As an end user, I want to authenticate inside a browser-based appliction or native/hybrid mobile application which is registered with the IAM Server, using username password and optionally OTP (if configured via IAM.Provision.User.OTP), using a suitable secure mechanism over REST.

Notes: For example, if I am in a role "Marketing Manager", I should be able to access all protected APIs (via corresponding Resource Server) which are accessible to "Marketing Managers".