-WApTy!I9o>`9yvt_UH)
zukJT;k1M`#u~7;QHycMPKi)Nb!L!5SbU?OJqKY+6I!t{Qi7j3<WgR)eO+XVN28qw8
zvUDP-E=&RmV_86@gr_OQZl5Tb3)9=&>4O)rpz>5R!lc|gR58c#RjAJrqHA9}wiokt
zV4d51_ZGX-zLS`zm?oI0REuMQmBX;W-n0KC<{q;&;fW>|8X4M@z`-ip&2PE3!h)hY
zL+)}h1iQ(HCm20cNSD6bjV%)fOud$`Ko+|?#!DYQnJ5@ou*~xHk(I`yOjK|u55_e`
zBC%quFOxKaPEACeuQsJMKiB11x3Kj{%K@(@sD>s_-x#CbPWo}WVelE2kCwlmbt5V3
z+DN9Pt5b0;x?TDrDDX_WG>zvz>j~r&o(;J*T%x^XQfcrKi`MIC<C=qp{Nyd^b;0wi
z7tHs6WY=c(b6||K4uhLNFnwg{k>*;z^3n)Pa6i9$j6%py)G)l8C(L+724N&%j^?gF
z4>I~{HV5(29REg;UO#R3J?h}w^=4ggX`~d!g+Mje-88D0A241g$DRjGtA8z}E5DFF
zv*MEN4K>475RG|25Ud3jK(S34v3$PTzLvX&KHldp@z=D{xp2F4NhHZjC?(U9&rCoQ
zMg}p_tzJ_HC4Op7l6b9L?KfdpsU7$3@01ro^>})5{~H&-=<Lhy!M<mmD}_?O+AMo`
zKsjcgkc=hJvLyMh;_dYwYb&27)_zV@ROIs!g$9;*H<5s(%s;{Gw$r0!^sp&wn(DDK
zLJ1&anZ%m{$~--0+1Q<4Dqx>4PW31%Ys-)g(@#j=j{&ERufLQhfllMFpi-fTJh3!>
z*IZKFRL;AfdK$4iaa4?U{O-mD3t_>rM=+q6>g=YhAdgQy^{RU?FhMXGFuipN>b!Fg
zE`blh;D1E`iT`q2B5-FNYYyX(fC9=uvC^tK&(!cJfj(H=>=SJ0Nf$4PC0?Ft8h_0T
zFOE|)IR~7Pu2%>;uP5w|FJ<tPVoI^pU#Ni7_p7PBR<|qV-?C#Il0cvg<nO%Kxhagg
z(6DhPIM`=kV{v>{pPon<9|B#XGH+DPctIrU2}GbdYy5*okE7R_2wjB{0PZl@r@-br
zw~&9NfIAS|0;p(GKle%D2vS;dVFDqj>vcqS*9M7(El%vG1Vq2XB57N&hqp{V5XrpE
zp1g)iFDP;}zsEeP$dd&NCZ_h!yEt!Nls$3G$;mYtkBCM}>Vp9cTF}6z+5~v-evEiC
z9pheh?pl|8LED53XqrR|y3fP9KAC`*a!};&9T~U$;E@!SJgW^&AAIext4N$6rBBbq
zdRe8~*ulH7O+uYJh&&gtP$K(N`f0_Hsa1!$9E+;`Hg9*?c|Xh1B?}G~*(v@PYrL9v
zQeQ{+!gw+sULcn4Z$v;GD!)jZbYF&eTJY+P^9)m`GZd0LDo`Fjae7KveX#PW=DzMu
z&cTv_BwO~xT>_eLS;(30s8L&Ta{-(JFK&;A)33jAI>wJkSH4)hyf<nbG)*1`MF|gl
z!q}A5;bv=yGih>teQ+(&>bgGpGi+`@Oul|T?YT@3_qebM&A_p)#uuEk!wad>=VX5I
zR7+>uh)Nu``=CIJX_(X5o+1Crg_*zHl3KRe*mq?jr=F!EuETbn{tM7I3F}yYIr;DV
zz1j4QeDu<RFJm&}&Kn!z=sTLc>Aw`8oBWmqokkl#rWQVq+;NPcy4wIcg_}X9xW8U3
zH0cGIh1~&-2{>B%B6bQgKa1v~@b#W)JO-6K=!<=`80jYx73PsSpU^ZyNE7V?vEppD
zznpNEWLT%T$>ZTT0Gp4ZB_4ee4j@O^xV8g0eQDz-C}O5%eb8fRv1y2qCWaC+rQq*u
zz5K&`pqb^I%1aA4vOMA1mv>i?c3mHG7*=U^sGvWBaV>_BXmZheUMBi)?NNzYO|QGw
z^Ct9#1OvR&a29IcC#9~H%u=qPK;Iz0;3`wxuAlmIj;a{=4q<0acyA44r>bo&bq}K|
zl=*l$q$PORmG-6Ls90?zJY$Emzj_?{y9A(TUUzft<N0F;e{f_KD}85zNPhPHXZ$@g
zaR%e&m+mpn*Zg>d?|ebyGP|_tMI?MYaZH`NV&M!h&>btV;@9>&RL`0>50y7~vBn=N
z2`2h@uLCD}RO-i4a_)Rn43MjmFgfT@>1KCh{%4yvAo3Ba@Cb1XkUrcIBL9n#m1Tkx
z)cN>7RD&X}5_CUO*b3dJ5_6z)&p{ba2cS?1Lj`Euo6-bHy66Hm+a&^-Db87>Tu--I
zeC%$d%|jJAnSr-9Q5;>U4G`%%&D=o4Z<du}IrJBpjvXdQNkq^bD;<UuSyOjE#ULBT
z7=L5WN*R%j;ao45MOrPG$N&PVG((H><4Bn);~&?Flb3SBv1PO}5Qv1=7UFU8{6&JU
zf+fUI%mkn~iQ6idW9s8V^i8J?UswXT#TsIFV`P3^4pCWfB^f8y@fl{l>4bq?9cUF_
z7eppGA$4?qFN?RC>3KeGkW0Je=OUA=2PTk-^MFjTBKx-sj8(m~6*;}!s#xLJO#SVM
z+Av*(?)PHp8xSK55VaMU0HjX^&}WyFBW90<KqK!ep*b^SAYr1L!C(Yvn&AKNK@YAS
zbBt|#h8^74WM1$)r>(S?0CY(90<KMTg4`McoyG`3t+yOO7d;h*+@SW=XoP+^wJ??*
z96OJ?$=ovdnRp%<pzsfDyNdq~=4C(9MVfkx6|}ShM;J3azKcdvfpS)&5mDc&Hy-Du
zVFv=-%pMl?Ykbkn1bIhuL!;%S*gP)VL1|r-5G+U5@O@B+OA-AXLXDU09;h8yX&b+Q
zu=r|^ld}p(fP^vi;BUwzNvE*9<GG=(U&_^)9<m<Nr`lCOLY83P9;wztH0*Jf08+3G
zF--_JG!Bzlj(_qQkN~)$4WV+ZAvE_u!5x6wu&r`)ZSF&cV)*VSU|}VgIuY?U@|fz6
z%mJp`nD_*({ge<48{AQ_*gkszaP*lN3Dk_O4r9T|{uo7e{Amlu%zLaG0||~2|AvH|
z0M@zl6RU3*wCvK0l&cfx{XJ_YgmFmq!mdKh7Z3CtP$&N_?v!-!Y?C?bhC-<IHx=rr
zGejQQzpv4VG)97q5G|;AAnPH69=zuQHh#-Ufcyv|EA+A#2FkzyoS+K8r;*j0btVet
zG!jVETd_4`WB4Yi`q^;(4G+k_j}s#B7<6MFsF5RO$P#9!o{@m&(kuaKEb(a^HxzXN
z8@>Qtt!h7V4Q^)a^vdFdG&5626KDN#&RYi<xi2k9+NBpJP=JRH1RVfRVj`eD*f+^a
zaJm4)4mO~NN`+1%ivSFC8Vm4Cpl8{uLlc8qd+LFB2?UHU3D3iN+DQq4FeeIsyH5&W
zN`LgI%_*(VMh^4FG{GHQQ2ZOtNGFLqVN@+r!3Phu?30;Bi4W=Z;40v+PJj=i0e53H
z+Eu`pFoIJ7l^Ns}w&+3L1b?FL1zcsaF8<M@PCp|7!5@Xj0MKgy=<ghsXh8WJHF4YY
z;o%;a4WP77l#tTFc}2*yVaNgCp?T%WI|81;Cl4)HL9w8JGu3}m*8kqayKtzKk1WX~
z(&P*y_@2fSNJpCziNo59+(AbWjoj^6f0ti5!l;2vH8cZ=<_Y}*!fUk66jHS`z5o)A
zFkG7RxwaQXZPtFx!Ok<7o<!m;sHqlj?r-q|i+N*Jq%YBE(Ssdf(9?H0P^meofL|d%
z?aunc*7EnUE!saAs;LE;I&pc1C!E+qL%=L6R9cQ0WfB+12qrLHyVIS5UqsbI3k|`i
zXzOy<cG_mgfn!5M5EOl8iTD#!&unwiDv2+ZG{6M!u^=zDBU{yP^+e`wnN5?iY|MHa
z7+eZRzp}YqfCwP7iYRzT8<jV9fMrT=y2ew{3g1=kW|d8Fx3wpYenqFPhC!JZ0!~6e
zCI(3qUq_OYZJl6z5Tt-~T%T45N&QT%%Gv2~!0~lRWqCX43hOmXByRe8OR=`p(B4Gd
zQG_`_KE`B#<ok)2_V*THqz}I=?b$ABpdqOBQuKJ1_x1yNw{%~lH8z1#XsojN4D6SV
zR3v|%9_op9y(dTfGr~2AG+ASd+;eXo{?y!o4rj%p*DC$47O=_VIVtOQ_^vDUoMH)e
zI%7>40$@&LVllS7!sCC5TKw2in!SH?vA;NW&2e4U?>j~gZzfAamptVVEtUL|Y_*m~
z6GhO-1SzDE9tiMf;`~A$c9HNIE;kzHgG6pRt6#Ob=p7tJ_WQTx8ns{bR6tpT1nJ#N
zSmv2OLV1}V-BVzujQAaOBCj2p7z!z?w2t_In5fx<tx0^rpdM)UGH~|oOJ$$moBi=D
z;PGe}eI(kgg-2@k+0su6WAF?27Eh+lF4Z3AH*PssszS>XI@j5%v$xhHIAn~9QsAn7
ziUHSBH*e!4#{t>D$nQtl`NVt|b7i>0G`}bPqoCM-+$rdNQhlhM2h!&Qmf+-((Ruql
zy{j=d`+FAzVkCr25XoJV%ngH&ml>+MgN+Nhmz7D0*D|AFm`K=izplC)w76`2pnlKU
zBhiQc4}Ab*$+e+lWsJ#Ez{%b0Hzq`4B%U(RA8#6`w_8qK&J7z{)v@mDftzt}3!;8+
z8y+5<tTl!p@<`tx3Q=qGa}Ht@V1npi1RH9l@7J*eDK8vbz7vURa{KjTnx>wg{0;_W
zXr;?<GjK+c;LlV|)6aTU8&g&eOsFmpx&U!mFd`2hY(V*kxcnWus#mso5C>X`0e??8
zWx`Dwa!W~Z%+(K%f0Dq|QYY=o@Eyg=t-&0d(uZS@f)T19NcpE$L^ZhB7VLsNo-1rg
zWZKebp&YXMD3_Y`S=q{3*~h9s^B;akP+~bg`e-Ryv3hMiy~q^9US+x8>G^W~ipuDt
z!q%GA5lqM|2&((q2QtN^vKpMqmTpiMV_zKw9;`DeWz}Y$J!5KnqZim}V7f*FK>uKB
z$rG+UjzG96d)PuadG(G~ep!-FVsI^zbzgYbb|N1HBXrEVkO=&q;M-Zx%IquQ1p%#f
zclpi>V~68KiQq<I^VI3QVHR;4;Ph~#QAEfeMzx--dpn5q*4<PQLFpwPe%ISd{H~s*
z94)wg7?*~8!Lw*ll`#05o#C30DP@m!sOKY=>6A%Df|hxhl=R$B>kx$fhayCXgZDU4
zZ<&CEw$|_9@sgF;Tk=#ziJ=!*CW`yjU%3w9-xjC|2QcbSAp^;$obA5H|G<R!`THx^
zn@5j3Q(P3xKPdw6V?bt2_Y8N`%h>!f#Xi3+QxhdMR>Gej_07V2yH!_!2zmdpO!wAx
z=3e)V^Hj2KncDVjjg;eYD+7NG7hom_JJz?cbid>!;C*YRf=IutZL!4Ug%F9XW!bR{
zzDJKwG|C&dmF!6qJN+G&iYszvv2G&6DC}wM+S0~X*mImL&9b9(zpS%+eq2LH%TZ*y
zl*4^foeCXYLp=2TQtQBu=h9VpK(GKonn{x``O>1An>**d?#$}@gG&S=z^6be?P}!M
zj3gORHc2y4B$0D%6)=y=pZODkMp#<VvOX3smuf?U_@e?i9g)G#@B+du;LAKr$2PeJ
z^^*g#hzqR@A%I}DKZ1lSs(DJd5u_eJjF+E@W6l4>x?SQ|fp)GW@#9!7;;K;6oePTf
zTq8%i@hiBb9t??xI)VW6VL_ThIjh10JB4mRSt->Hsb8a&W>$y!*iiSm;|r!Q5vXN%
z#)jSeqQ+7sdxaL!ccF+)k^w2l%T@*{YOz@jZf>gA(ETq15mcVoo07d7Hx6z<h^Qye
z5X|9d`!n;#C_qQOrtb^8vZKZyH?bsv=@0@K&`Q|~coyRnA!HNz$d2=gc<4uW&g2m}
z295K)-Uoz>3ST$-PSwYr&O}U}--{?67}Q?)9$#=5#jui+aC}Fce(HQpmK*SXo-TB>
z`|ddU$k*G_a!G?bmaa_IXfa<I)5D|u*$Ejt!7_uEThj5{Ixp8WU)p8&nC3$1ZDy)a
zXZ%|>7QT!@A)kX0_UiVKk#F&cq&P#Xg0g5-whb5mdcfYR1C<v6JwEYdURTzXUkA*7
zI9|9S*Eb6y(w3x)^gf#N*E)Or-D>))_9O1os&H*u&5rjcx>E2`SfR0<ldI>}u-OH*
zO0Lp)I)gc}gv`Cs{b$rbC;-7Xb80wAGN+*&`cm|u4pDPBWX(Dh5qW_5(<vuYLJMjg
zVFjIBvMGvqxJOV~@jsU7UK;`^7qNJVMpSs`x`$5s3MA3|-~3AQ9sY`&M6xQC6pE#7
zGjH^<wTXOmw)zL+rTtTJyIKa*xs#y=%i1^}%j&ua2Fv6moi}btM^B1Lw2}raJdQkC
zBGRsfDp7z$%D+HqUN(RFlPWMEvSc^A=D(%KNL-q;bNcKO;4TqulY>}x2zsaW855v=
zDuhaPJGgq6M2Q8wjR>NE+|KAx;|ef%rwDCty4pCt%VmId^C}CyY6)nex-bZ&1rre3
zYEqwlYip@vroLgR`v}#)r<Sv2x!ws=$EH5hXAdZp^e}EcbvTDU%}A^g<=*T{Oh8C)
z7Zgj_H>z#39_@UtJ#nuw92Mr>?9xm?m;h(fSLa5PS;gKqdvOh3Mq$3qF7gC~GqA${
zt5Z;3QvC`MaIgi#C4OeA`VAau?fp6tH|A!5Y|3J+#P9vG%Knu&w*4una_XJ|-)JvT
zF{lThMxpj9mkty9(N8Y#W<RHVPLf|fW!tG?KmG1;;z%rTWMj(x*8LbTxv+3Jwrta=
zR&n-3k}!#tbdJX7l6B*A8#;vmf;h?pF$WE)`uH+liMH^F*bTkB(|D_1%B0-^H$p15
zh^lYA+~z&Vm0?#-eQz6ECs!)4$m_Hx)qS8*8fg9U6Nf3f2UuCQJ3u44g;jasZ}leh
zac)j~g_d@|#F~S(^>e#;K8dS~2fu4Ynt2|6vt5dthN|*rcI}v{Q1v1IlBY$)sxWqp
ziosf4`tGhhkkva6r!4j^Yvzc};>jd)H9bs!Er3e9916?AbAv&q&_tD1-u+P>4u%jq
zRo+PvPRQpPYJvxl7gT-v-9W982I=^=f2DZcboQyVv15K$clks2j@cniv~Olb=5rB?
zz-oB?O-Vz2Pac%UP9P6sTj@bYG8CtbfHgcke9dmvN8^GrK@f}*3V!lnag2W-%%)*s
z0uJt-A|L2*-L6^!aX*_*BJaK!F$NbO3+dyowMwT6qiU!0JnY<F8ov)M%wqiIXMg-5
z^ftfET9tE7;O2|$B`~-d)6+Gupy-uq>@E(Q={T}nRCQUbc#0MaqSvW9+9>ztRfV^m
z6b%Q48}!QmSMN6Z$E>ftmgyQwf6zy4h)rcx-8oDXXlpe;au;MwYv~0+Qu{SW-Q<!g
zVH8P?G@aZ6DT^i@>}nguxj*)9hai+KxHl~(enj#=MSpm%PFw`{uep@T8D2h{1M#~W
z?5_JOM4G1k(u3<@igdq0EFba-=MGnmTxfSAt*X<H(uOppptJ<I4?+>#W{}NV1DiZ;
z(}KI5Fy~;z^Wdx#T<|sy(&vA9G3DFrZ;Mk6(FCYWxi`-dY0>&bN+76jNOBfqPY9_j
zoHMZy6VlcR9aW~s^Tm3D14m=hit+Ia)er*gzaY=zNX_m-o(<vtUE=iwW+2W#N#wA8
z5$U|YCCq^X$fa@%?2Ks%n+!(W7o;JM5K30$7F+H%S|<!f>`&;K(H^JtKt~n)Yahrs
zTMl%>PVnU-zV-6BIjpsAd2|aqZS$&=^G`|={w8o-li*{Gg}E1EK^7qyoD6ItuI;oW
zy?L)?Fxh~id~QP{$Is8m0erOO`j&YPrUiZ+I@Y6Eu~}-s1&){YKQ=IhY<g&@Y|-c4
zGA#(}kxd}Bc50eO`Z$$yp^4RT0b%B3gwN~k2-jLg0X(F};*PcSuSMJfC1wczOv`CT
zBMcy#dCD~^fDCuw7T+~|C_*ci`+(&U7^Zg*-~g4Fl=vWhf~AcCcSp!h<~n{g7&vob
z#KIoLgSJG_&4{PjF3us(q#9YUu=Ba8!P^X>G@gh{4fmT%e3uG4(FYQ^dwe@S=0wd>
z+?%9!e%f+CpD_3*Q>W;H*sRo~c9vUTIDvKG8ijY1u8lo+L|moFDpX_G1NXAx2zD_b
z^kL489BAUG*sR&>+i$&s1#f%|*%bShjm`XK2pcMnY)VDDYg({vlF{FI)9+T(J=>sR
z;&)GUF#*xK39O5t3Fb>|Xp4fZ!rRy^1$U$p;4$Xa?m1EN31)5#V1hNG(I7XL?U58I
zea(%z-w4wZ{hfk!yqVJ<2IX%l;R19DqX{*ERUUUd#Ix0z?ie=%R!ulDj1YP;3LT9o
zV~&z_U&n+PKe1<duMlxZ;vuMw(FzM<oIgb-aRjN6wvJ#NkK+N{$52Ku7B-Tl&^n_T
z@<$nuJ@8M%Asit1VzV|&C$LxQQ;2{F{o^-0&KHh6J@ysYz&f^ySRH<Sk}rVm6%_3)
z>eqrjU$t@FSly~3w)c3Ya)JoEmF8bU0h+&rwbkA<8(F8FQv8$hN(Qvb(R?4s)ovn`
z!&XE$<5waBbUgVsV5&rGix9vxm0dcDeOC@Vua_{{FaY#*bNUh`^{<h7fG&&q!*lws
z1LEo|{FAc31y!<^67+|B&<ZIx>-R@-a{&CEdh{xP)s(eo3je8sH3sauJ*?p?jvJt^
zM%;Wu0$tG2qu+?MGYw#uNgBG)c>2xQSLBi3crQ$t?A<GYM|qg01)1m<cMYJUepqn#
zTTY9L@8d}mygd1>ivbr|*r?&RJu!!DHXlKH(z0tp5OHKb#~Y|FxvgGx!b}7I?7*$V
zr`dDg9cNq_>Sq9oeGO8lZl%%qbAk=-RAK<II&M_0^kX18%0bYUewpxvH0mX5$mTP_
zPO6!{8?&+$zW2S4w_~=iFxLs=`(VuqI0n!ZuFGyxXGcgY#`w3j#X$hXZwLpCiUnjd
zNtOni^d^Wb?o@fh|7I**S1H9Qse3%Bz}j1jk*t5BIo_8}8hh1H85b%Z?j%R<8v$gG
zsUW6zU>8py)@~w!#J3te60VB(D+EETsp<|ZtMQz~ub)Z0(L~c7S*I{*!Itw!FHLut
zIsstG!ARoLXfvo&D3GM~HK6WDRjM-39`fH6`r%xi{4KznljdW0WT-mMO-MXgc?Y8f
zG7ytC#?4;6%^d2jP;#4AOgcf-lmA1#rD=gZyyY#a*=*pg5cjXjzFYA(A<U$yv;!Ft
zqoP+rP6GTAzcAK@>ANR`AoP}`Njx+8Pa4*;v(r_nOc}x3G*3!bztZag`OHt6^sEf9
zjlH^#;QT~utu^a!2#|AIpv7BP#j#oOB{Lb=`ccJzOdu!w_`FasU5^LgJ~w6GoM1G-
z05WpI(GuuS9(T)59)Fg{YFd#0#iSw*qHZ2&x!nm<sCF)}^yGYTBNhkn`z7LL16shY
zq1mPlBDRoCNM*w)@eCGV(#ozUwk*tRkr{LVu!9}!v`Y;^z#97Uh+EIzE~Nlx!o<sm
zJ;U*UdX>zvS<c@K27G?Ue-P0H#LSX1*YCsb?pU$T^pyb{lg72qHlyK`SS>Dnx5X=-
z;WYp1idS+xD73yB$dlsHu@4`SG?<jc`<~GHcFyYqW@_tH_q;sQI@9nP{fYaR2~K#;
z&Om0zq(a-5D|sg~$M;+}nU3qDlTl%OOW;#S_&I^KLJBdE7qsS%S9aT`)Rz2NrXuC_
z0M8S_t!A^`imL)E5-XU<6!|HrsDQoi8`8Y%dyRg?r>%4-m<+akE&@;vTg`?|dATdm
zL~SJi#%cQ|dFcRRU}GW}K&qQw-o%P2#-BE=fym!-L>33_{c@kRjOwIToy|wlJFl$+
zC`@q_6MI;4+gaoiv6cB4h#;xB(9rcLc0yO%^hj2Ek5{e9!uay+WchFI4(yJ*HFVHM
z-rq}mCNaflYAHTC+o13ME}$L6Wg$WNDIyjQ{NoVT@}5Cb;qk3{M7KkbNl&+pO3QDF
zmN6a3c7!0~a=jV1<@?b`g+;@eVuO{4v5xaoxSr7!D*bBeIdr&-RQPMrtwi_EkDr2v
zcZzK7&DSi0de|5BE9$Alq;sFe(TL%nzOq%Rd(0(-x>{hLzxp|2e7VVck2J}L%^ep~
z!*3>3y0u2glbJ@HzNbggLzUH)T&gxYww96)4JXLu9}%xei2OB_YhG3}*)Y#-SWVns
z)S#g4VW)u;m54sd3X0o;7Ma&cUMER$F1c)oUb5e3LKu{O7lMWV@~9Tmf=;?M<bF&1
z9Ems{JS+X`I)!wSDYoiE>O5nXoXD@GErR%l#A*2fjlIt;8Vj=Hg`d1s@Zi|>4{FD9
z=^8jY+PaEYW8)8&jEizMalH-#UBa)+v`&uW%(cl%A+_bp)7~m#S?cXt6k6G`zX{ei
z9fBs4HhD9$e%F^Oj~)#3vd7XP0)?QJON8J1EI4|a*kN)$bU~!H{jbZUlmgWsrv}?h
zEF6vHN&(-r_{EO)rt9e)X085whK|Vgo@1O@RmlY_s`(ecnAY^d{v8r|c5BjYdfhN?
zNzH>ooGm|rizic~JS%qukOMFI{_w$yYlSXM87|NAyY+#9W?P8KhU1y+1=HhpSJYU#
zxC12T=m34!w_9jG$DvV8YKGR{j3wf(Mq^g)D8OM&mjRJoU2n*2Oco^^c{=NfK%l}}
zjG&se!tb75iU9>>=KYuhkNHPep3z*d#oMSvV&5B&s;#FaK?VIkiP*lrg`*>7(bZ@(
z$KULw^k6B)dF?vvS7Q&;Ih_`C>7?<MWuW+kQ&8#DPUp!Ik4AS^?pjJM6h*L5LP@TU
zm@Q5z5LDUMu^S|kbvmML-cvkR(8`te_;OEu=R0pUI&o<47iac+YLDSFiN>r4D9SJI
zkJ7$VUvjlycowW)K!d)i0XHeT^dldqE@ath*`ic_QVy!v^PErIfcr=Kk%7~hT|uud
zGDE^UkAg-VE9kSLTJy*6ZS-0f7v-up|4>+7HZ@*GMYoiQO*#2}p%5FX%@AhoSiIWx
z%6>B~1az}Q5rsd`i=CIo6*uZV{qnEG@$!lgsyahS_6x0b>d>cd&o`;yJcy2tYgGn4
zE=irFq0cPt+dJByFHrj*?bfl2io~kih@dHhZC*>)A5~{IUF)IQS3Qi4RaUX#85{m1
zvHqKNja!7;Ver<<YgF`^m$7UJf@$+at<lF8S|kgd31OcdwSN27j1_rmeLi(j$q0zM
zE80-C(@S9rjGcY;Gk_!pBi3CucR!cru!9NGOsY0M-y?wY#NZudpBu2V@ssl}tCl?_
z2OCg{qEUX-e_M{2&`=hjvv_m$z3CzmL~~rWe2ba^>MA`9s4jeahlMmGi(KhX4^s2y
zo?TQ$G(qstP*JUpDoYDo3baG<kDz^Y!W{62@Fj=SV^)0MH#1}l@~K($4VL3?c_jQi
zZyJVNoyceb=QSDh<Xb{nT9r>#UaxIRk-IFDV~-1Dv+Cqb_E!y^{wGRHnpd{NJAA|8
zCYy#1Ea8H@`D5W+-v}5Bx@$N8bTl#H@4-aSK64ljJ+;`~Kx0}(Tk5yj3rUJFyb|{p
zT)Q9t5n64!2E#V*#2tNYlFJRTWsI<ARE1{|o;#6)n+f@A%z6IpJ$|39M;JUx{8d`m
z<qA2vX@>r>z-`Dei`=%#>G4;jlftWcP3mQ1+JO+^+J6aDo>mbhd7E2uJPusxJ@yG$
zmJt`S`AHacF9ZSfCCbfvs|pP_3!;sTa_z6{x`rg#G_@@NTZABVs#j*;&9~7w%2pyX
zq#kvP)~64s!&9~n@nf0N=GaLLiNOW}KtDwH!cew^t85VYTo)Rh7D1*KZjRs8ID}g#
z&=xOks%UE23-n_3_v~-WiN>x8=7-7=c@HOjrAI|CCcOoJkK}Pg)P$u6aDyP+xKQ0*
zJCm5%UwcQAw)atMcJJoX17Ww7m(p+dew)y+T-j}3{|9w_72D-Xa*z<kQJIa2oX``2
z$((QVKmN{JT(}zl#>~U&msKvTsQj@Rh8W}%%P^k@8bgU^$%oA@ia7sJ*8W@{ytF`(
zkMp#ErdJvuKIdwmpw@V575+mIg5i}g1PYgH{kih}$}tWhi_c<Wl6S&LHi!{(0m@hq
zZtK;d`rID(6_49d`tBI$f*9ku;(O^*q|g~$z%aO#F>l@N@08}+&*!C#e6_Svg0IIv
zTD}-6;+*<;y3BMZn~J*Bb85ln#g$q4aUtM}Ki(98gyoehB)Bcwm5Hi6g>E#g$mkf>
z+78ac#1k)Qe=M%CKL|vTKu+6eG5#*#g!q{2WV{^nh#Bfi9~h+fSuRo&@jRxd6MJev
z&AE)UDp(q+pBad#m`T;W1vkP0pcTR297(RJtno9EZQkQnUbYEBHqsRVxTGaDEYtRM
z-Q;RW@-0MwzUoa3Ye5IipN`0>mQag{8W_+}$GjrR$SG2}t`QVm$WBGf)osLvAj$#n
z^}RvVoX03D%%>eNPeF-GZqbdYY83@Z1cWRg=A0O^1TW1p|Iv~RBKDZuD`;TCSnz$n
zinIRAH6uqCfZ(Vjuv0V$I=8QZ^s-}TY!Ksjr3B(<8r{NA@E804h5j3j<yvNO7x{&O
zwQd;v!sFTXI%U3KyCO7{(k2119d`0#G936C;ihF*v>m^YD={%Jc#~AbG2%TY_2#uw
zuVTg;oTm#o4W_bYn{goJD=Hr^lT>{Nk37!{R0TVpOZus?mlx)U<*rk~-$yqt>{Yo>
zYV9{JRP7Y3EIr6BN%7tAPk9C?b~W$RQ30F|E*~#LRA-|99cE};U=N(KmG;SByi#S4
z0oT3STKif5kfH8OCx@u?#pnw_DEI20HXS;VZ|kN_hx1Y$vCpa<V#t@gIy7G#CzcDO
z|M&2NExNC>wj@5DKh|g4j3_+jVU*Z>M4-jn5AjpC`UG#GSwGYg5>-4Oi8D^7*|=bB
z%o25ldE^cla8~cvifOC)j4b=^q<fyPDPOmwY<U)?Nab-OQf;R(^3GWppma#FM2u|q
zkZdb`o69mOPmdp|M@e5@7h%LXR6h?2-wn5n^?j9|aO$`cZTn6=wnc6qR3#csJu$Y)
z+D>)(M)QFP31~6(XQL%}t8!}~FPTfJ?$!;MF!?H#Mb|*_Mk7(p@C%(Tbh_Y<ROXZV
z;$H(}CX+L+DODxpGgswH9M*JoxCFFCdCQttRwGz4UWJtx@uS5OLl>P3bSTaC491V*
zK)IFv71fQrsN$#xR5F=x_BfyJ&q+>-mo7H^UjC{;NTDOjjv70Bj4nG<0#x_B)};(S
zjQOaXsSf>Px|&-nH!F9HcQ%$TlIl#@$}-A>5$o%wiNXe4w6*9eFNtsG)YKO>jDrs2
z5Y^ecH;O64E=hf8aGf%W?RgLKx!mW&mPd)=O$9a^yOvRG6av+7TI>gnUHfWgQ*=CZ
zIr}WC+QNJ$G8kLH{#*}m&4^jHtur?jvzRFTm-Oz(<$ARiv+tl{(n-%oX$O$wONog)
zQqa@=u-(mh3f1<@b)m~fN5WiAziF1uO}8NrNWVZ8p7dEEZ}UFZuK6s|aHSPtl>K(H
tvaE&V10fupgqx%HjSDF2e<u`O<Gc@2P7Owa=x;v0R+Lwjt9)!4`d@PEoG$<X

literal 0
HcmV?d00001

diff --git a/distribution/examples/oauth2/api/rest.http b/distribution/examples/oauth2/api/rest.http
index 378eec365e..5eefdbf58b 100644
--- a/distribution/examples/oauth2/api/rest.http
+++ b/distribution/examples/oauth2/api/rest.http
@@ -1,23 +1,23 @@
-@password =password
-@clientid =abc
-@clientsecret =def
-@username =john
-
 ### Get access token
-# @name getAADToken
 POST http://localhost:7007/oauth2/token
 Content-Type: application/x-www-form-urlencoded
 
 grant_type=password
-    &username={{username}}
-    &password={{password}}
-    &client_id={{clientid}}
-    &client_secret={{clientsecret}}
-
-### Extract access token from getAADToken request
-@token = {{getAADToken.response.body.access_token}}
+    &username=john
+    &password=password
+    &client_id=abc
+    &client_secret=def
 
+# Execute the POST request above. You should be a response like that:
+#
+# {
+#  "access_token": "5ta3kbi948eav3dtqs8vqus8j4",
+#  "token_type": "Bearer",
+#  "refresh_token": "6b6ll21lu7l0a8lasi9rvnstaq"
+# }
+#
+# Copy the access_token and use it for the second request below
 
-### Authentication using access token
+### Calling the resource.  using access token
 GET http://localhost:2000
-Authorization: Bearer {{token}}
+Authorization: Bearer <<Replace me with the access_token from the response of the first call>>
diff --git a/docs/ROADMAP.md b/docs/ROADMAP.md
index 7b26d2c0a0..977f48cd76 100644
--- a/docs/ROADMAP.md
+++ b/docs/ROADMAP.md
@@ -2,6 +2,13 @@
 
 # Version 6.0.0
 
+- Update Java Version
+- Change Interceptor chain from stack to instant execution
+  - Probably in InterceptorFlowController {
+- API Key Database Filestore
 - Grafana Dashboard to import in examples/prometheus
   - Also provide the datasource config
   - Maybe the config can be included into the docker-compose setup
+- Simple JWT example 
+- Clean up examples in examples/oauth2
+