We must be able to allow OAuth2 SASL clients to obtain tokens on behalf of an user using the Resource Owner Password Credentials Grant Type [1]. To do that we should provide a CallbackHandler that could be used to handle all the necessary logic related with this grant type.

This should also allow Elytron to support other grant types defined by OAuth2 in the future.

Configuration wise, we must be able to obtain the necessary configuration to integrate with an OAuth2/OpenID Connect identity provider. Where this configuration should be purely based on standard options such as those specified by OpenID Connect Discovery [2].

[1] https://tools.ietf.org/html/rfc6749#page-9
[2] https://openid.net/specs/openid-connect-discovery-1_0.html