Yaml oauth2 example readme

[predic8]

Summary by CodeRabbit

• Documentation

  • Expanded security docs with multi-source API key options, clearer global vs per-API key guidance, YAML-based examples, RBAC and OpenAPI permission notes, and editorial consistency improvements
  • Updated JWT and OAuth2 examples and naming (Azure Entra ID, Membrane Authentication Servers) and replaced XML with YAML
  • Added OpenTelemetry configuration example and diagram; clarified Prometheus/Grafana example

• Refactor

  • Simplified OAuth2 example flows to use standardized request/response templates and header forwarding

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Documentation and example YAML updated: XML examples replaced with YAML; API key sourcing and OAuth2/JWT wording modernized (Azure Entra ID); OAuth2 example flows simplified by removing Groovy scripting in favor of header forwarding and request/template responses.

Changes

Cohort / File(s)	Summary
Documentation README.md	Security section wording revised; API Keys section expanded to cover multi-source definitions (config/file/database) and YAML key store examples; JWT and OAuth2 branding/name updates to Azure Entra ID / Membrane Authentication Servers; OpenTelemetry example and diagram added; various editorial consistency edits.
JWT example distribution/examples/security/jwt/apikey-to-jwt-conversion/apis.yaml	Removed an empty explicit return: {} step from the Token Server API flow document end.
OAuth2 example / client distribution/examples/security/oauth2/membrane/client/apis.yaml	Replaced Groovy logging/header-injection blocks with request/setHeader forwarding of X-EMAIL from membrane.oauth2.userinfo.email; changed downstream target to http://localhost:3000; replaced inline Groovy responses with template-and-return response patterns.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• README.md changed samples to YAML #2336: Similar migration of XML configuration examples to YAML across README and examples.
• Migrate README.md examples from XML to YAML configuration #2416: Related XML→YAML conversion and security example updates for JWT/OAuth2.
• add code flow examples to README #2231: Updates to OAuth2 example documentation and configuration under distribution/examples/security/oauth2.

Suggested labels

7.x

Suggested reviewers

• rrayst

Poem

🐇 I hopped through docs and YAML trails,
Swapped old XML leaves for modern scales,
OAuth emails travel light and quick,
Tokens dance without a Groovy trick,
Snuggled in configs—secure and slick.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title refers to a specific part of the changeset (YAML OAuth2 example in README), but the PR also includes substantial changes to JWT examples, OpenTelemetry documentation, and other security features that are not captured in the title.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3e8ef6b and 02e882b.

📒 Files selected for processing (2)

• README.md
• distribution/examples/security/oauth2/membrane/client/apis.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• README.md

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-11-23T15:59:51.742Z

Learnt from: rrayst
Repo: membrane/api-gateway PR: 2339
File: distribution/examples/web-services-soap/rest2soap-template/apis.yaml:17-32
Timestamp: 2025-11-23T15:59:51.742Z
Learning: In Membrane API Gateway YAML configuration files, response flows execute in reverse order. Steps that appear later in the response flow list actually execute first. For example, if a template references properties and setProperty steps appear after the template in the YAML, those setProperty steps will execute before the template renders.

Applied to files:

• distribution/examples/security/oauth2/membrane/client/apis.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Automated tests
• GitHub Check: Analyze (java)

🔇 Additional comments (1)

distribution/examples/security/oauth2/membrane/client/apis.yaml (1)

26-30: LGTM! Clean migration to declarative YAML.

The template-and-return pattern is a good replacement for Groovy scripting. The flow correctly references the X-EMAIL header forwarded from the upstream OAuth2-protected API (lines 14-18).

Note: The indentation inconsistency flagged in the previous review appears to be resolved—the list items now use 8 spaces consistently throughout the file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @distribution/examples/security/oauth2/membrane/client/apis.yaml:
- Around line 26-30: Fix the inconsistent indentation under the request block by
aligning the list items to match the rest of the file: change the two list
entries "- template:" and "- return:" (and their nested lines like "src: You
accessed the protected resource! Hello ${header[\"X-EMAIL\"]}" and "status:
200") to use the same 8-space indentation as the other request list items so the
"request:" block's list formatting is consistent.

In @README.md:
- Line 902: Replace the unhyphenated phrase "OpenAPI defined permissions" with
the hyphenated compound adjective "OpenAPI-defined permissions" wherever it
appears (e.g., the README occurrence "OpenAPI defined permissions") so the
compound modifier correctly precedes the noun.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b4b296e and 3e8ef6b.

📒 Files selected for processing (3)

• README.md
• distribution/examples/security/jwt/apikey-to-jwt-conversion/apis.yaml
• distribution/examples/security/oauth2/membrane/client/apis.yaml

💤 Files with no reviewable changes (1)

• distribution/examples/security/jwt/apikey-to-jwt-conversion/apis.yaml

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-11-23T15:59:51.742Z

Learnt from: rrayst
Repo: membrane/api-gateway PR: 2339
File: distribution/examples/web-services-soap/rest2soap-template/apis.yaml:17-32
Timestamp: 2025-11-23T15:59:51.742Z
Learning: In Membrane API Gateway YAML configuration files, response flows execute in reverse order. Steps that appear later in the response flow list actually execute first. For example, if a template references properties and setProperty steps appear after the template in the YAML, those setProperty steps will execute before the template renders.

Applied to files:

• distribution/examples/security/oauth2/membrane/client/apis.yaml

🪛 LanguageTool

README.md

[grammar] ~902-~902: Use a hyphen to join words.
Context: ...with fine-grained permissions. - OpenAPI defined permissions. See the [API Key P...

(QB_NEW_EN_HYPHEN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Automated tests
• GitHub Check: Analyze (java)

🔇 Additional comments (5)

distribution/examples/security/oauth2/membrane/client/apis.yaml (1)

14-20: LGTM! OAuth2 user info forwarding is correctly implemented.

The request flow properly extracts the authenticated user's email from the OAuth2 userinfo and forwards it to the backend via the X-EMAIL header. The property access syntax and target configuration are correct.

README.md (4)

876-904: Excellent improvement to the API Keys documentation.

The updated section provides much clearer explanation of API key sources (configuration, file, database) and includes a practical YAML example. The addition of advanced use cases with references to detailed configurations is helpful for users.

---

906-920: LGTM! JWT section correctly updated.

The branding update from "Azure AD" to "Azure Entra ID" reflects Microsoft's current naming, and the conversion from XML to YAML example aligns with the PR's modernization goals.

---

928-947: LGTM! OAuth2 YAML example is clear and consistent.

The OAuth2 configuration example correctly demonstrates:

• OAuth2 resource protection with Membrane as the authentication server
• Header forwarding pattern to pass authenticated user information to backends
• Proper use of property access syntax for OAuth2 userinfo

The YAML structure matches the working example in apis.yaml (with appropriate placeholder backend URL for documentation).

---

1162-1180: Good enhancement to OpenTelemetry documentation.

Adding the diagram reference and providing a concrete YAML configuration example makes this section more actionable for users implementing observability.