The "Using OAuth 2.0 token-based authentication" section would benefit from more explanation of the SASL PLAIN authentication mechanism (see ENTMQST-2603).

At present, SASL PLAIN is only documented as a call-out in the lengthy procedure for Configuring OAuth 2.0 support for Kafka brokers.] It should be properly explained at the start of the OAuth 2.0 section.

As a stretch goal, we could create a new flowchart for SASL PLAIN, similar to those for fast local token validation vs. validation using the introspection endpoint.