From 6145a79f5d68158233551dc4ca10a1be29c0ff21 Mon Sep 17 00:00:00 2001 
From: Michael Jumper Date: Fri, 21 Jan 2022 15:23:40 -0800 Subject: [PATCH] GUACAMOLE-641: Add generic vault support with an initial Azure Key Vault implementation. --- doc/licenses/adal4j-1.6.7/LICENSE | 21 ++ doc/licenses/adal4j-1.6.7/README | 8 + doc/licenses/adal4j-1.6.7/dep-coordinates.txt | 1 + doc/licenses/apache-commons-lang-3.8.1/NOTICE | 5 + doc/licenses/apache-commons-lang-3.8.1/README | 8 + .../dep-coordinates.txt | 1 + doc/licenses/asm-8.0.1/LICENSE.txt | 28 ++ doc/licenses/asm-8.0.1/README | 8 + doc/licenses/asm-8.0.1/dep-coordinates.txt | 1 + .../autorest-client-runtime-1.7.4/LICENSE | 21 ++ .../autorest-client-runtime-1.7.4/README | 9 + .../dep-coordinates.txt | 2 + .../azure-annotations-1.10.0/License.txt | 28 ++ doc/licenses/azure-annotations-1.10.0/README | 9 + .../dep-coordinates.txt | 1 + .../azure-sdk-for-java-1.2.4/LICENSE.txt | 21 ++ doc/licenses/azure-sdk-for-java-1.2.4/README | 8 + .../dep-coordinates.txt | 5 + doc/licenses/gson-2.8.0/README | 8 + doc/licenses/gson-2.8.0/dep-coordinates.txt | 1 + .../jackson-2.13.1/dep-coordinates.txt | 1 + doc/licenses/joda-time-2.10.8/NOTICE | 2 + doc/licenses/joda-time-2.10.8/README | 8 + .../joda-time-2.10.8/dep-coordinates.txt | 1 + doc/licenses/json-smart-2.4.2/LICENSE | 202 +++++++++++++ doc/licenses/json-smart-2.4.2/README | 8 + .../json-smart-2.4.2/dep-coordinates.txt | 2 + doc/licenses/lang-tag-1.5/README | 8 + doc/licenses/lang-tag-1.5/dep-coordinates.txt | 1 + doc/licenses/nimbus-content-type-2.1/README | 8 + .../dep-coordinates.txt | 1 + doc/licenses/nimbus-jose-jwt-9.8.1/README | 8 + .../nimbus-jose-jwt-9.8.1/dep-coordinates.txt | 1 + doc/licenses/oauth2-oidc-sdk-9.4/README | 9 + .../oauth2-oidc-sdk-9.4/dep-coordinates.txt | 1 + doc/licenses/okhttp-3.14.7/README | 8 + .../okhttp-3.14.7/dep-coordinates.txt | 3 + doc/licenses/okio-1.17.2/README | 8 + doc/licenses/okio-1.17.2/dep-coordinates.txt | 1 + doc/licenses/retrofit-2.7.2/README | 8 + .../retrofit-2.7.2/dep-coordinates.txt | 3 + 
doc/licenses/rxjava-1.3.8/LICENSE | 202 +++++++++++++ doc/licenses/rxjava-1.3.8/README | 8 + doc/licenses/rxjava-1.3.8/dep-coordinates.txt | 1 + doc/licenses/snakeyaml-1.27/README | 8 + .../snakeyaml-1.27/dep-coordinates.txt | 1 + .../stephenc-jcip-annotations-1.0-1/README | 8 + .../dep-coordinates.txt | 1 + extensions/guacamole-auth-vault/.ratignore | 0 .../guacamole-auth-vault-azure/.ratignore | 0 .../guacamole-auth-vault-azure/pom.xml | 194 ++++++++++++ .../AzureKeyVaultAuthenticationProvider.java | 47 +++ ...eKeyVaultAuthenticationProviderModule.java | 61 ++++ .../AzureKeyVaultAuthenticationException.java | 57 ++++ .../AzureKeyVaultConfigurationService.java | 135 +++++++++ .../azure/conf/AzureKeyVaultCredentials.java | 115 +++++++ .../secret/AzureKeyVaultSecretService.java | 99 ++++++ .../src/main/resources/guac-manifest.json | 16 + .../guacamole-auth-vault-base/.ratignore | 0 .../modules/guacamole-auth-vault-base/pom.xml | 70 +++++ .../vault/VaultAuthenticationProvider.java | 63 ++++ .../VaultAuthenticationProviderModule.java | 98 ++++++ .../vault/conf/VaultConfigurationService.java | 107 +++++++ .../auth/vault/secret/VaultSecretService.java | 67 +++++ .../auth/vault/user/VaultUserContext.java | 281 ++++++++++++++++++ .../vault/user/VaultUserContextFactory.java | 46 +++ .../src/main/resources/translations/en.json | 7 + .../guacamole-auth-vault-dist/.ratignore | 0 .../modules/guacamole-auth-vault-dist/pom.xml | 63 ++++ .../src/main/assembly/dist.xml | 54 ++++ extensions/guacamole-auth-vault/pom.xml | 67 +++++ extensions/pom.xml | 1 + pom.xml | 7 +- 73 files changed, 2369 insertions(+), 1 deletion(-) create mode 100644 doc/licenses/adal4j-1.6.7/LICENSE create mode 100644 doc/licenses/adal4j-1.6.7/README create mode 100644 doc/licenses/adal4j-1.6.7/dep-coordinates.txt create mode 100644 doc/licenses/apache-commons-lang-3.8.1/NOTICE create mode 100644 doc/licenses/apache-commons-lang-3.8.1/README create mode 100644 
doc/licenses/apache-commons-lang-3.8.1/dep-coordinates.txt create mode 100644 doc/licenses/asm-8.0.1/LICENSE.txt create mode 100644 doc/licenses/asm-8.0.1/README create mode 100644 doc/licenses/asm-8.0.1/dep-coordinates.txt create mode 100644 doc/licenses/autorest-client-runtime-1.7.4/LICENSE create mode 100644 doc/licenses/autorest-client-runtime-1.7.4/README create mode 100644 doc/licenses/autorest-client-runtime-1.7.4/dep-coordinates.txt create mode 100644 doc/licenses/azure-annotations-1.10.0/License.txt create mode 100644 doc/licenses/azure-annotations-1.10.0/README create mode 100644 doc/licenses/azure-annotations-1.10.0/dep-coordinates.txt create mode 100644 doc/licenses/azure-sdk-for-java-1.2.4/LICENSE.txt create mode 100644 doc/licenses/azure-sdk-for-java-1.2.4/README create mode 100644 doc/licenses/azure-sdk-for-java-1.2.4/dep-coordinates.txt create mode 100644 doc/licenses/gson-2.8.0/README create mode 100644 doc/licenses/gson-2.8.0/dep-coordinates.txt create mode 100644 doc/licenses/joda-time-2.10.8/NOTICE create mode 100644 doc/licenses/joda-time-2.10.8/README create mode 100644 doc/licenses/joda-time-2.10.8/dep-coordinates.txt create mode 100644 doc/licenses/json-smart-2.4.2/LICENSE create mode 100644 doc/licenses/json-smart-2.4.2/README create mode 100644 doc/licenses/json-smart-2.4.2/dep-coordinates.txt create mode 100644 doc/licenses/lang-tag-1.5/README create mode 100644 doc/licenses/lang-tag-1.5/dep-coordinates.txt create mode 100644 doc/licenses/nimbus-content-type-2.1/README create mode 100644 doc/licenses/nimbus-content-type-2.1/dep-coordinates.txt create mode 100644 doc/licenses/nimbus-jose-jwt-9.8.1/README create mode 100644 doc/licenses/nimbus-jose-jwt-9.8.1/dep-coordinates.txt create mode 100644 doc/licenses/oauth2-oidc-sdk-9.4/README create mode 100644 doc/licenses/oauth2-oidc-sdk-9.4/dep-coordinates.txt create mode 100644 doc/licenses/okhttp-3.14.7/README create mode 100644 doc/licenses/okhttp-3.14.7/dep-coordinates.txt create mode 
100644 doc/licenses/okio-1.17.2/README create mode 100644 doc/licenses/okio-1.17.2/dep-coordinates.txt create mode 100644 doc/licenses/retrofit-2.7.2/README create mode 100644 doc/licenses/retrofit-2.7.2/dep-coordinates.txt create mode 100644 doc/licenses/rxjava-1.3.8/LICENSE create mode 100644 doc/licenses/rxjava-1.3.8/README create mode 100644 doc/licenses/rxjava-1.3.8/dep-coordinates.txt create mode 100644 doc/licenses/snakeyaml-1.27/README create mode 100644 doc/licenses/snakeyaml-1.27/dep-coordinates.txt create mode 100644 doc/licenses/stephenc-jcip-annotations-1.0-1/README create mode 100644 doc/licenses/stephenc-jcip-annotations-1.0-1/dep-coordinates.txt create mode 100644 extensions/guacamole-auth-vault/.ratignore create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/.ratignore create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/pom.xml create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/AzureKeyVaultAuthenticationProvider.java create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/AzureKeyVaultAuthenticationProviderModule.java create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultAuthenticationException.java create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultConfigurationService.java create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultCredentials.java create mode 100644 
extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/secret/AzureKeyVaultSecretService.java create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/resources/guac-manifest.json create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/.ratignore create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/pom.xml create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/VaultAuthenticationProvider.java create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/VaultAuthenticationProviderModule.java create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/conf/VaultConfigurationService.java create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/secret/VaultSecretService.java create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/user/VaultUserContext.java create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/user/VaultUserContextFactory.java create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/resources/translations/en.json create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-dist/.ratignore create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-dist/pom.xml create mode 100644 extensions/guacamole-auth-vault/modules/guacamole-auth-vault-dist/src/main/assembly/dist.xml create mode 100644 extensions/guacamole-auth-vault/pom.xml 
diff --git a/doc/licenses/adal4j-1.6.7/LICENSE b/doc/licenses/adal4j-1.6.7/LICENSE
new file mode 100644
index 000000000..48bc6bb49
--- /dev/null
+++ b/doc/licenses/adal4j-1.6.7/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) Microsoft Corporation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/doc/licenses/adal4j-1.6.7/README b/doc/licenses/adal4j-1.6.7/README
new file mode 100644
index 000000000..34062836d
--- /dev/null
+++ b/doc/licenses/adal4j-1.6.7/README
@@ -0,0 +1,8 @@
+adal4j (https://github.com/AzureAD/azure-activedirectory-library-for-java)
+--------------------------------------------------------------------------
+
+ Version: 1.6.7
+ From: 'Microsoft Corporation' (https://microsoft.com/)
+ License(s):
+ MIT (bundled/adal4j-1.6.7/LICENSE)
+
diff --git a/doc/licenses/adal4j-1.6.7/dep-coordinates.txt b/doc/licenses/adal4j-1.6.7/dep-coordinates.txt
new file mode 100644
index 000000000..e8e0f3b2f
--- /dev/null
+++ b/doc/licenses/adal4j-1.6.7/dep-coordinates.txt
@@ -0,0 +1 @@
+com.microsoft.azure:adal4j:jar:1.6.7
diff --git a/doc/licenses/apache-commons-lang-3.8.1/NOTICE b/doc/licenses/apache-commons-lang-3.8.1/NOTICE
new file mode 100644
index 000000000..0f4ac594a
--- /dev/null
+++ b/doc/licenses/apache-commons-lang-3.8.1/NOTICE
@@ -0,0 +1,5 @@
+Apache Commons Lang
+Copyright 2001-2018 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
diff --git a/doc/licenses/apache-commons-lang-3.8.1/README b/doc/licenses/apache-commons-lang-3.8.1/README
new file mode 100644
index 000000000..d8cf381ef
--- /dev/null
+++ b/doc/licenses/apache-commons-lang-3.8.1/README
@@ -0,0 +1,8 @@
+Apache Commons Lang (http://commons.apache.org/proper/commons-lang/)
+--------------------------------------------------------------------
+
+ Version: 3.8.1
+ From: 'Apache Software Foundation' (https://www.apache.org/)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/apache-commons-lang-3.8.1/dep-coordinates.txt b/doc/licenses/apache-commons-lang-3.8.1/dep-coordinates.txt
new file mode 100644
index 000000000..f3305d051
--- /dev/null
+++ b/doc/licenses/apache-commons-lang-3.8.1/dep-coordinates.txt
@@ -0,0 +1 @@
+org.apache.commons:commons-lang3:jar:3.8.1
diff --git a/doc/licenses/asm-8.0.1/LICENSE.txt b/doc/licenses/asm-8.0.1/LICENSE.txt
new file mode 100644
index 000000000..4d191851a
--- /dev/null
+++ b/doc/licenses/asm-8.0.1/LICENSE.txt
@@ -0,0 +1,28 @@
+
+ ASM: a very small and fast Java bytecode manipulation framework
+ Copyright (c) 2000-2011 INRIA, France Telecom
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. Neither the name of the copyright holders nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/doc/licenses/asm-8.0.1/README b/doc/licenses/asm-8.0.1/README
new file mode 100644
index 000000000..304b95281
--- /dev/null
+++ b/doc/licenses/asm-8.0.1/README
@@ -0,0 +1,8 @@
+ASM (https://asm.ow2.io/)
+-------------------------
+
+ Version: 8.0.1
+ From: 'INRIA, France Telecom'
+ License(s):
+ BSD 3-clause (bundled/asm-8.0.1/LICENSE.txt)
+
diff --git a/doc/licenses/asm-8.0.1/dep-coordinates.txt b/doc/licenses/asm-8.0.1/dep-coordinates.txt
new file mode 100644
index 000000000..cf52dc1a7
--- /dev/null
+++ b/doc/licenses/asm-8.0.1/dep-coordinates.txt
@@ -0,0 +1 @@
+org.ow2.asm:asm:jar:8.0.1
diff --git a/doc/licenses/autorest-client-runtime-1.7.4/LICENSE b/doc/licenses/autorest-client-runtime-1.7.4/LICENSE
new file mode 100644
index 000000000..4918d653b
--- /dev/null
+++ b/doc/licenses/autorest-client-runtime-1.7.4/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Microsoft Azure
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/doc/licenses/autorest-client-runtime-1.7.4/README b/doc/licenses/autorest-client-runtime-1.7.4/README
new file mode 100644
index 000000000..e8a65f14f
--- /dev/null
+++ b/doc/licenses/autorest-client-runtime-1.7.4/README
@@ -0,0 +1,9 @@
+AutoRest Client Runtimes for Java
+(https://github.com/Azure/autorest-clientruntime-for-java)
+----------------------------------------------------------
+
+ Version: 1.7.4
+ From: 'Microsoft Azure' (https://azure.microsoft.com/)
+ License(s):
+ MIT (bundled/autorest-client-runtime-1.7.4/LICENSE)
+
diff --git a/doc/licenses/autorest-client-runtime-1.7.4/dep-coordinates.txt b/doc/licenses/autorest-client-runtime-1.7.4/dep-coordinates.txt
new file mode 100644
index 000000000..5d1dc913f
--- /dev/null
+++ b/doc/licenses/autorest-client-runtime-1.7.4/dep-coordinates.txt
@@ -0,0 +1,2 @@
+com.microsoft.rest:client-runtime:jar:1.7.4
+com.microsoft.azure:azure-client-runtime:jar:1.7.4
diff --git a/doc/licenses/azure-annotations-1.10.0/License.txt b/doc/licenses/azure-annotations-1.10.0/License.txt
new file mode 100644
index 000000000..fbe8e19b3
--- /dev/null
+++ b/doc/licenses/azure-annotations-1.10.0/License.txt
@@ -0,0 +1,28 @@
+/**
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License. See License.txt in the project root for
+ * license information.
+ */
+
+NOTE: The above has been extracted from the source of the "azure-annotations"
+library, as may be downloaded from Maven Central:
+
+https://search.maven.org/remotecontent?filepath=com/microsoft/azure/azure-annotations/1.10.0/azure-annotations-1.10.0-sources.jar
+
+Unfortunately, the "License.txt" file noted is not included with the source
+.jar, and the GitHub repository referenced by the pom.xml of
+"azure-annotations" is not publicly visible:
+
+https://github.com/Microsoft/java-api-annotations
+
+I (Mike Jumper) have reached out to Microsoft to correct this and to request a
+copy of the "License.txt" file if access to this repository cannot be fixed in
+the near future. Until then, the above should serve as reasonable confirmation
+that this library is indeed (1) licensed under the MIT license and (2)
+copyright Microsoft Corporation.
+
+For reference, the terms of the open source license widely known as the "MIT
+license" can be found here:
+
+https://opensource.org/licenses/MIT
+
diff --git a/doc/licenses/azure-annotations-1.10.0/README b/doc/licenses/azure-annotations-1.10.0/README
new file mode 100644
index 000000000..183f0f76e
--- /dev/null
+++ b/doc/licenses/azure-annotations-1.10.0/README
@@ -0,0 +1,9 @@
+Microsoft Azure SDK Annotations
+(https://github.com/Microsoft/java-api-annotations)
+---------------------------------------------------
+
+ Version: 1.10.0
+ From: 'Microsoft Corporation' (https://microsoft.com/)
+ License(s):
+ MIT (bundled/azure-annotations-1.10.0/License.txt)
+
diff --git a/doc/licenses/azure-annotations-1.10.0/dep-coordinates.txt b/doc/licenses/azure-annotations-1.10.0/dep-coordinates.txt
new file mode 100644
index 000000000..f96581d3c
--- /dev/null
+++ b/doc/licenses/azure-annotations-1.10.0/dep-coordinates.txt
@@ -0,0 +1 @@
+com.microsoft.azure:azure-annotations:jar:1.10.0
diff --git a/doc/licenses/azure-sdk-for-java-1.2.4/LICENSE.txt b/doc/licenses/azure-sdk-for-java-1.2.4/LICENSE.txt
new file mode 100644
index 000000000..49d21669a
--- /dev/null
+++ b/doc/licenses/azure-sdk-for-java-1.2.4/LICENSE.txt
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Microsoft
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/doc/licenses/azure-sdk-for-java-1.2.4/README b/doc/licenses/azure-sdk-for-java-1.2.4/README
new file mode 100644
index 000000000..9e6e3fd08
--- /dev/null
+++ b/doc/licenses/azure-sdk-for-java-1.2.4/README
@@ -0,0 +1,8 @@
+Azure SDK for Java (https://github.com/Azure/azure-sdk-for-java/)
+-----------------------------------------------------------------
+
+ Version: 1.2.4
+ From: 'Microsoft' (https://microsoft.com/)
+ License(s):
+ MIT (bundled/azure-sdk-for-java-1.2.4/LICENSE.txt)
+
diff --git a/doc/licenses/azure-sdk-for-java-1.2.4/dep-coordinates.txt b/doc/licenses/azure-sdk-for-java-1.2.4/dep-coordinates.txt
new file mode 100644
index 000000000..9bfa04c27
--- /dev/null
+++ b/doc/licenses/azure-sdk-for-java-1.2.4/dep-coordinates.txt
@@ -0,0 +1,5 @@
+com.microsoft.azure:azure-keyvault-core:jar:1.2.4
+com.microsoft.azure:azure-keyvault-cryptography:jar:1.2.4
+com.microsoft.azure:azure-keyvault-webkey:jar:1.2.4
+com.microsoft.azure:azure-keyvault:jar:1.2.4
+
diff --git a/doc/licenses/gson-2.8.0/README b/doc/licenses/gson-2.8.0/README
new file mode 100644
index 000000000..40530bbf6
--- /dev/null
+++ b/doc/licenses/gson-2.8.0/README
@@ -0,0 +1,8 @@
+Gson (https://github.com/google/gson)
+-------------------------------------
+
+ Version: 2.8.0
+ From: 'Google Inc.' (http://www.google.com/)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/gson-2.8.0/dep-coordinates.txt b/doc/licenses/gson-2.8.0/dep-coordinates.txt
new file mode 100644
index 000000000..d171937b9
--- /dev/null
+++ b/doc/licenses/gson-2.8.0/dep-coordinates.txt
@@ -0,0 +1 @@
+com.google.code.gson:gson:jar:2.8.0
diff --git a/doc/licenses/jackson-2.13.1/dep-coordinates.txt b/doc/licenses/jackson-2.13.1/dep-coordinates.txt
index f2cbd8d67..f469e53ff 100644
--- a/doc/licenses/jackson-2.13.1/dep-coordinates.txt
+++ b/doc/licenses/jackson-2.13.1/dep-coordinates.txt
@@ -2,4 +2,5 @@ com.fasterxml.jackson.core:jackson-databind:jar:2.13.1
 com.fasterxml.jackson.core:jackson-core:jar:2.13.1
 com.fasterxml.jackson.core:jackson-annotations:jar:2.13.1
 com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.1
+com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.13.1
 com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.13.1
diff --git a/doc/licenses/joda-time-2.10.8/NOTICE b/doc/licenses/joda-time-2.10.8/NOTICE
new file mode 100644
index 000000000..b8f54d7b2
--- /dev/null
+++ b/doc/licenses/joda-time-2.10.8/NOTICE
@@ -0,0 +1,2 @@
+This product includes software developed by
+Joda.org (https://www.joda.org/).
diff --git a/doc/licenses/joda-time-2.10.8/README b/doc/licenses/joda-time-2.10.8/README
new file mode 100644
index 000000000..ee8d28c96
--- /dev/null
+++ b/doc/licenses/joda-time-2.10.8/README
@@ -0,0 +1,8 @@
+Joda-Time (https://www.joda.org/joda-time/)
+----------------------------------------------
+
+ Version: 2.10.8
+ From: 'Joda.org' (https://www.joda.org/)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/joda-time-2.10.8/dep-coordinates.txt b/doc/licenses/joda-time-2.10.8/dep-coordinates.txt
new file mode 100644
index 000000000..0cc75bc83
--- /dev/null
+++ b/doc/licenses/joda-time-2.10.8/dep-coordinates.txt
@@ -0,0 +1 @@
+joda-time:joda-time:jar:2.10.8
diff --git a/doc/licenses/json-smart-2.4.2/LICENSE b/doc/licenses/json-smart-2.4.2/LICENSE
new file mode 100644
index 000000000..8f71f43fe
--- /dev/null
+++ b/doc/licenses/json-smart-2.4.2/LICENSE
@@ -0,0 +1,202 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/doc/licenses/json-smart-2.4.2/README b/doc/licenses/json-smart-2.4.2/README new file mode 100644 index 000000000..6ba0bb66a --- /dev/null +++ b/doc/licenses/json-smart-2.4.2/README @@ -0,0 +1,8 @@ +json-smart (https://netplex.github.io/json-smart/) +-------------------------------------------------- + + Version: 2.4.2 + From: 'Uriel Chemouni' (https://github.com/UrielCh) + License(s): + Apache v2.0 + diff --git a/doc/licenses/json-smart-2.4.2/dep-coordinates.txt b/doc/licenses/json-smart-2.4.2/dep-coordinates.txt new file mode 100644 index 000000000..bf1c8b44b --- /dev/null +++ b/doc/licenses/json-smart-2.4.2/dep-coordinates.txt @@ -0,0 +1,2 @@ +net.minidev:accessors-smart:jar:2.4.2 +net.minidev:json-smart:jar:2.4.2 
diff --git a/doc/licenses/lang-tag-1.5/README b/doc/licenses/lang-tag-1.5/README
new file mode 100644
index 000000000..2de3b0e74
--- /dev/null
+++ b/doc/licenses/lang-tag-1.5/README
@@ -0,0 +1,8 @@
+Nimbus Language Tags (https://bitbucket.org/connect2id/nimbus-language-tags)
+----------------------------------------------------------------------------
+
+ Version: 1.5
+ From: 'Connect2id Ltd.' (https://connect2id.com/)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/lang-tag-1.5/dep-coordinates.txt b/doc/licenses/lang-tag-1.5/dep-coordinates.txt
new file mode 100644
index 000000000..fd885a12b
--- /dev/null
+++ b/doc/licenses/lang-tag-1.5/dep-coordinates.txt
@@ -0,0 +1 @@
+com.nimbusds:lang-tag:jar:1.5
diff --git a/doc/licenses/nimbus-content-type-2.1/README b/doc/licenses/nimbus-content-type-2.1/README
new file mode 100644
index 000000000..13b925e21
--- /dev/null
+++ b/doc/licenses/nimbus-content-type-2.1/README
@@ -0,0 +1,8 @@
+Nimbus Content Type (https://bitbucket.org/connect2id/nimbus-content-type)
+--------------------------------------------------------------------------
+
+ Version: 2.1
+ From: 'Connect2id Ltd.' (https://connect2id.com/)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/nimbus-content-type-2.1/dep-coordinates.txt b/doc/licenses/nimbus-content-type-2.1/dep-coordinates.txt
new file mode 100644
index 000000000..8910f18d2
--- /dev/null
+++ b/doc/licenses/nimbus-content-type-2.1/dep-coordinates.txt
@@ -0,0 +1 @@
+com.nimbusds:content-type:jar:2.1
diff --git a/doc/licenses/nimbus-jose-jwt-9.8.1/README b/doc/licenses/nimbus-jose-jwt-9.8.1/README
new file mode 100644
index 000000000..5035f4127
--- /dev/null
+++ b/doc/licenses/nimbus-jose-jwt-9.8.1/README
@@ -0,0 +1,8 @@
+Nimbus JOSE+JWT (https://bitbucket.org/connect2id/nimbus-jose-jwt)
+------------------------------------------------------------------
+
+ Version: 9.8.1
+ From: 'Connect2id Ltd.' (https://connect2id.com/)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/nimbus-jose-jwt-9.8.1/dep-coordinates.txt b/doc/licenses/nimbus-jose-jwt-9.8.1/dep-coordinates.txt
new file mode 100644
index 000000000..d15ff6d87
--- /dev/null
+++ b/doc/licenses/nimbus-jose-jwt-9.8.1/dep-coordinates.txt
@@ -0,0 +1 @@
+com.nimbusds:nimbus-jose-jwt:jar:9.8.1
diff --git a/doc/licenses/oauth2-oidc-sdk-9.4/README b/doc/licenses/oauth2-oidc-sdk-9.4/README
new file mode 100644
index 000000000..f32808a0e
--- /dev/null
+++ b/doc/licenses/oauth2-oidc-sdk-9.4/README
@@ -0,0 +1,9 @@
+Nimbus OAuth 2.0 SDK with OpenID Connect extensions
+(https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions)
+-------------------------------------------------------------------------------
+
+ Version: 9.4
+ From: 'Connect2id Ltd.' (https://connect2id.com/)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/oauth2-oidc-sdk-9.4/dep-coordinates.txt b/doc/licenses/oauth2-oidc-sdk-9.4/dep-coordinates.txt
new file mode 100644
index 000000000..2bce0c919
--- /dev/null
+++ b/doc/licenses/oauth2-oidc-sdk-9.4/dep-coordinates.txt
@@ -0,0 +1 @@
+com.nimbusds:oauth2-oidc-sdk:jar:9.4
diff --git a/doc/licenses/okhttp-3.14.7/README b/doc/licenses/okhttp-3.14.7/README
new file mode 100644
index 000000000..c3bd4173b
--- /dev/null
+++ b/doc/licenses/okhttp-3.14.7/README
@@ -0,0 +1,8 @@
+OkHttp (https://github.com/square/okhttp)
+-----------------------------------------
+
+ Version: 3.14.7
+ From: 'Square, Inc.' (http://square.github.io/)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/okhttp-3.14.7/dep-coordinates.txt b/doc/licenses/okhttp-3.14.7/dep-coordinates.txt
new file mode 100644
index 000000000..9729cd760
--- /dev/null
+++ b/doc/licenses/okhttp-3.14.7/dep-coordinates.txt
@@ -0,0 +1,3 @@
+com.squareup.okhttp3:logging-interceptor:jar:3.14.7
+com.squareup.okhttp3:okhttp-urlconnection:jar:3.14.7
+com.squareup.okhttp3:okhttp:jar:3.14.7
diff --git a/doc/licenses/okio-1.17.2/README b/doc/licenses/okio-1.17.2/README
new file mode 100644
index 000000000..13471ad46
--- /dev/null
+++ b/doc/licenses/okio-1.17.2/README
@@ -0,0 +1,8 @@
+Okio (https://github.com/square/okio)
+-------------------------------------
+
+ Version: 1.17.2
+ From: 'Square, Inc.' (http://square.github.io/)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/okio-1.17.2/dep-coordinates.txt b/doc/licenses/okio-1.17.2/dep-coordinates.txt
new file mode 100644
index 000000000..54ab8297c
--- /dev/null
+++ b/doc/licenses/okio-1.17.2/dep-coordinates.txt
@@ -0,0 +1 @@
+com.squareup.okio:okio:jar:1.17.2
diff --git a/doc/licenses/retrofit-2.7.2/README b/doc/licenses/retrofit-2.7.2/README
new file mode 100644
index 000000000..83fea9db2
--- /dev/null
+++ b/doc/licenses/retrofit-2.7.2/README
@@ -0,0 +1,8 @@
+Retrofit (https://github.com/square/retrofit)
+---------------------------------------------
+
+ Version: 2.7.2
+ From: 'Square, Inc.' (http://square.github.io/)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/retrofit-2.7.2/dep-coordinates.txt b/doc/licenses/retrofit-2.7.2/dep-coordinates.txt
new file mode 100644
index 000000000..ff175a09d
--- /dev/null
+++ b/doc/licenses/retrofit-2.7.2/dep-coordinates.txt
@@ -0,0 +1,3 @@
+com.squareup.retrofit2:adapter-rxjava:jar:2.7.2
+com.squareup.retrofit2:converter-jackson:jar:2.7.2
+com.squareup.retrofit2:retrofit:jar:2.7.2
diff --git a/doc/licenses/rxjava-1.3.8/LICENSE b/doc/licenses/rxjava-1.3.8/LICENSE
new file mode 100644
index 000000000..7f8ced0d1
--- /dev/null
+++ b/doc/licenses/rxjava-1.3.8/LICENSE
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright 2012 Netflix, Inc.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/doc/licenses/rxjava-1.3.8/README b/doc/licenses/rxjava-1.3.8/README
new file mode 100644
index 000000000..9aaa62d61
--- /dev/null
+++ b/doc/licenses/rxjava-1.3.8/README
@@ -0,0 +1,8 @@
+RxJava – Reactive Extensions for the JVM (https://github.com/ReactiveX/RxJava)
+------------------------------------------------------------------------------
+
+ Version: 1.3.8
+ From: 'RxJava Contributors' (https://github.com/ReactiveX/RxJava)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/rxjava-1.3.8/dep-coordinates.txt b/doc/licenses/rxjava-1.3.8/dep-coordinates.txt
new file mode 100644
index 000000000..e17a77560
--- /dev/null
+++ b/doc/licenses/rxjava-1.3.8/dep-coordinates.txt
@@ -0,0 +1 @@
+io.reactivex:rxjava:jar:1.3.8
diff --git a/doc/licenses/snakeyaml-1.27/README b/doc/licenses/snakeyaml-1.27/README
new file mode 100644
index 000000000..3fcd837d6
--- /dev/null
+++ b/doc/licenses/snakeyaml-1.27/README
@@ -0,0 +1,8 @@
+SnakeYAML (https://bitbucket.org/asomov/snakeyaml/)
+---------------------------------------------------
+
+ Version: 1.27
+ From: 'Andrey Somov' (https://bitbucket.org/asomov/)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/snakeyaml-1.27/dep-coordinates.txt b/doc/licenses/snakeyaml-1.27/dep-coordinates.txt
new file mode 100644
index 000000000..d7cbad91a
--- /dev/null
+++ b/doc/licenses/snakeyaml-1.27/dep-coordinates.txt
@@ -0,0 +1 @@
+org.yaml:snakeyaml:jar:1.27
diff --git a/doc/licenses/stephenc-jcip-annotations-1.0-1/README b/doc/licenses/stephenc-jcip-annotations-1.0-1/README
new file mode 100644
index 000000000..8e59938a1
--- /dev/null
+++ b/doc/licenses/stephenc-jcip-annotations-1.0-1/README
@@ -0,0 +1,8 @@
+Clean-room JCIP Annotations (https://github.com/stephenc/jcip-annotations)
+--------------------------------------------------------------------------
+
+ Version: 1.0-1
+ From: 'Stephen Connolly' (https://github.com/stephenc)
+ License(s):
+ Apache v2.0
+
diff --git a/doc/licenses/stephenc-jcip-annotations-1.0-1/dep-coordinates.txt b/doc/licenses/stephenc-jcip-annotations-1.0-1/dep-coordinates.txt
new file mode 100644
index 000000000..e42206c27
--- /dev/null
+++ b/doc/licenses/stephenc-jcip-annotations-1.0-1/dep-coordinates.txt
@@ -0,0 +1 @@
+com.github.stephenc.jcip:jcip-annotations:jar:1.0-1
diff --git a/extensions/guacamole-auth-vault/.ratignore b/extensions/guacamole-auth-vault/.ratignore
new file mode 100644
index 000000000..e69de29bb
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/.ratignore b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/.ratignore
new file mode 100644
index 000000000..e69de29bb
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/pom.xml b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/pom.xml new file mode 100644 index 000000000..d1d336aa1 --- /dev/null +++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/pom.xml @@ -0,0 +1,194 @@ + + + + + 4.0.0 + org.apache.guacamole + guacamole-auth-vault-azure + jar + 1.4.0 + guacamole-auth-vault-azure + http://guacamole.apache.org/ + + + 1.7.4 + 3.14.7 + + + + org.apache.guacamole + guacamole-auth-vault + 1.4.0 + ../../ + + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + + false + + + + + + + + + + + org.apache.guacamole + guacamole-ext + provided + + + + + org.apache.guacamole + guacamole-auth-vault-base + 1.4.0 + + + + + com.microsoft.azure + azure-keyvault + 1.2.4 + + + + + org.slf4j + slf4j-api + + + + + com.microsoft.azure + azure-client-runtime + + + commons-codec + commons-codec + + + + + + + + + com.microsoft.azure + adal4j + 1.6.7 + + + + + org.slf4j + slf4j-api + + + + + org.apache.commons + commons-lang3 + + + + + + + + com.microsoft.azure + azure-client-runtime + ${azure-client-runtimes.version} + + + com.microsoft.rest + client-runtime + ${azure-client-runtimes.version} + + + org.apache.commons + commons-lang3 + + + com.squareup.okhttp3 + okhttp + + + com.squareup.okhttp3 + okhttp-urlconnection + + + com.squareup.okhttp3 + logging-interceptor + + + + + + + org.apache.commons + commons-lang3 + 3.8.1 + + + commons-codec + commons-codec + 1.14 + + + + + com.squareup.okhttp3 + okhttp + ${okhttp.version} + + + com.squareup.okhttp3 + okhttp-urlconnection + ${okhttp.version} + + + com.squareup.okhttp3 + logging-interceptor + ${okhttp.version} + + + + + 
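Review bot: The new module depends on `com.microsoft.azure:azure-keyvault` 1.2.4 and `com.microsoft.azure:adal4j` 1.6.7, both from the legacy Azure SDK line; ADAL has been superseded by MSAL (`com.microsoft.azure:msal4j`) and the Key Vault client by `com.azure:azure-security-keyvault-secrets`, so fixes for the token-acquisition path are likely to land only in the newer libraries. If the legacy SDK is kept for now, a comment beside these two dependencies recording that decision and a tracking issue would make the debt visible. The hand-pinned versions (client-runtime `1.7.4`, okhttp `3.14.7`, commons-codec `1.14`, commons-lang3 `3.8.1`) take those transitive dependencies out of the SDK's control, so each should carry a short comment saying why it is overridden; otherwise they will lag behind upstream advisories unnoticed. The XML markup is not visible in this rendering, so element placement is inferred from the coordinates shown.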
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/AzureKeyVaultAuthenticationProvider.java b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/AzureKeyVaultAuthenticationProvider.java
new file mode 100644
index 000000000..5fd091374
--- /dev/null
+++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/AzureKeyVaultAuthenticationProvider.java
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.vault.azure;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.vault.VaultAuthenticationProvider;
+
+/**
+ * VaultAuthenticationProvider implementation which reads secrets from Azure
+ * Key Vault.
+ */
+public class AzureKeyVaultAuthenticationProvider extends VaultAuthenticationProvider {
+
+ /**
+ * Creates a new AzureKeyVaultAuthenticationProvider which reads secrets
+ * from a configured Azure Key Vault.
+ *
+ * @throws GuacamoleException
+ * If configuration details cannot be read from guacamole.properties.
+ */
+ public AzureKeyVaultAuthenticationProvider() throws GuacamoleException {
+ super(new AzureKeyVaultAuthenticationProviderModule());
+ }
+
+ @Override
+ public String getIdentifier() {
+ return "azure-keyvault";
+ }
+
+}
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/AzureKeyVaultAuthenticationProviderModule.java b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/AzureKeyVaultAuthenticationProviderModule.java
new file mode 100644
index 000000000..3cba8b705
--- /dev/null
+++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/AzureKeyVaultAuthenticationProviderModule.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.vault.azure;
+
+import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.vault.VaultAuthenticationProviderModule;
+import org.apache.guacamole.auth.vault.azure.conf.AzureKeyVaultConfigurationService;
+import org.apache.guacamole.auth.vault.azure.conf.AzureKeyVaultCredentials;
+import org.apache.guacamole.auth.vault.azure.secret.AzureKeyVaultSecretService;
+import org.apache.guacamole.auth.vault.conf.VaultConfigurationService;
+import org.apache.guacamole.auth.vault.secret.VaultSecretService;
+
+/**
+ * Guice module which configures injections specific to Azure Key Vault
+ * support.
+ */
+public class AzureKeyVaultAuthenticationProviderModule
+ extends VaultAuthenticationProviderModule {
+
+ /**
+ * Creates a new AzureKeyVaultAuthenticationiProviderModule which
+ * configures dependency injection for the Azure Key Vault authentication
+ * provider and related services.
+ *
+ * @throws GuacamoleException
+ * If configuration details in guacamole.properties cannot be parsed.
+ */
+ public AzureKeyVaultAuthenticationProviderModule() throws GuacamoleException {}
+
+ @Override
+ protected void configureVault() {
+
+ // Bind services specific to Azure Key Vault
+ bind(VaultConfigurationService.class).to(AzureKeyVaultConfigurationService.class);
+ bind(VaultSecretService.class).to(AzureKeyVaultSecretService.class);
+
+ // Bind ADAL credentials implementation required for authenticating
+ // against Azure
+ bind(KeyVaultCredentials.class).to(AzureKeyVaultCredentials.class);
+
+ }
+
+}
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultAuthenticationException.java b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultAuthenticationException.java
new file mode 100644
index 000000000..5cf92a1b6
--- /dev/null
+++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultAuthenticationException.java
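Review bot: The constructor Javadoc in AzureKeyVaultAuthenticationProviderModule.java misspells the class name as `AzureKeyVaultAuthenticationiProviderModule`; it should read `AzureKeyVaultAuthenticationProviderModule`. The constructor body is empty (`{}`), so the documented `GuacamoleException` can only come from the implicit superclass constructor, which is not visible in this hunk; if that is where parsing happens, the `@throws` text should say so, e.g. `If the base vault module cannot read its configuration from guacamole.properties.` `configureVault()` has no Javadoc of its own, and a one-line description of what the override is expected to bind would help the next vault implementation follow the same contract.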
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.vault.azure.conf;
+
+/**
+ * Unchecked exception thrown by AzureKeyVaultCredentials if an error occurs
+ * during the authentication process. Note that the base KeyVaultCredentials
+ * base class does not provide for checked exceptions within the authentication
+ * process.
+ *
+ * @see AzureKeyVaultCredentials#doAuthenticate(java.lang.String, java.lang.String, java.lang.String)
+ */
+public class AzureKeyVaultAuthenticationException extends RuntimeException {
+
+ /**
+ * Creates a new AzureKeyVaultAuthenticationException having the given
+ * human-readable message.
+ *
+ * @param message
+ * A human-readable message describing the error that occurred.
+ */
+ public AzureKeyVaultAuthenticationException(String message) {
+ super(message);
+ }
+
+ /**
+ * Creates a new AzureKeyVaultAuthenticationException having the given
+ * human-readable message and cause.
+ *
+ * @param message
+ * A human-readable message describing the error that occurred.
+ *
+ * @param cause
+ * The error that caused this exception.
+ */
+ public AzureKeyVaultAuthenticationException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+}
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultConfigurationService.java b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultConfigurationService.java
new file mode 100644
index 000000000..2be7bd1b0
--- /dev/null
+++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultConfigurationService.java
@@ -0,0 +1,135 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.vault.azure.conf;
+
+import com.google.inject.Inject;
+import com.google.inject.Singleton;
+import com.microsoft.aad.adal4j.ClientCredential;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.vault.conf.VaultConfigurationService;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.StringGuacamoleProperty;
+
+/**
+ * Service for retrieving configuration information regarding the Azure Key
+ * Vault authentication extension.
+ */
+@Singleton
+public class AzureKeyVaultConfigurationService extends VaultConfigurationService {
+
+ /**
+ * The Guacamole server environment.
+ */
+ @Inject
+ private Environment environment;
+
+ /**
+ * The name of the file which contains the JSON mapping of connection
+ * parameter token to Azure Key Vault secret name.
+ */
+ private static final String TOKEN_MAPPING_FILENAME = "azure-keyvault-token-mapping.json";
+
+ /**
+ * The URL of the Azure Key Vault that should be used to populate token
+ * values.
+ */
+ private static final StringGuacamoleProperty VAULT_URL = new StringGuacamoleProperty() {
+
+ @Override
+ public String getName() {
+ return "azure-keyvault-url";
+ }
+
+ };
+
+ /**
+ * The client ID that should be used to authenticate with Azure Key Vault
+ * using ADAL.
+ */
+ private static final StringGuacamoleProperty CLIENT_ID = new StringGuacamoleProperty() {
+
+ @Override
+ public String getName() {
+ return "azure-keyvault-client-id";
+ }
+
+ };
+
+ /**
+ * The client key that should be used to authenticate with Azure Key Vault
+ * using ADAL.
+ */
+ private static final StringGuacamoleProperty CLIENT_KEY = new StringGuacamoleProperty() {
+
+ @Override
+ public String getName() {
+ return "azure-keyvault-client-key";
+ }
+
+ };
+
+ /**
+ * Creates a new AzureKeyVaultConfigurationService which reads the token
+ * mapping from "azure-keyvault-token-mapping.json". The token mapping is
+ * a JSON file which lists each connection parameter token and the name of
+ * the secret from which the value for that token should be read.
+ */
+ public AzureKeyVaultConfigurationService() {
+ super(TOKEN_MAPPING_FILENAME);
+ }
+
+ /**
+ * Returns the base URL of the Azure Key Vault containing the secrets that
+ * should be retrieved to populate connection parameter tokens. The base
+ * URL is specified with the "azure-keyvault-url" property.
+ *
+ * @return
+ * The base URL of the Azure Key Vault.
+ *
+ * @throws GuacamoleException
+ * If the base URL is not specified within guacamole.properties.
+ */
+ public String getVaultURL() throws GuacamoleException {
+ return environment.getRequiredProperty(VAULT_URL);
+ }
+
+ /**
+ * Returns the credentials that should be used to authenticate with Azure
+ * Key Vault when retrieving secrets. Azure's "ADAL" authentication will be
+ * used, requiring a client ID and key. These values are specified with the
+ * "azure-keyvault-client-id" and "azure-keyvault-client-key" properties
+ * respectively.
+ *
+ * @return
+ * The credentials that should be used to authenticate with Azure Key
+ * Vault.
+ *
+ * @throws GuacamoleException
+ * If the client ID or key are not specified within
+ * guacamole.properties.
+ */
+ public ClientCredential getClientCredentials() throws GuacamoleException {
+ return new ClientCredential(
+ environment.getRequiredProperty(CLIENT_ID),
+ environment.getRequiredProperty(CLIENT_KEY)
+ );
+ }
+
+}
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultCredentials.java b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultCredentials.java
new file mode 100644
index 000000000..c69da5f1e
--- /dev/null
+++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/conf/AzureKeyVaultCredentials.java
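Review bot: `getClientCredentials()` reads `azure-keyvault-client-key` as an ordinary string property, so guacamole.properties now holds the credential that unlocks every secret in the vault, and the Javadoc does not say so. I would extend the method's Javadoc with a sentence such as `The client key grants access to the whole vault; guacamole.properties must be readable only by the account running Guacamole.` Separately, `getVaultURL()` returns the configured value unchecked; unless the SDK already enforces it, rejecting a value that does not start with `https://` would keep a configuration typo from sending the access token over cleartext.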
@@ -0,0 +1,115 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.vault.azure.conf; + +import com.google.inject.Inject; +import com.microsoft.aad.adal4j.AuthenticationContext; +import com.microsoft.aad.adal4j.AuthenticationResult; +import com.microsoft.aad.adal4j.ClientCredential; +import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials; +import java.net.MalformedURLException; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.Future; +import org.apache.guacamole.GuacamoleException; + +/** + * KeyVaultCredentials implementation which retrieves the required client ID + * and key from guacamole.properties. Note that KeyVaultCredentials as + * implemented in the Azure Java SDK is NOT THREADSAFE; it leverages a + * non-concurrent HashMap for authentication result caching and does not + * perform any synchronization. + */ +public class AzureKeyVaultCredentials extends KeyVaultCredentials { + + /** + * Service for retrieving configuration information. 
+ */ + @Inject + private AzureKeyVaultConfigurationService confService; + + /** + * {@inheritDoc} + * + * @throws AzureKeyVaultAuthenticationException + * If an error occurs preventing successful authentication. Note that + * this exception is unchecked. Uses of this class which need to be + * aware of errors in the authentication process must manually catch + * this exception. + */ + @Override + public String doAuthenticate(String authorization, String resource, + String scope) throws AzureKeyVaultAuthenticationException { + + // Read Azure credentials from guacamole.properties + ClientCredential credentials; + try { + credentials = confService.getClientCredentials(); + } + catch (GuacamoleException e) { + throw new AzureKeyVaultAuthenticationException("Azure " + + "credentials could not be read.", e); + } + + ExecutorService service = Executors.newFixedThreadPool(1); + try { + + // Attempt to aquire authentication token from Azure + AuthenticationContext context = new AuthenticationContext(authorization, false, service); + Future future = context.acquireToken(resource, credentials, null); + + // Wait for response + AuthenticationResult result = future.get(); + + // The semantics of a null return value are not documented, however + // example code provided with the Azure Java SDK demonstrates that + // a null check is required, albeit without explanation + if (result == null) + throw new AzureKeyVaultAuthenticationException( + "Authentication result from Azure was empty."); + + // Return authentication token from successful response + return result.getAccessToken(); + + } + + // Rethrow any errors which occur during the authentication process as + // AzureKeyVaultAuthenticationExceptions + catch (MalformedURLException e) { + throw new AzureKeyVaultAuthenticationException("Azure " + + "authentication URL is malformed.", e); + } + catch (InterruptedException e) { + throw new AzureKeyVaultAuthenticationException("Azure " + + "authentication process was interrupted.", 
e); + } + catch (ExecutionException e) { + throw new AzureKeyVaultAuthenticationException("Authentication " + + "against Azure failed.", e); + } + + finally { + service.shutdown(); + } + + } + +} diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/secret/AzureKeyVaultSecretService.java b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/secret/AzureKeyVaultSecretService.java new file mode 100644 index 000000000..ccbd6c9cc --- /dev/null +++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/java/org/apache/guacamole/auth/vault/azure/secret/AzureKeyVaultSecretService.java 
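Review bot: `new AuthenticationContext(authorization, false, service)` in `doAuthenticate()` passes `false` for ADAL4J's authority-validation argument, so the client ID and key from guacamole.properties are presented to whatever authority URL arrives in `authorization`, which, as I understand the SDK, is taken from the server's authentication challenge. Unless a deployment needs an authority that ADAL cannot validate, I would pass `true`, or at least compare the host of `authorization` with an expected login host before acquiring the token. Two smaller points in the same method: `future.get()` waits without a timeout, and the `InterruptedException` handler should restore the flag with `Thread.currentThread().interrupt();` before throwing.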
@@ -0,0 +1,99 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.vault.azure.secret; + +import com.google.inject.Inject; +import com.google.inject.Provider; +import com.google.inject.Singleton; +import com.microsoft.azure.keyvault.KeyVaultClient; +import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials; +import com.microsoft.azure.keyvault.models.SecretBundle; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.GuacamoleServerException; +import org.apache.guacamole.auth.vault.azure.conf.AzureKeyVaultAuthenticationException; +import org.apache.guacamole.auth.vault.azure.conf.AzureKeyVaultConfigurationService; +import org.apache.guacamole.auth.vault.secret.VaultSecretService; + +/** + * Service which retrieves secrets from Azure Key Vault. + */ +@Singleton +public class AzureKeyVaultSecretService implements VaultSecretService { + + /** + * Pattern which matches contiguous groups of characters which are not + * allowed within Azure Key Vault secret names. 
+ */ + private static final Pattern DISALLOWED_CHARACTERS = Pattern.compile("[^a-zA-Z0-9-]+"); + + /** + * Service for retrieving configuration information. + */ + @Inject + private AzureKeyVaultConfigurationService confService; + + /** + * Provider for Azure Key Vault credentials. + */ + @Inject + private Provider credentialProvider; + + /** + * {@inheritDoc} + * + *

Azure Key Vault allows strictly a-z, A-Z, 0-9, and "-". This + * implementation strips out all contiguous groups of characters which are + * not allowed by Azure Key Vault, replacing them with a single dash. + */ + @Override + public String canonicalize(String name) { + Matcher disallowed = DISALLOWED_CHARACTERS.matcher(name); + return disallowed.replaceAll("-"); + } + + @Override + public String getValue(String name) throws GuacamoleException { + + try { + + // Retrieve configuration information necessary for connecting to + // Azure Key Vault + String url = confService.getVaultURL(); + KeyVaultCredentials credentials = credentialProvider.get(); + + // Authenticate against Azure Key Vault + KeyVaultClient client = new KeyVaultClient(credentials); + + // Retrieve requested secret + SecretBundle secret = client.getSecret(url, name); + + // FIXME: STUB + return null; + + } + catch (AzureKeyVaultAuthenticationException e) { + throw new GuacamoleServerException("Unable to authenticate with Azure.", e); + } + + } + +} diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/resources/guac-manifest.json b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/resources/guac-manifest.json new file mode 100644 index 000000000..87e1b1165 --- /dev/null +++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-azure/src/main/resources/guac-manifest.json @@ -0,0 +1,16 @@ +{ + + "guacamoleVersion" : "1.4.0", + + "name" : "Azure Key Vault", + "namespace" : "azure-keyvault", + + "authProviders" : [ + "org.apache.guacamole.auth.vault.azure.AzureKeyVaultAuthenticationProvider" + ], + + "translations" : [ + "translations/en.json" + ] + +} diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/.ratignore b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/.ratignore new file mode 100644 index 000000000..e69de29bb 
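Review bot: `canonicalize()` is many-to-one: every run of disallowed characters becomes a single dash, so constructed inputs such as `a.b`, `a_b` and `a//b` all yield `a-b`. The token constants later in this patch indicate that usernames and connection names can be substituted into secret names; if those substituted values pass through this method (the calling code is outside this hunk), two different users could resolve to the same secret. I would state this in the Javadoc, e.g. `Distinct inputs may canonicalize to the same name; do not rely on canonicalized user-supplied values alone to separate secrets.`, and consider rejecting rather than rewriting values that originate from user-controlled tokens. `getValue()` also catches only `AzureKeyVaultAuthenticationException`, so any other runtime failure from `client.getSecret(url, name)` would propagate unwrapped.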
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/pom.xml b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/pom.xml new file mode 100644 index 000000000..d59754fe6 --- /dev/null +++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/pom.xml @@ -0,0 +1,70 @@ + + + + + 4.0.0 + org.apache.guacamole + guacamole-auth-vault-base + jar + guacamole-auth-vault-base + http://guacamole.apache.org/ + + + UTF-8 + + + + org.apache.guacamole + guacamole-auth-vault + 1.4.0 + ../../ + + + + + + + org.apache.guacamole + guacamole-ext + provided + + + + + com.fasterxml.jackson.core + jackson-databind + + + + + com.google.inject + guice + + + com.google.inject.extensions + guice-assistedinject + + + + + diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/VaultAuthenticationProvider.java b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/VaultAuthenticationProvider.java new file mode 100644 index 000000000..0b9126a67 --- /dev/null +++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/VaultAuthenticationProvider.java 
@@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.vault;
+
+import com.google.inject.Guice;
+import com.google.inject.Injector;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.vault.user.VaultUserContextFactory;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.UserContext;
+
+/**
+ * AuthenticationProvider implementation which automatically injects tokens
+ * containing the values of secrets retrieved from a vault.
+ */
+public abstract class VaultAuthenticationProvider
+ extends AbstractAuthenticationProvider {
+
+ /**
+ * Factory for creating instances of the relevant vault-specific
+ * UserContext implementation.
+ */
+ private final VaultUserContextFactory userContextFactory;
+
+ /**
+ * Creates a new VaultAuthenticationProvider which uses the given module to
+ * configure dependency injection.
+ *
+ * @param module
+ * The module to use to configure dependency injection.
+ */
+ protected VaultAuthenticationProvider(VaultAuthenticationProviderModule module) {
+ Injector injector = Guice.createInjector(module);
+ this.userContextFactory = injector.getInstance(VaultUserContextFactory.class);
+ }
+
+ @Override
+ public UserContext decorate(UserContext context,
+ AuthenticatedUser authenticatedUser, Credentials credentials)
+ throws GuacamoleException {
+ return userContextFactory.create(context);
+ }
+
+}
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/VaultAuthenticationProviderModule.java b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/VaultAuthenticationProviderModule.java
new file mode 100644
index 000000000..9e5ae7155
--- /dev/null
+++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/VaultAuthenticationProviderModule.java
@@ -0,0 +1,98 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.vault;
+
+import com.google.inject.AbstractModule;
+import com.google.inject.assistedinject.FactoryModuleBuilder;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.vault.user.VaultUserContext;
+import org.apache.guacamole.auth.vault.user.VaultUserContextFactory;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.environment.LocalEnvironment;
+import org.apache.guacamole.net.auth.UserContext;
+
+/**
+ * Guice module which configures injections specific to the base support for
+ * key vaults. When adding support for a key vault provider, a subclass
+ * specific to that vault implementation will need to be created.
+ *
+ * @see AzureKeyVaultAuthenticationProviderModule
+ */
+public abstract class VaultAuthenticationProviderModule extends AbstractModule {
+
+ /**
+ * Guacamole server environment.
+ */
+ private final Environment environment;
+
+ /**
+ * Creates a new VaultAuthenticationProviderModule which configures
+ * dependency injection for the Azure Key Vault authentication provider.
+ *
+ * @throws GuacamoleException
+ * If an error occurs while retrieving the Guacamole server
+ * environment.
+ */
+ public VaultAuthenticationProviderModule() throws GuacamoleException {
+ this.environment = LocalEnvironment.getInstance();
+ }
+
+ /**
+ * Configures injections for interfaces which are implementation-specific
+ * to the vault service in use. Subclasses MUST provide a version of this
+ * function which binds concrete implementations to the following
+ * interfaces:
+ *
+ * - VaultConfigurationService
+ * - VaultSecretService
+ *
+ * @see AzureKeyVaultAuthenticationProviderModule
+ */
+ protected abstract void configureVault();
+
+ /**
+ * Returns the instance of the Guacamole server environment which will be
+ * exposed to other classes via dependency injection.
+ *
+ * @return
+ * The instance of the Guacamole server environment which will be
+ * exposed via dependency injection.
+ */
+ protected Environment getEnvironment() {
+ return environment;
+ }
+
+ @Override
+ protected void configure() {
+
+ // Bind Guacamole server environment
+ bind(Environment.class).toInstance(environment);
+
+ // Bind factory for creating UserContexts
+ install(new FactoryModuleBuilder()
+ .implement(UserContext.class, VaultUserContext.class)
+ .build(VaultUserContextFactory.class));
+
+ // Bind all other implementation-specific interfaces
+ configureVault();
+
+ }
+
+}
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/conf/VaultConfigurationService.java b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/conf/VaultConfigurationService.java
new file mode 100644
index 000000000..9cafbd45f
--- /dev/null
+++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/conf/VaultConfigurationService.java
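Review bot: The Javadoc in this vendor-neutral base module still names Azure: the constructor comment says it configures dependency injection "for the Azure Key Vault authentication provider", and both `@see AzureKeyVaultAuthenticationProviderModule` tags point at a class that lives in a different Maven module, which this one presumably cannot resolve. I would reword the constructor summary to `configures dependency injection common to all vault authentication providers` and drop or replace the `@see` tags. The `configureVault()` comment could also say that implementations may bind further vendor-specific types, as the Azure module in this patch does with `KeyVaultCredentials`.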
@@ -0,0 +1,107 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.vault.conf; + +import com.fasterxml.jackson.core.type.TypeReference; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.google.inject.Inject; +import java.io.File; +import java.io.IOException; +import java.util.Map; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.GuacamoleServerException; +import org.apache.guacamole.auth.vault.VaultAuthenticationProviderModule; +import org.apache.guacamole.environment.Environment; + +/** + * Base class for services which retrieve key vault configuration information. + * A concrete implementation of this class must be defined and bound for key + * vault support to work. + * + * @see VaultAuthenticationProviderModule + */ +public abstract class VaultConfigurationService { + + /** + * The Guacamole server environment. + */ + @Inject + private Environment environment; + + /** + * ObjectMapper for deserializing JSON. + */ + private static final ObjectMapper mapper = new ObjectMapper(); + + /** + * The name of the file containing a JSON mapping of Guacamole parameter + * token to vault secret name. 
+ */ + private final String tokenMappingFilename; + + /** + * Creates a new VaultConfigurationService which retrieves the token/secret + * mapping from a JSON file having the given name. + * + * @param tokenMappingFilename + * The name of the JSON file containing the token/secret mapping. + */ + protected VaultConfigurationService(String tokenMappingFilename) { + this.tokenMappingFilename = tokenMappingFilename; + } + + /** + * Returns a mapping dictating the name of the secret which maps to each + * parameter token. In the returned mapping, the value of each entry is the + * name of the secret to use to populate the value of the parameter token, + * and the key of each entry is the name of the parameter token which + * should receive the value of the secret. + * + * The name of the secret may contain its own tokens, which will be + * substituted using values from the given filter. See the definition of + * VaultUserContext for the names of these tokens and the contexts in which + * they can be applied to secret names. + * + * @return + * A mapping dictating the name of the secret which maps to each + * parameter token. + * + * @throws GuacamoleException + * If the JSON file defining the token/secret mapping cannot be read. + */ + public Map getTokenMapping() throws GuacamoleException { + + // Get configuration file from GUACAMOLE_HOME + File confFile = new File(environment.getGuacamoleHome(), tokenMappingFilename); + + // Deserialize token mapping from JSON + try { + return mapper.readValue(confFile, new TypeReference>() {}); + } + + // Fail if JSON is invalid/unreadable + catch (IOException e) { + throw new GuacamoleServerException("Unable to read token mapping " + + "configuration file \"" + tokenMappingFilename + "\".", e); + } + + } + +} 
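Review bot: `getTokenMapping()` returns whatever `mapper.readValue(...)` produces, and Jackson yields `null` when the file's root value is the JSON literal `null`, so callers that iterate the mapping would fail with a NullPointerException instead of the documented GuacamoleException. I would assign the result to a local and add `if (mapping == null) throw new GuacamoleServerException("Token mapping file \"" + tokenMappingFilename + "\" is empty.");` before returning it. The Javadoc also refers to "the given filter" although the method takes no parameters, and it would help to state that the file is re-read on every call and that, because it decides which secret reaches which connection parameter, it should be writable only by administrators. The generic type arguments appear to have been lost in this rendering of the patch, so the declaration is not quoted here.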
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/secret/VaultSecretService.java b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/secret/VaultSecretService.java
new file mode 100644
index 000000000..49d0d9ce3
--- /dev/null
+++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/secret/VaultSecretService.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.vault.secret;
+
+import org.apache.guacamole.GuacamoleException;
+
+/**
+ * Generic service for retrieving the value of a secret stored in a vault.
+ */
+public interface VaultSecretService {
+
+ /**
+ * Translates an arbitrary string, which may contain characters not allowed
+ * by the vault implementation, into a string which is a valid secret name.
+ * The type of transformation performed on the string, if any, will depend
+ * on the specific requirements of the vault provider.
+ *
+ * NOTE: It is critical that this transformation is deterministic and
+ * reasonably predictable for users. If an implementation must apply a
+ * transformation to secret names, that transformation needs to be
+ * documented.
+ *
+ * @param name
+ * An arbitrary string intended for use as a secret name, but which may
+ * contain characters not allowed by the vault implementation.
+ *
+ * @return
+ * A name containing essentially the same content as the provided
+ * string, but transformed deterministically such that it is acceptable
+ * as a secret name by the vault provider.
+ */
+ String canonicalize(String name);
+
+ /**
+ * Returns the value of the secret having the given name. If no such
+ * secret exists, null is returned.
+ *
+ * @param name
+ * The name of the secret to retrieve.
+ *
+ * @return
+ * The value of the secret having the given name, or null if no such
+ * secret exists.
+ *
+ * @throws GuacamoleException
+ * If the secret cannot be retrieved due to an error.
+ */
+ String getValue(String name) throws GuacamoleException;
+
+}
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/user/VaultUserContext.java b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/user/VaultUserContext.java
new file mode 100644
index 000000000..13cb6d515
--- /dev/null
+++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/user/VaultUserContext.java
@@ -0,0 +1,281 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.vault.user; + +import com.google.inject.Inject; +import com.google.inject.assistedinject.Assisted; +import com.google.inject.assistedinject.AssistedInject; +import java.util.HashMap; +import java.util.Map; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.auth.vault.conf.VaultConfigurationService; +import org.apache.guacamole.net.auth.Connection; +import org.apache.guacamole.net.auth.ConnectionGroup; +import org.apache.guacamole.net.auth.TokenInjectingUserContext; +import org.apache.guacamole.net.auth.UserContext; +import org.apache.guacamole.auth.vault.secret.VaultSecretService; +import org.apache.guacamole.protocol.GuacamoleConfiguration; +import org.apache.guacamole.token.GuacamoleTokenUndefinedException; +import org.apache.guacamole.token.TokenFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * UserContext implementation which automatically injects tokens containing the + * values of secrets retrieved from a vault. + */ +public class VaultUserContext extends TokenInjectingUserContext { + + /** + * Logger for this class. 
+ */ + private final Logger logger = LoggerFactory.getLogger(VaultUserContext.class); + + /** + * The name of the token which will be replaced with the username of the + * current user if specified within the name of a secret. This token + * applies to both connections and connection groups. + */ + private static final String USERNAME_TOKEN = "GUAC_USERNAME"; + + /** + * The name of the token which will be replaced with the name of the + * current connection group if specified within the name of a secret. This + * token only applies only to connection groups. + */ + private static final String CONNECTION_GROUP_NAME_TOKEN = "CONNECTION_GROUP_NAME"; + + /** + * The name of the token which will be replaced with the identifier of the + * current connection group if specified within the name of a secret. This + * token only applies only to connection groups. + */ + private static final String CONNECTION_GROUP_IDENTIFIER_TOKEN = "CONNECTION_GROUP_ID"; + + /** + * The name of the token which will be replaced with the \"hostname\" + * connection parameter of the current connection if specified within the + * name of a secret. This token only applies only to connections. + */ + private static final String CONNECTION_HOSTNAME_TOKEN = "CONNECTION_HOSTNAME"; + + /** + * The name of the token which will be replaced with the \"username\" + * connection parameter of the current connection if specified within the + * name of a secret. This token only applies only to connections. + */ + private static final String CONNECTION_USERNAME_TOKEN = "CONNECTION_USERNAME"; + + /** + * The name of the token which will be replaced with the name of the + * current connection if specified within the name of a secret. This token + * only applies only to connections. + */ + private static final String CONNECTION_NAME_TOKEN = "CONNECTION_NAME"; + + /** + * The name of the token which will be replaced with the identifier of the + * current connection if specified within the name of a secret. 
This token + * only applies only to connections. + */ + private static final String CONNECTION_IDENTIFIER_TOKEN = "CONNECTION_ID"; + + /** + * Service for retrieving configuration information. + */ + @Inject + private VaultConfigurationService confService; + + /** + * Service for retrieving the values of secrets stored in a vault. + */ + @Inject + private VaultSecretService secretService; + + /** + * Creates a new VaultUserContext which automatically injects tokens + * containing values of secrets retrieved from a vault. The given + * UserContext is decorated such that connections and connection groups + * will receive additional tokens during the connection process. + * + * Note that this class depends on concrete implementations of the + * following classes to be provided via dependency injection: + * + * - VaultConfigurationService + * - VaultSecretService + * + * Bindings providing these concrete implementations will need to be + * provided by subclasses of VaultAuthenticationProviderModule for each + * supported vault. + * + * @param userContext + * The UserContext instance to decorate. + */ + @AssistedInject + public VaultUserContext(@Assisted UserContext userContext) { + super(userContext); + } + + /** + * Creates a new TokenFilter instance with token values set for all tokens + * which are not specific to connections or connection groups. Currently, + * this is only the username token ("GUAC_USERNAME"). + * + * @return + * A new TokenFilter instance with token values set for all tokens + * which are not specific to connections or connection groups. + */ + private TokenFilter createFilter() { + TokenFilter filter = new TokenFilter(); + filter.setToken(USERNAME_TOKEN, self().getIdentifier()); + return filter; + } + + /** + * Retrieve all applicable tokens and corresponding values from the vault, + * using the given TokenFilter to filter tokens within the secret names + * prior to retrieving those secrets. 
+ * + * @param tokenMapping + * The mapping dictating the name of the secret which maps to each + * parameter token, where the key is the name of the parameter token + * and the value is the name of the secret. The name of the secret + * may contain its own tokens, which will be substituted using values + * from the given filter. + * + * @param filter + * The filter to use to substitute values for tokens in the names of + * secrets to be retrieved from the vault. + * + * @return + * The tokens which should be added to the in-progress call to + * connect(). + * + * @throws GuacamoleException + * If the value for any applicable secret cannot be retrieved from the + * vault due to an error. + */ + private Map getTokens(Map tokenMapping, + TokenFilter filter) throws GuacamoleException { + + Map tokens = new HashMap<>(); + + // Populate map with tokens containing the values of all secrets + // indicated in the token mapping + for (Map.Entry entry : tokenMapping.entrySet()) { + + // Translate secret pattern into secret name, ignoring any + // secrets which cannot be translated + String secretName; + try { + secretName = secretService.canonicalize(filter.filterStrict(entry.getValue())); + } + catch (GuacamoleTokenUndefinedException e) { + logger.debug("Secret for token \"{}\" will not be retrieved. " + + "Token \"{}\" within mapped secret name has no " + + "defined value in the current context.", + entry.getKey(), e.getTokenName()); + continue; + } + + // If a value is defined for the secret in question, store that + // value under the mapped token + String tokenName = entry.getKey(); + String secretValue = secretService.getValue(secretName); + if (secretValue != null) { + tokens.put(tokenName, secretValue); + logger.debug("Token \"{}\" populated with value from " + + "secret \"{}\".", tokenName, secretName); + } + else + logger.debug("Token \"{}\" not populated. 
Mapped " + + "secret \"{}\" has no value.", + tokenName, secretName); + + } + + return tokens; + + } + + @Override + protected Map getTokens(ConnectionGroup connectionGroup) + throws GuacamoleException { + + String name = connectionGroup.getName(); + String identifier = connectionGroup.getIdentifier(); + logger.debug("Injecting tokens from vault for connection group " + + "\"{}\" (\"{}\").", identifier, name); + + // Add general and connection-group-specific tokens + TokenFilter filter = createFilter(); + filter.setToken(CONNECTION_GROUP_NAME_TOKEN, name); + filter.setToken(CONNECTION_GROUP_IDENTIFIER_TOKEN, identifier); + + // Substitute tokens producing secret names, retrieving and storing + // those secrets as parameter tokens + return getTokens(confService.getTokenMapping(), filter); + + } + + @Override + protected Map getTokens(Connection connection) + throws GuacamoleException { + + String name = connection.getName(); + String identifier = connection.getIdentifier(); + logger.debug("Injecting tokens from vault for connection \"{}\" " + + "(\"{}\").", identifier, name); + + // Add general and connection-specific tokens + TokenFilter filter = createFilter(); + filter.setToken(CONNECTION_NAME_TOKEN, connection.getName()); + filter.setToken(CONNECTION_IDENTIFIER_TOKEN, identifier); + + // Add hostname and username tokens if available (implementations are + // not required to expose connection configuration details) + + GuacamoleConfiguration config = connection.getConfiguration(); + + String hostname = config.getParameter("hostname"); + if (hostname != null) + filter.setToken(CONNECTION_HOSTNAME_TOKEN, hostname); + else + logger.debug("Hostname for connection \"{}\" (\"{}\") not " + + "available. 
\"{}\" token will not be populated in " + + "secret names.", identifier, name, + CONNECTION_HOSTNAME_TOKEN); + + String username = config.getParameter("username"); + if (username != null) + filter.setToken(CONNECTION_USERNAME_TOKEN, username); + else + logger.debug("Username for connection \"{}\" (\"{}\") not " + + "available. \"{}\" token will not be populated in " + + "secret names.", identifier, name, + CONNECTION_USERNAME_TOKEN); + + // Substitute tokens producing secret names, retrieving and storing + // those secrets as parameter tokens + return getTokens(confService.getTokenMapping(), filter); + + } + +} diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/user/VaultUserContextFactory.java b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/user/VaultUserContextFactory.java new file mode 100644 index 000000000..712d41a9b --- /dev/null +++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/java/org/apache/guacamole/auth/vault/user/VaultUserContextFactory.java 
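Review bot: In getTokens(Connection) and createFilter(), the secret name handed to `secretService.getValue()` is assembled from values that are not necessarily administrator-controlled: `connection.getName()`, the `hostname` and `username` connection parameters, and `self().getIdentifier()`. If the decorated UserContext allows non-admin users to create or edit connections (not visible in this patch), a mapping whose secret name includes CONNECTION_HOSTNAME, CONNECTION_USERNAME or CONNECTION_NAME lets that user influence which vault secret is resolved into their session. I would state this on the class Javadoc, e.g. `Secret name patterns using CONNECTION_* tokens are only safe where connection definitions are administrator-managed; the vault identity used here should be scoped to the secrets intended for injection.`, and consider validating the resolved name against a configured prefix before the lookup. Separately, the debug messages log secret names but never `secretValue`, which is the boundary to preserve in later changes, and `logger` would conventionally be `private static final`.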
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.vault.user;
+
+import org.apache.guacamole.net.auth.UserContext;
+
+/**
+ * Factory for creating UserContext instances which automatically inject tokens
+ * containing the values of secrets retrieved from a vault.
+ */
+public interface VaultUserContextFactory {
+
+ /**
+ * Returns a new instance of a UserContext implementation which
+ * automatically injects tokens containing values of secrets retrieved from
+ * a vault. The given UserContext is decorated such that connections and
+ * connection groups will receive additional tokens during the connection
+ * process.
+ *
+ * @param userContext
+ * The UserContext instance to decorate.
+ *
+ * @return
+ * A new UserContext instance which automatically injects tokens
+ * containing values of secrets retrieved from a vault.
+ */
+ UserContext create(UserContext userContext);
+
+}
diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/resources/translations/en.json b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/resources/translations/en.json
new file mode 100644
index 000000000..c96ec2821
--- /dev/null +++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-base/src/main/resources/translations/en.json @@ -0,0 +1,7 @@ +{ + + "DATA_SOURCE_AZURE_KEYVAULT" : { + "NAME" : "Azure Key Vault" + } + +} diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-dist/.ratignore b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-dist/.ratignore new file mode 100644 index 000000000..e69de29bb diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-dist/pom.xml b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-dist/pom.xml new file mode 100644 index 000000000..b239f28bf --- /dev/null +++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-dist/pom.xml @@ -0,0 +1,63 @@ + + + + + 4.0.0 + org.apache.guacamole + guacamole-auth-vault-dist + pom + guacamole-auth-vault-dist + http://guacamole.apache.org/ + + + UTF-8 + + + + org.apache.guacamole + guacamole-auth-vault + 1.4.0 + ../../ + + + + + + + org.apache.guacamole + guacamole-auth-vault-azure + 1.4.0 + + + + + + + + ${project.parent.artifactId}-${project.parent.version} + + + + diff --git a/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-dist/src/main/assembly/dist.xml b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-dist/src/main/assembly/dist.xml new file mode 100644 index 000000000..b0ea3b1f6 --- /dev/null +++ b/extensions/guacamole-auth-vault/modules/guacamole-auth-vault-dist/src/main/assembly/dist.xml @@ -0,0 +1,54 @@ + + + + + dist + ${project.parent.artifactId}-${project.parent.version} + + + + tar.gz + + + + + + + + azure + + org.apache.guacamole:guacamole-auth-vault-azure + + + + + + + + + + target/licenses + + + + diff --git a/extensions/guacamole-auth-vault/pom.xml b/extensions/guacamole-auth-vault/pom.xml new file mode 100644 index 000000000..a924af8b3 --- /dev/null +++ b/extensions/guacamole-auth-vault/pom.xml 
@@ -0,0 +1,67 @@ + + + + + 4.0.0 + org.apache.guacamole + guacamole-auth-vault + pom + 1.4.0 + guacamole-auth-vault + http://guacamole.apache.org/ + + + org.apache.guacamole + extensions + 1.4.0 + ../ + + + + + + modules/guacamole-auth-vault-dist + + + modules/guacamole-auth-vault-base + + + modules/guacamole-auth-vault-azure + + + + + + + + + org.apache.guacamole + guacamole-ext + 1.4.0 + provided + + + + + + diff --git a/extensions/pom.xml b/extensions/pom.xml index 938e7cc62..18e307e54 100644 --- a/extensions/pom.xml +++ b/extensions/pom.xml @@ -48,6 +48,7 @@ guacamole-auth-quickconnect guacamole-auth-sso guacamole-auth-totp + guacamole-auth-vault diff --git a/pom.xml b/pom.xml index bcfa885ad..2b9b1641f 100644 --- a/pom.xml +++ b/pom.xml @@ -209,8 +209,8 @@ 1.8 -Xlint:all - -Werror + true true @@ -382,6 +382,11 @@ jackson-dataformat-yaml ${jackson.version} + + com.fasterxml.jackson.datatype + jackson-datatype-joda + ${jackson.version} + com.fasterxml.jackson.module jackson-module-jaxb-annotations