From ff3d76c355bdabfab134225b5c9aab639ffb19e6 Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Mon, 2 Aug 2021 08:46:06 -0500
Subject: [PATCH 01/14] update diagram to introduce AS and token exchange

---
 sequence.mmd | 40 +++++++++++++++++++++++++++-------------
 1 file changed, 27 insertions(+), 13 deletions(-)

diff --git a/sequence.mmd b/sequence.mmd
index e98849b..87bb417 100644
--- a/sequence.mmd
+++ b/sequence.mmd
@@ -1,17 +1,31 @@
 sequenceDiagram
+  autonumber
+  participant WebID as User's WebID Document
+  participant OP as OpenID Provider
   participant RC as Resource Client
   participant RS as Resource Server
-  participant OP as OpenID Provider
-  participant WebID as User's WebID Document
-  RC ->> RS: 1. unauthenticated request
-  RS ->> RC: 2. 401 with a WWW-Authenticate HTTP header
-  RC ->> OP: 3. start Authorization Code grant
+  participant AS as Authorization Server
+  RC ->> RS: unauthenticated request
+  RS ->> RC: 401 with a WWW-Authenticate HTTP header
+  RC ->> OP: start Authorization Code grant
   OP ->> RC: return Authorization Code
-  RC ->> OP: 4. present Authorization Code and DPoP proof
-  OP ->> RC: 5. return DPoP bound Access Token and OIDC ID Token
-  RC ->> RS: 6. Access Token + DPoP proof
-  RS ->> WebID: 7. get WebID document to verify Issuer
-  WebID ->> RS: WebID document
-  RS ->> OP: 8. get OP's public key to verify Access Token (JWS)
-  OP ->> RS: JWKS
-  RS ->> RC: 9. if all checks pass respond with representation
+  RC ->> OP: present Authorization Code and DPoP proof
+  OP ->> RC: return DPoP bound OIDC ID Token
+  alt
+    RC ->> AS: request exchange of ID Token for Access Token
+  else
+    RC ->> AS: request exchange of ID Token for chainable Ticket
+    AS ->> RC: chainable Ticket
+    loop for each claim
+      RC ->> AS: exchange claim for chainable Ticket
+      AS ->> RC: chainable Ticket
+    end
+    RC ->> AS: exchange chainable Ticket for Access Token
+  end
+  AS ->> WebID: get WebID document to verify Issuer
+  WebID ->> AS: WebID document
+  AS ->> OP: get OP's public key to verify ID Token (JWS)
+  OP ->> AS: JWKS
+  AS ->> RC: if all checks issue Access Token
+  RC ->> RS: request with Access Token
+  RS ->> RC: representation

From a27a9053279ab4bd1113f2d934483e4859578cc9 Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Mon, 15 Nov 2021 07:46:49 -0600
Subject: [PATCH 02/14] updated sequence diagram to use UMA claims pushing

---
 sequence.mmd | 36 +++++++++++++-----------------------
 1 file changed, 13 insertions(+), 23 deletions(-)

diff --git a/sequence.mmd b/sequence.mmd
index 87bb417..1536694 100644
--- a/sequence.mmd
+++ b/sequence.mmd
@@ -1,31 +1,21 @@
 sequenceDiagram
   autonumber
-  participant WebID as User's WebID Document
+  participant WebID as End-User's WebID Document
   participant OP as OpenID Provider
-  participant RC as Resource Client
+  participant C as Client
   participant RS as Resource Server
   participant AS as Authorization Server
-  RC ->> RS: unauthenticated request
-  RS ->> RC: 401 with a WWW-Authenticate HTTP header
-  RC ->> OP: start Authorization Code grant
-  OP ->> RC: return Authorization Code
-  RC ->> OP: present Authorization Code and DPoP proof
-  OP ->> RC: return DPoP bound OIDC ID Token
-  alt
-    RC ->> AS: request exchange of ID Token for Access Token
-  else
-    RC ->> AS: request exchange of ID Token for chainable Ticket
-    AS ->> RC: chainable Ticket
-    loop for each claim
-      RC ->> AS: exchange claim for chainable Ticket
-      AS ->> RC: chainable Ticket
-    end
-    RC ->> AS: exchange chainable Ticket for Access Token
-  end
-  AS ->> WebID: get WebID document to verify Issuer
+  C ->> RS: unauthenticated request
+  RS ->> C: 401 with a WWW-Authenticate HTTP header
+  C ->> OP: start Authorization Code grant
+  OP ->> C: return Authorization Code
+  C ->> OP: present Authorization Code and DPoP proof
+  OP ->> C: return DPoP bound OIDC ID Token
+  C ->> AS: request Access Token and push solid Claim Token (including ID Token)
+  AS ->> WebID: get WebID document to verify OIDC Issuer
   WebID ->> AS: WebID document
   AS ->> OP: get OP's public key to verify ID Token (JWS)
   OP ->> AS: JWKS
-  AS ->> RC: if all checks issue Access Token
-  RC ->> RS: request with Access Token
-  RS ->> RC: representation
+  AS ->> C: if all checks pass issue Access Token
+  C ->> RS: request with Access Token
+  RS ->> C: representation

From df7f59837457a2a82d80ba98e9689c2e689a5f5b Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Mon, 15 Nov 2021 08:17:50 -0600
Subject: [PATCH 03/14] more detailed sequence diagram

---
 sequence.mmd | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/sequence.mmd b/sequence.mmd
index 1536694..8ac3944 100644
--- a/sequence.mmd
+++ b/sequence.mmd
@@ -1,5 +1,4 @@
 sequenceDiagram
-  autonumber
   participant WebID as End-User's WebID Document
   participant OP as OpenID Provider
   participant C as Client
@@ -7,15 +6,27 @@ sequenceDiagram
   participant AS as Authorization Server
   C ->> RS: unauthenticated request
   RS ->> C: 401 with a WWW-Authenticate HTTP header
+  Note over C: 👩 User provides their WebID ⌨️
+  C ->> WebID: get WebID document to discover OpenID Provider
+  WebID ->> C: WebID document
   C ->> OP: start Authorization Code grant
   OP ->> C: return Authorization Code
   C ->> OP: present Authorization Code and DPoP proof
   OP ->> C: return DPoP bound OIDC ID Token
+  Note over C: 👩 User is authenticated ✅
   C ->> AS: request Access Token and push solid Claim Token (including ID Token)
-  AS ->> WebID: get WebID document to verify OIDC Issuer
+  AS ->> WebID: get WebID document to verify OpenID Provider
   WebID ->> AS: WebID document
   AS ->> OP: get OP's public key to verify ID Token (JWS)
   OP ->> AS: JWKS
-  AS ->> C: if all checks pass issue Access Token
+  Note over AS: 👩 User is authenticated ✅
+  AS ->> C: provide Access Token
   C ->> RS: request with Access Token
+  alt Token introspection
+  RS ->> AS: token introspection request
+  AS ->> RS: token introspection response
+  else signed JWT
+    Note over RS, AS: Verify AS signature
+  end
+  Note over RS: 👩 User is authenticated ✅
   RS ->> C: representation

From 37fe9d570ad43b96445d0d7e936e12c3fda800f4 Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Sun, 21 Nov 2021 14:45:12 -0600
Subject: [PATCH 04/14] added Client ID Document to sequence diagram

---
 sequence.mmd | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/sequence.mmd b/sequence.mmd
index 8ac3944..97c0b36 100644
--- a/sequence.mmd
+++ b/sequence.mmd
@@ -1,17 +1,22 @@
 sequenceDiagram
-  participant WebID as End-User's WebID Document
-  participant OP as OpenID Provider
-  participant C as Client
-  participant RS as Resource Server
-  participant AS as Authorization Server
+  participant WebID as 👩 End-User's WebID Document
+  participant OP as 👩 OpenID Provider
+  participant ClientID as ⚙️ Client's ID Document
+  participant C as ⚙️ Client
+  participant RS as ☁️ Resource Server
+  participant AS as ☁️ Authorization Server
   C ->> RS: unauthenticated request
   RS ->> C: 401 with a WWW-Authenticate HTTP header
   Note over C: 👩 User provides their WebID ⌨️
   C ->> WebID: get WebID document to discover OpenID Provider
   WebID ->> C: WebID document
   C ->> OP: start Authorization Code grant
+  OP->> ClientID: get Client ID document
+  ClientID->> OP: ClientID document
+  Note over OP: compare redirect_uri
   OP ->> C: return Authorization Code
   C ->> OP: present Authorization Code and DPoP proof
+  Note over OP:  ⚙️ Client is authenticated ✅
   OP ->> C: return DPoP bound OIDC ID Token
   Note over C: 👩 User is authenticated ✅
   C ->> AS: request Access Token and push solid Claim Token (including ID Token)
@@ -19,7 +24,7 @@ sequenceDiagram
   WebID ->> AS: WebID document
   AS ->> OP: get OP's public key to verify ID Token (JWS)
   OP ->> AS: JWKS
-  Note over AS: 👩 User is authenticated ✅
+  Note over AS: 👩 User and ⚙️ Client are authenticated ✅
   AS ->> C: provide Access Token
   C ->> RS: request with Access Token
   alt Token introspection
@@ -28,5 +33,5 @@ sequenceDiagram
   else signed JWT
     Note over RS, AS: Verify AS signature
   end
-  Note over RS: 👩 User is authenticated ✅
+  Note over RS: 👩 User and ⚙️ Client are authenticated ✅
   RS ->> C: representation

From d07100df6085f5b41ebfe4b6baa0c1350be1228d Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Sun, 21 Nov 2021 14:54:05 -0600
Subject: [PATCH 05/14] replaced basic flow details with reference to the
 primer

---
 index.bs | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/index.bs b/index.bs
index 6a8403c..4247598 100644
--- a/index.bs
+++ b/index.bs
@@ -142,23 +142,11 @@ Solid and are used as a primary identifier for Users in this specification.
 
 *This section is non-normative*
 
-The basic authentication and authorization flow is as follows:
-
-1. The Client requests a non-public resource from the RS.
-2. The RS returns a 401 with a `WWW-Authenticate` HTTP header containing parameters that inform the
-    Client that a DPoP-bound Access Token is required.
-3. The Client presents its Client Identifier and the associated Secret, if any, to the IdP and requests an
-    Authorization Code.
-4. If granted, the Client presents the Authorization Code and a DPoP proof, to the Token Endpoint.
-5. The Token Endpoint returns a DPoP-bound Access Token and OIDC ID Token, to the Client.
-6. The Client presents the DPoP-bound Access Token and DPoP proof, to the RS.
-7. The RS gets user's WebID Document and check for designated OIDC issuers
-8. The RS gets the public key from the IdP and uses it to validate the signature on the DPoP-bound Access Token (JWS).
-9. If IdP is designated by the user and Access Token is valid, then the RS returns the requested resource.
+Details of the flow are available in [[!Solid.OIDC.Primer]]
 
 <figure id="fig-signature">
     <img src="sequence.mmd.svg" />
-    <figcaption>Basic sequence of authentication and authorization as described above.</figcaption>
+    <figcaption>Basic sequence of authenticating the user and the client.</figcaption>
 </figure>
 
 # Client Identifiers # {#clientids}
@@ -559,6 +547,16 @@ Verborgh, Ricky White, Paul Worrall, Dmitri Zagidulin.
         "title": "Solid Protocol",
         "publisher": "W3C Solid Community Group"
     },
+    "Solid.OIDC.Primer": {
+        "authors": [
+            "Jackson Morgan",
+            "Aaron Coburn",
+            "Matthieu Bosquet"
+        ],
+        "href": "https://solid.github.io/solid-oidc/primer/",
+        "title": "Solid-OIDC Primer",
+        "publisher": "W3C Solid Community Group"
+    },
     "WebID": {
         "authors": [
             "Andrei Sambra",

From 7997d64bd181559c855514d3b2b19dc0169a5d1a Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Sun, 21 Nov 2021 15:14:23 -0600
Subject: [PATCH 06/14] removed Access Token

---
 index.bs | 100 ++++++++++++++++++++++---------------------------------
 1 file changed, 40 insertions(+), 60 deletions(-)

diff --git a/index.bs b/index.bs
index 4247598..c7622f6 100644
--- a/index.bs
+++ b/index.bs
@@ -60,7 +60,7 @@ that additional functionality is required.
 
 The additional functionality documented herein aims to address:
 
-1. Resource servers having no existing trust relationship with identity providers.
+1. Resource servers and their Authorization servers having no existing trust relationship with identity providers.
 2. Ephemeral Clients as a first-order use-case.
 
 ## Out of Scope ## {#intro-out-of-scope}
@@ -302,58 +302,35 @@ Assuming one of the following options
  - Client ID and Secret, and valid DPoP Proof (for dynamic and static registration)
  - Dereferencable Client Identifier with a proper Client ID Document and valid DPoP Proof (for a Solid client identifier)
 
-the IdP MUST return two tokens to the Client:
+the IdP MUST return A DPoP-bound OIDC ID Token.
 
-1. A DPoP-bound Access Token
-2. An OIDC ID Token
+## DPoP-bound OIDC ID Token ## {#tokens-id}
 
-## DPoP-bound Access Token ## {#tokens-access}
-
-The DPoP-bound Access Token MUST be a valid JWT. See also: [[!RFC7519]].
-
-When requesting a DPoP-bound Access Token, the Client MUST send a DPoP proof JWT
+When requesting a DPoP-bound OIDC ID Token, the Client MUST send a DPoP proof JWT
 that is valid according to the [[DPOP#section-5]]. The DPoP proof JWT is used to
-bind the access token to a public key. See also: [[!DPOP]].
+bind the OIDC ID Token to a public key. See also: [[!DPOP]].
 
-With the `webid` scope, the DPoP-bound Access Token payload MUST contain these claims:
+With the `webid` scope, the DPoP-bound OIDC ID Token payload MUST contain these claims:
  * `webid` — The WebID claim MUST be the user's WebID.
  * `iss` — The issuer claim MUST be a valid URL of the IdP
     instantiating this token.
- * `aud` — The audience claim MUST either be the string `solid` or be an array
-    of values, one of which is the string `solid`. In the decentralized world
-    of Solid OIDC, the principal of an access token is not a specific endpoint,
-    but rather the Solid API; that is, any Solid server at any accessible address
+ * `aud` — The audience claim MUST an array of values,
+    one of which is the ClientID claim is used to identify the client.
+    (See also: [section 5. Client Identifiers](#clientids)).
+    another one is the string `solid`.
+    In the decentralized world
+    of Solid OIDC, the audience of ID TOken is not only the client,
+    but rather the Solid Authorization Server;
+    that is, any Solid Authorization Server at any accessible address
     on the world wide web. See also: [[RFC7519#section-4.1.3]].
+ * `azp` - The ClientID claim is used to identify the client.
+    (See also: [section 5. Client Identifiers](#clientids)).
  * `iat` — The issued-at claim is the time at which the DPoP-bound
-    Access Token was issued.
+    OIDC ID Token was issued.
  * `exp` — The expiration claim is the time at which the DPoP-bound
-    Access Token becomes invalid.
+    OIDC ID Token becomes invalid.
  * `cnf` — The confirmation claim is used to identify the DPoP Public
-    Key bound to the Access Token. See also: [[DPOP#section-7]].
- * `client_id` - The ClientID claim is used to identify the client. See also:
-    [section 5. Client Identifiers](#clientids).
-
-<div class="example">
-    <p>An example DPoP-bound Access Token:
-
-    <pre highlight="json">
-    {
-        "webid": "https://janedoe.com/web#id",
-        "iss": "https://idp.example.com",
-        "aud": "solid",
-        "iat": 1541493724,
-        "exp": 1573029723,
-        "cnf":{
-          "jkt":"0ZcOCORZNYy-DWpqq30jZyJGHTN0d2HglBV3uiguA4I"
-        },
-        "client_id": "https://client.example.com/web#id"
-    }
-    </pre>
-</div>
-
-## OIDC ID Token ## {#tokens-id}
-
-When requesting the `webid` scope, the user's WebID MUST be present in the ID Token as the `webid` claim.
+    Key bound to the OIDC ID Token. See also: [[DPOP#section-7]].
 
 <div class="example">
     <p>An example OIDC ID Token:
@@ -363,10 +340,13 @@ When requesting the `webid` scope, the user's WebID MUST be present in the ID To
             "webid": "https://janedoe.com/web#id",
             "iss": "https://idp.example.com",
             "sub": "janedoe",
-            "aud": "https://client.example.com/web#id",
-            "nonce": "n-0S6_WzA2Mj",
-            "exp": 1311281970,
+            "aud": ["https://client.example.com/web#id", "solid"],
+            "azp": "https://client.example.com/web#id",
             "iat": 1311280970,
+            "exp": 1311281970,
+            "cnf":{
+              "jkt":"0ZcOCORZNYy-DWpqq30jZyJGHTN0d2HglBV3uiguA4I"
+            },
         }
     </pre>
 </div>
@@ -377,23 +357,23 @@ When requesting the `webid` scope, the user's WebID MUST be present in the ID To
 
 A DPoP Proof that is valid according to
 [DPoP Internet-Draft, Section 4.3](https://tools.ietf.org/html/draft-ietf-oauth-dpop-04#section-4.3),
-MUST be present when a DPoP-bound Access Token is used.
+MUST be present when a DPoP-bound OIDC ID Token is used.
 
-## Access Token Validation ## {#resource-access-validation}
+## OIDC ID Token Validation ## {#resource-access-validation}
 
-The DPoP-bound Access Token MUST be validated according to
+The DPoP-bound OIDC ID Token MUST be validated according to
 [DPoP Internet-Draft, Section 6](https://tools.ietf.org/html/draft-ietf-oauth-dpop-04#section-6),
-but the RS MAY perform additional verification in order to determine whether to grant access to the
+but the AS MAY perform additional verification in order to determine whether to grant access to the
 requested resource.
 
 The user's WebID in the `webid` claim MUST be dereferenced and checked against the `iss` claim in the
-Access Token. If the `iss` claim is different from the domain of the WebID, then the RS MUST check
+OIDC ID Token. If the `iss` claim is different from the domain of the WebID, then the AS MUST check
 the WebID document for the existence of a statement matching `?webid <http://www.w3.org/ns/solid/terms#oidcIssuer> ?iss.`,
 where `?webid` and `?iss` are the values of the `webid` and `iss` claims respectively.
-This prevents a malicious identity provider from issuing valid Access Tokens for arbitrary WebIDs.
+This prevents a malicious identity provider from issuing valid OIDC ID Tokens for arbitrary WebIDs.
 
-Unless the RS acquires IdP keys through some other means, or the RS chooses to reject tokens issued by this IdP,
-the RS MUST follow OpenID Connect Discovery 1.0 [[!OIDC.Discovery]] to find an IdP's signing keys (JWK).
+Unless the AS acquires IdP keys through some other means, or the AS chooses to reject tokens issued by this IdP,
+the AS MUST follow OpenID Connect Discovery 1.0 [[!OIDC.Discovery]] to find an IdP's signing keys (JWK).
 
 ### WebID Issuer Discovery via Link Headers ### {#webid-issuer-discovery}
 
@@ -445,7 +425,7 @@ All tokens, Client, and User credentials MUST only be transmitted over TLS.
 
 ## Client IDs ## {#security-client-ids}
 
-An RS SHOULD assign a fixed set of low trust policies to any client identified as anonymous.
+An AS SHOULD assign a fixed set of low trust policies to any client identified as anonymous.
 
 Implementors SHOULD expire ephemeral Client IDs that are kept in server storage to mitigate the
 potential for a bad actor to fill server storage with unexpired or otherwise useless Client IDs.
@@ -464,15 +444,15 @@ among other factors, are what makes Client trust challenging.
 
 # Privacy Considerations # {#privacy}
 
-## Access Token Reuse ## {#privacy-token-reuse}
+## OIDC ID Token Reuse ## {#privacy-token-reuse}
 
 *This section is non-normative*
 
-With JWTs being extendable by design, there is potential for a privacy breach if Access Tokens get
-reused across multiple resource servers. It is not unimaginable that a custom claim is added to the
-Access Token on instantiation. This addition may unintentionally give other resource servers
-consuming the Access Token information about the user that they may not wish to share outside of the
-intended RS.
+With JWTs being extendable by design, there is potential for a privacy breach if OIDC ID Tokens get
+reused across multiple authorization servers. It is not unimaginable that a custom claim is added to the
+OIDC ID Token on instantiation. This addition may unintentionally give other authorization servers
+consuming the OIDC ID Token information about the user that they may not wish to share outside of the
+intended AS.
 
 # Acknowledgments # {#acknowledgments}
 

From a5a966c7342da01a57bfb316e5533ea7d82fd245 Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Mon, 13 Dec 2021 15:07:09 -0600
Subject: [PATCH 07/14] initial primer update introducing AS

---
 .gitignore                |   1 +
 primer/index.bs           | 217 +++++++++++++++++++++-----------------
 primer/primer-login.mmd   |  57 +++++-----
 primer/primer-request.mmd |  45 +++++---
 4 files changed, 176 insertions(+), 144 deletions(-)

diff --git a/.gitignore b/.gitignore
index 394b17a..edc7bac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 *.html
 *.mmd.svg
 publish
+node_modules
diff --git a/primer/index.bs b/primer/index.bs
index 7264a82..2404cd1 100644
--- a/primer/index.bs
+++ b/primer/index.bs
@@ -505,61 +505,16 @@ Our JWK thumbprint looks more like:
 9XmwK8mQ3H5-PnzAt3lFHzWBW_v5QhYynezbbit4kC8
 ```
 
-<h4 id="authorization-code-pkce-flow-step-18" class="no-num">18. Generates access token</h4>
-
-The OP generates an access token. To do so it constructs a JSON Web Token and signs it using
-its own keys. The access token could look like (remember you can decode it using
-[https://jwt.io](https://jwt.io/#debugger-io?token=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJodHRwczovL2FsaWNlLmNvb2xwb2QuZXhhbXBsZS9wcm9maWxlL2NhcmQjbWUiLCJ3ZWJpZCI6Imh0dHBzOi8vYWxpY2UuY29vbHBvZC5leGFtcGxlL3Byb2ZpbGUvY2FyZCNtZSIsImlzcyI6Imh0dHBzOi8vc2VjdXJlYXV0aC5leGFtcGxlIiwiYXVkIjoic29saWQiLCJjbmYiOnsiamt0IjoiOVhtd0s4bVEzSDUtUG56QXQzbEZIeldCV192NVFoWXluZXpiYml0NGtDOCJ9LCJjbGllbnRfaWQiOiJodHRwczovL2RlY2VudHBob3Rvcy5leGFtcGxlL3dlYmlkI3RoaXMiLCJqdGkiOiJmZDBhMTM1My0yNWYzLTRjN2UtOGY4Yi1jMTQyNjRmMWMxMmUiLCJpYXQiOjE2MDMzODUyNjEsImV4cCI6MTYwMzM4NTg2MX0.HIIYiovILPvsdkD3s3xomR1MkA_Ir8Mx_C-eHxbWEnw9Z2rv2rOWbvMPZ--BqH3qVSupgYTZZsTDbZXA8giCLA)):
-
-```text
-eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJodHRwczovL2FsaWNlLmNvb2xwb2QuZXhhbXBsZS9wcm9maWxlL2NhcmQjbWUiLCJ3ZWJpZCI6Imh0dHBzOi8vYWxpY2UuY29vbHBvZC5leGFtcGxlL3Byb2ZpbGUvY2FyZCNtZSIsImlzcyI6Imh0dHBzOi8vc2VjdXJlYXV0aC5leGFtcGxlIiwiYXVkIjoic29saWQiLCJjbmYiOnsiamt0IjoiOVhtd0s4bVEzSDUtUG56QXQzbEZIeldCV192NVFoWXluZXpiYml0NGtDOCJ9LCJjbGllbnRfaWQiOiJodHRwczovL2RlY2VudHBob3Rvcy5leGFtcGxlL3dlYmlkI3RoaXMiLCJqdGkiOiJmZDBhMTM1My0yNWYzLTRjN2UtOGY4Yi1jMTQyNjRmMWMxMmUiLCJpYXQiOjE2MDMzODUyNjEsImV4cCI6MTYwMzM4NTg2MX0.HIIYiovILPvsdkD3s3xomR1MkA_Ir8Mx_C-eHxbWEnw9Z2rv2rOWbvMPZ--BqH3qVSupgYTZZsTDbZXA8giCLA
-```
-
-Token Header:
-```json
-{
-    "alg": "ES256",
-    "typ": "JWT"
-}
-```
-
- - `"alg": "ES256"`: indicates the token was signed using eliptic curve
- - `"typ": "JWT"`: indicates that this is a JSON web token
-
-Token Body:
-```json
-{
-    "webid": "https://alice.coolpod.example/profile/card#me",
-    "iss": "https://secureauth.example",
-    "aud": "solid",
-    "cnf": {
-        "jkt": "9XmwK8mQ3H5-PnzAt3lFHzWBW_v5QhYynezbbit4kC8"
-    },
-    "client_id": "https://decentphotos.example/webid#this",
-    "jti": "fd0a1353-25f3-4c7e-8f8b-c14264f1c12e",
-    "iat": 1603385261,
-    "exp": 1603385861
-}
-```
-
-- `"webid": "https://alice.coolpod.example/profile/card#me"`: The WebId of the user that
-    logged in
-- `"iss": "https://secureauth.example"`: The OP that was used to generate this token
-- `"aud": "solid"`: The token's audience. Because DPoP handles scoping the audience in all
-    practical senses, the audience for a solid token is simply "solid."
-- `"cnf": { "jkt": "9XmwK8mQ3H5-PnzAt3lFHzWBW_v5QhYynezbbit4kC8" }`: The jwk thrumbprint must
-    be embedded in an object on the field "jkt"
-- `"client_id": "https://decentphotos.example/webid#this"`: The client id of the application
-- `"iat": 1603370641`: The date the token was issued, in this case October 22, 2020 8:44:01
-- `"exp": 1603371241`: The token's expiration date, in this case October 22, 2020 8:54:01
-
 <h4 id="authorization-code-pkce-flow-step-19" class="no-num">19. Generates the id_token</h4>
 
-If `openid` was listed as a scope during the authorization request, the OP generates an id
-token. The id token is not used to access anything. It is simply to communicate information to
-the client. This token is a [JSON Web Token](https://jwt.io/introduction/). It would look like
+Since `openid` was listed as a scope during the authorization request, the OP generates an id
+token. The id token will be pushed as claim to any Solid Authorization Server needed, which clients want to get Access Token from.
+This token is a [JSON Web Token](https://jwt.io/introduction/). It would look like
 the following (you can decrypt the token with [https://jwt.io](https://jwt.io/#debugger-io?token=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJodHRwczovL2FsaWNlLmNvb2xwb2QuZXhhbXBsZS9wcm9maWxlL2NhcmQjbWUiLCJhdWQiOiJodHRwczovL2RlY2VudHBob3Rvcy5leGFtcGxlL3dlYmlkI3RoaXMiLCJ3ZWJpZCI6Imh0dHBzOi8vYWxpY2UuY29vbHBvZC5leGFtcGxlL3Byb2ZpbGUvY2FyZCNtZSIsImlzcyI6Imh0dHBzOi8vc2VjdXJlYXV0aC5leGFtcGxlIiwianRpIjoiODQ0YTA5NWMtOWNkYi00N2U1LTk1MTAtMWRiYTk4N2MwYTVmIiwiaWF0IjoxNjAzMzg2NDQ4LCJleHAiOjE2MDMzODcwNDh9.T306vT8dmn9gQIMEdG92AM4WRnrhqWZTfDpovwqZ6Zn0mK9yxj0iOVGqXD4CW8-tzDTitNwEGorAo85atL0Oeg)):
 
+
+Issue: encoded token needs to be updated
+
 ```text
 eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJodHRwczovL2FsaWNlLmNvb2xwb2QuZXhhbXBsZS9wcm9maWxlL2NhcmQjbWUiLCJhdWQiOiJodHRwczovL2RlY2VudHBob3Rvcy5leGFtcGxlL3dlYmlkI3RoaXMiLCJ3ZWJpZCI6Imh0dHBzOi8vYWxpY2UuY29vbHBvZC5leGFtcGxlL3Byb2ZpbGUvY2FyZCNtZSIsImlzcyI6Imh0dHBzOi8vc2VjdXJlYXV0aC5leGFtcGxlIiwianRpIjoiODQ0YTA5NWMtOWNkYi00N2U1LTk1MTAtMWRiYTk4N2MwYTVmIiwiaWF0IjoxNjAzMzg2NDQ4LCJleHAiOjE2MDMzODcwNDh9.T306vT8dmn9gQIMEdG92AM4WRnrhqWZTfDpovwqZ6Zn0mK9yxj0iOVGqXD4CW8-tzDTitNwEGorAo85atL0Oeg
 ```
@@ -579,19 +534,26 @@ Token Body:
 ```json
 {
     "sub": "https://alice.coolpod.example/profile/card#me",
-    "aud": "https://decentphotos.example/webid#this",
+    "aud": [ "solid", "https://decentphotos.example/webid#this"],
+    "azp": "https://decentphotos.example/webid#this"
     "webid": "https://alice.coolpod.example/profile/card#me",
     "iss": "https://secureauth.example",
     "jti": "844a095c-9cdb-47e5-9510-1dba987c0a5f",
     "iat": 1603370641,
-    "exp": 1603371241
+    "exp": 1603371241,
+    "cnf": {
+        "jkt": "9XmwK8mQ3H5-PnzAt3lFHzWBW_v5QhYynezbbit4kC8"
+    },
 }
 ```
 
 - `"sub": "https://alice.coolpod.example/profile/card#me"`: The subject claim. It must
     be the same as the authenticated user's WebID.
 - `"aud": "https://decentphotos.example/webid#this"`: The token's audience. Because an
-    id_token is intended for the client, its audience is the client id.
+    id_token is intended for the client and any Solid Authorization Server,
+    its audience is the client id and the string "solid".
+- `"azp": "https://decentphotos.example/webid#this"`: The token's authorized party. Because an
+    id_token is intended to be used by the client, its authorized party is the client id.
 - `"webid": "https://alice.coolpod.example/profile/card#me"`: The WebID of the user that
     logged in
 - `"iss": "https://secureauth.example"`: The OP that was used to generate this token
@@ -599,6 +561,8 @@ Token Body:
     for this token that can be used to prevent replay attacks.
 - `"iat": 1603370641`: The date the token was issued, in this case October 22, 2020 8:44:01
 - `"exp": 1603371241`: The token's expiration date, in this case October 22, 2020 8:54:01
+- `"cnf": { "jkt": "9XmwK8mQ3H5-PnzAt3lFHzWBW_v5QhYynezbbit4kC8" }`: The jwk thrumbprint must
+    be embedded in an object on the field "jkt"
 
 <h4 id="authorization-code-pkce-flow-step-20" class="no-num">20. Generates refresh token</h4>
 
@@ -636,20 +600,12 @@ a response with the tokens in the body:
 Response (content-type: application/json)
 ```json
 {
-    "access_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJodHRwczovL2FsaWNlLmNvb2xwb2QuZXhhbXBsZS9wcm9maWxlL2NhcmQjbWUiLCJ3ZWJpZCI6Imh0dHBzOi8vYWxpY2UuY29vbHBvZC5leGFtcGxlL3Byb2ZpbGUvY2FyZCNtZSIsImlzcyI6Imh0dHBzOi8vc2VjdXJlYXV0aC5leGFtcGxlIiwiYXVkIjoic29saWQiLCJjbmYiOnsiamt0IjoiOVhtd0s4bVEzSDUtUG56QXQzbEZIeldCV192NVFoWXluZXpiYml0NGtDOCJ9LCJjbGllbnRfaWQiOiJodHRwczovL2RlY2VudHBob3Rvcy5leGFtcGxlL3dlYmlkI3RoaXMiLCJqdGkiOiJmZDBhMTM1My0yNWYzLTRjN2UtOGY4Yi1jMTQyNjRmMWMxMmUiLCJpYXQiOjE2MDMzODUyNjEsImV4cCI6MTYwMzM4NTg2MX0.HIIYiovILPvsdkD3s3xomR1MkA_Ir8Mx_C-eHxbWEnw9Z2rv2rOWbvMPZ--BqH3qVSupgYTZZsTDbZXA8giCLA",
-    "expires_in": 300,
-    "token_type": "DPoP",
     "id_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJodHRwczovL2FsaWNlLmNvb2xwb2QuZXhhbXBsZS9wcm9maWxlL2NhcmQjbWUiLCJhdWQiOiJodHRwczovL2RlY2VudHBob3Rvcy5leGFtcGxlL3dlYmlkI3RoaXMiLCJ3ZWJpZCI6Imh0dHBzOi8vYWxpY2UuY29vbHBvZC5leGFtcGxlL3Byb2ZpbGUvY2FyZCNtZSIsImlzcyI6Imh0dHBzOi8vc2VjdXJlYXV0aC5leGFtcGxlIiwianRpIjoiODQ0YTA5NWMtOWNkYi00N2U1LTk1MTAtMWRiYTk4N2MwYTVmIiwiaWF0IjoxNjAzMzg2NDQ4LCJleHAiOjE2MDMzODcwNDh9.T306vT8dmn9gQIMEdG92AM4WRnrhqWZTfDpovwqZ6Zn0mK9yxj0iOVGqXD4CW8-tzDTitNwEGorAo85atL0Oeg",
     "refresh_token": "eyJhbGciOiJub25lIn0.eyJqdGkiOiJhNzhiNDllZi03MWM1LTQ5ODUtYTUwYy01ZWYzYWVmMGZkOGYifQ.",
     "scope": "openid webid offline_access"
 }
 ```
 
-- `access_token": "eyJhbGciOiJ..."`: The access token we generated. The client will use this
-    to authenticate with the server.
-- `"expires_in":	300`: Tells the client that the access token will expire in 300 seconds (5
-    minutes)
-- `"token_type":	"DPoP"`: Tells the client that the token type is DPoP
 - `"id_token": "eyJhbGciOiJFU..."`: The id token we generated. The client will use this to
     extract information like the user's WebId.
 - `"refresh_token":	"eyJhbGciOiJ..."`: The refresh token. The client will use this to get a
@@ -660,16 +616,53 @@ Response (content-type: application/json)
 
 <img src="primer-request.mmd.svg" width="980" />
 
-<h4 id="request-flow-step-1" class="no-num">1. An AJAX request is initiated</h4>
 
 In this example, Alice has logged into `https://decentphotos.example` and has completed the
 authentication steps above. She wants to make a request to Bob's Pod to get a photo album
 information at `https://bob.otherpod.example/private/photo_album.ttl`. Bob has previously
 granted access to Alice but has not granted access to anyone else.
 
+<h4 id="request-flow-step-1" class="no-num">1. Discover Authorization Server</h4>
+
+Client can discover Authorization Server by making request to the resource
+
+Request:
+```http
+GET https://bob.otherpod.example/private/photo_album.ttl
+```
+
+Response:
+```http
+HTTP/1.1 401 Unauthorized
+WWW-Authenticate: UMA realm="example",
+  as_uri="https://auth.otherpod.example",
+  ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de"
+```
+
+<h4 id="request-flow-step-1" class="no-num">1. Discover Token Endpoint</h4>
+
+Knowing Authorization Server now client can discover its Token Endpoint ([[!RFC8414]])
+
+Request:
+```http
+GET https://auth.otherpod.example/.well-known/uma2-configuration
+```
+
+Response:
+```json
+{
+    "issuer": "https://auth.otherpod.example",
+    "token_endpoint": "https://auth.otherpod.example/token",
+    "grant_types_supported": [
+        "urn:ietf:params:oauth:grant-type:uma-ticket"
+    ]
+    ...
+}
+```
+
 <h4 id="request-flow-step-2" class="no-num">2. Creates a DPoP header token</h4>
 
-Before we send a request, we need to generate a DPoP header token. A new DPoP token must be
+Before we request access token, we need to generate a DPoP header token. A new DPoP token must be
 generated every time a request is made.
 
 Generating a DPoP token is done the same way we did it in the authentication section. It must be signed by the same keypair that we generated in the authentication section. Our token
@@ -702,68 +695,77 @@ Token Header:
 Token Body:
 ```json
 {
-    "htu": "https://bob.otherpod.example/private/photo_album.ttl",
-    "htm": "GET",
+    "htu": "https://auth.otherpod.example/token",
+    "htm": "POST",
     "jti": "fb1264dd-fff1-4509-a7b1-0fe58d08d3e1",
     "iat": 1603389616
 }
 ```
-- `"htu": "https://bob.otherpod.example/private/photo_album.ttl"`: htu limits the token for
+- `"htu": "https://auth.otherpod.example/token"`: htu limits the token for
     use only on the given url.
-- `"htm": "GET"`: htm limits the token for use only on a specific http method, in this case
+- `"htm": "POST"`: htm limits the token for use only on a specific http method, in this case
     `POST`.
 - `"jti": "fb1264dd-fff1-4509-a7b1-0fe58d08d3e1"`: jti is a unique identifier for the DPoP
     token that can optionally be used by the server to defend against replay attacks
 - `"iat": 1603389616`: The date the token was issued, in this case October 22, 2020 14:00:16
     GMT.
 
-<h4 id="request-flow-step-3" class="no-num">3. Sends request</h4>
 
-With the access token and new DPoP token in hand, we're ready to make our request.
+<h4 id="request-flow-step-4" class="no-num">4. Includes ID Token in Solid Claim Token</h4>
 
-```http
-GET https://bob.otherpod.example/private/photo_album.ttl
-Headers: {
-    authorization: "DPoP eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJodHRwczovL2FsaWNlLmNvb2xwb2QuZXhhbXBsZS9wcm9maWxlL2NhcmQjbWUiLCJ3ZWJpZCI6Imh0dHBzOi8vYWxpY2UuY29vbHBvZC5leGFtcGxlL3Byb2ZpbGUvY2FyZCNtZSIsImlzcyI6Imh0dHBzOi8vc2VjdXJlYXV0aC5leGFtcGxlIiwiYXVkIjoic29saWQiLCJjbmYiOnsiamt0IjoiOVhtd0s4bVEzSDUtUG56QXQzbEZIeldCV192NVFoWXluZXpiYml0NGtDOCJ9LCJjbGllbnRfaWQiOiJodHRwczovL2RlY2VudHBob3Rvcy5leGFtcGxlL3dlYmlkI3RoaXMiLCJqdGkiOiJmZDBhMTM1My0yNWYzLTRjN2UtOGY4Yi1jMTQyNjRmMWMxMmUiLCJpYXQiOjE2MDMzODUyNjEsImV4cCI6MTYwMzM4NTg2MX0.HIIYiovILPvsdkD3s3xomR1MkA_Ir8Mx_C-eHxbWEnw9Z2rv2rOWbvMPZ--BqH3qVSupgYTZZsTDbZXA8giCLA",
-    dpop: "eyJhbGciOiJFUzI1NiIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6IkVDIiwia2lkIjoiQ21HVE9Dd3ZKWXhrb0dGOGNxcFpBNTdab2xVdThBcFJQb3MwVlduWk1TNCIsInVzZSI6InNpZyIsImFsZyI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiU0FZcmF5VUh4Z1FPQ29YSC1MbHdyOW1iSWJpUHBsLXRQRUpLeE1WWFltcyIsInkiOiJ6eGJQODdPQ3JpeEZpMk9vZjU1QkhsTC1ySHhvWHVuUmttNFBkV3duUzJnIn19.eyJodHUiOiJodHRwczovL2JvYi5vdGhlcnBvZC5leGFtcGxlL3ByaXZhdGUvcGhvdG9fYWxidW0udHRsIiwiaHRtIjoiZ2V0IiwianRpIjoiZmIxMjY0ZGQtZmZmMS00NTA5LWE3YjEtMGZlNThkMDhkM2UxIiwiaWF0IjoxNjAzMzg5NjE2LCJleHAiOjE2MDMzOTMyMTZ9.G8JktoMOadenCYtO4Z_ZI7ACnjKJvT59OyKlQ6WpB1Qq2GoCK6v1ocrpsfELDOKIL5nt5fwWccfvCAA2bMrkjA"
+ID token received from OP MUST be included in Claim Token which we will use in next step.
+
+```json
+{
+    "id_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJodHRwczovL2FsaWNlLmNvb2xwb2QuZXhhbXBsZS9wcm9maWxlL2NhcmQjbWUiLCJhdWQiOiJodHRwczovL2RlY2VudHBob3Rvcy5leGFtcGxlL3dlYmlkI3RoaXMiLCJ3ZWJpZCI6Imh0dHBzOi8vYWxpY2UuY29vbHBvZC5leGFtcGxlL3Byb2ZpbGUvY2FyZCNtZSIsImlzcyI6Imh0dHBzOi8vc2VjdXJlYXV0aC5leGFtcGxlIiwianRpIjoiODQ0YTA5NWMtOWNkYi00N2U1LTk1MTAtMWRiYTk4N2MwYTVmIiwiaWF0IjoxNjAzMzg2NDQ4LCJleHAiOjE2MDMzODcwNDh9.T306vT8dmn9gQIMEdG92AM4WRnrhqWZTfDpovwqZ6Zn0mK9yxj0iOVGqXD4CW8-tzDTitNwEGorAo85atL0Oeg"
 }
 ```
-- `headers.authorization: "DPoP eyJhbGciOiJFUzI1N..."`: The authorization header contains the
-    ACCESS TOKEN that we received from the OP during the auth phase. Putting "DPoP" followed by a
-    space tells the Resource Server that this is a DPoP bound access token.
-- `dpop: "eyJhbGciOi..."`: The DPoP token we just generated.
 
-<h4 id="request-flow-step-4" class="no-num">4. Checks Access Token expirations</h4>
+<h4 id="request-flow-step-4" class="no-num">4. Request Access Token</h4>
+
+Request:
+```http
+POST /token HTTP/1.1
+Host: auth.otherpod.example
+DPoP: eyJhbGciOi...
+...
+grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket
+&ticket=016f84e8-f9b9-11e0-bd6f-0021cc6004de
+&claim_token=eyj0...
+&claim_token_format=http%3A%2F%2Fwww.w3.org%2Fns%2Fsolid%2Fterms%23ClaimToken
+```
+
+<h4 id="request-flow-step-4" class="no-num">4. Checks ID Token expirations</h4>
 
-The RS checks if the access token is still valid by looking at the `exp` claim. If the token
-does not have an `exp` claim or the token is expired, the RS must reject the request with a 403.
+The AS checks if the id token is still valid by looking at the `exp` claim. If the token
+does not have an `exp` claim or the token is expired, the AS must reject the request with a 403.
 
 <h4 id="request-flow-step-5" class="no-num">5. Checks the DPoP token url and method</h4>
 
-The RS checks the `htu` and `htm` claims of the DPoP token. If the `htu` does not match the
+The AS checks the `htu` and `htm` claims of the DPoP token. If the `htu` does not match the
 protocol, origin and path of the request or the `htm` does not correspond the the http method
-of the request, the RS must reject the request with a 403.
+of the request, the AS must reject the request with a 403.
 
 <h4 id="request-flow-step-5.1" class="no-num">5.1. (Optional) Checks DPoP token unique identifier</h4>
 
-The RS can optionally keep track of all DPoP `jti` claims it received. Because a new DPoP token
+The AS can optionally keep track of all DPoP `jti` claims it received. Because a new DPoP token
 must be generated each time a request is made, no two tokens should have the same `jti`. If the
-RS receives a DPoP token with a `jti` it has already encountered it may reject the request with
+AS receives a DPoP token with a `jti` it has already encountered it may reject the request with
 a 403.
 
 <h4 id="request-flow-step-6" class="no-num">6. Checks DPoP signature against Access Token</h4>
 
-The RS first confirms that the DPoP token was signed by the public key listed in its `header
-jwk`. If it was not, the RS must reject the request with a 403.
+The AS first confirms that the DPoP token was signed by the public key listed in its `header
+jwk`. If it was not, the AS must reject the request with a 403.
 
-The RS checks if the public key in the DPoP token's `header.jwk` corresponds to the jwk
+The AS checks if the public key in the DPoP token's `header.jwk` corresponds to the jwk
 thumbprint in the access token in the `cnf` field. If they do not, the OP must reject the
 request with a 403.
 
 <h4 id="request-flow-step-7" class="no-num">7. Retrieves Profile</h4>
 
 Using the `webid` claim in the access token (for us, it's
-`https://alice.coolpod.example/profile/card#me`), the RS retreives the user's WebId document.
+`https://alice.coolpod.example/profile/card#me`), the AS retreives the user's WebId document.
 
 Request
 ```http
@@ -790,12 +792,12 @@ Response
 
 <h4 id="request-flow-step-8" class="no-num">8. Checks issuer</h4>
 
-The RS checks that the `iss` claim in the access token matches the issuer listed in the user's
-WebID. If it does not, the RS must reject the request with a 403.
+The AS checks that the `iss` claim in the access token matches the issuer listed in the user's
+WebID. If it does not, the AS must reject the request with a 403.
 
 <h4 id="request-flow-step-9" class="no-num">9. Retrieves OP configuration</h4>
 
-The RS uses the `iss` claim to get the issuer's configuration. The url is the issuer claim with
+The AS uses the `iss` claim to get the issuer's configuration. The url is the issuer claim with
 `/.well-known/openid-configuration` appended to the end.
 
 Request
@@ -859,7 +861,7 @@ Response
 
 <h4 id="request-flow-step-10" class="no-num">10. Requests JWKS</h4>
 
-Using the `jwks_uri` field in the openid-configuration, the RS makes a request to retreive the
+Using the `jwks_uri` field in the openid-configuration, the AS makes a request to retreive the
 OP's public keys.
 
 Request
@@ -888,15 +890,34 @@ Notice that the `keys` field is an array, so an OP could have multiple public ke
 
 <h4 id="request-flow-step-11" class="no-num">11. Checks access token signature validity</h4>
 
-Using the `kid` value in the access token, the RS searches the OP keys for one that matches the
-access token. Checks to see if the access token was signed by that key. If it was not, the RS
+Using the `kid` value in the access token, the AS searches the OP keys for one that matches the
+access token. Checks to see if the access token was signed by that key. If it was not, the AS
 must reject the request with a 403.
 
 <h4 id="request-flow-step-12" class="no-num">12. Performs Authorization</h4>
 
-Now that the RS has performed all of its checks, we can trust that the agent in the `webid`
+Now that the AS has performed all of its checks, we can trust that the agent in the `webid`
 claim (`https://alice.coolpod.example/profile/card#me`) is the same agent on whose behalf the
-request was made. Using that information, the RS performs authorization.
+request was made. Using that information, the AS performs authorization and returns access token.
+
+Response:
+```json
+{
+   "access_token":"sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
+   "token_type":"Bearer"
+}
+```
+
+<h4 id="request-flow-step-3" class="no-num">3. Sends request</h4>
+
+With the access token, we're ready to make our request.
+
+```http
+GET https://bob.otherpod.example/private/photo_album.ttl
+Headers: {
+    authorization: "Bearer sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv",
+}
+```
 
 <h4 id="request-flow-step-13" class="no-num">13. Returns Result</h4>
 
diff --git a/primer/primer-login.mmd b/primer/primer-login.mmd
index 4edf33b..6bca3cb 100644
--- a/primer/primer-login.mmd
+++ b/primer/primer-login.mmd
@@ -1,30 +1,29 @@
 sequenceDiagram
-    participant RP
-    participant Alice's OP
-    participant Alice's WebID
-    participant RP's WebID
-    note over RP: 1. Alice uses the decentphotos app
-    note over RP: 2. Alice selects her OP or WebID
-    RP->>Alice's WebID: 2.1 Retrieve Profile
-    Alice's WebID->>RP: Alice's WebID Profile
-    RP->>Alice's OP: 3. Retrieves OP configuration
-    Alice's OP->>RP: OP configuration
-    note over RP: 4. Generates PKCE code and code verifier
-    note over RP: 5. Saves code verifier to session storage
-    RP->>Alice's OP: 6. Authorization Request
-    Alice's OP->>RP's WebID: 7. Fetch RP WebID
-    RP's WebID->>Alice's OP: RP's WebID Profile
-    note over Alice's OP: 8. Validates redirect url with WebID
-    note over Alice's OP: 9. Alice Logs In
-    note over Alice's OP: 10. Generates a code
-    Alice's OP->>RP: 11. Send code to redirect url
-    note over RP: 12. Generates DPoP Client Key Pair
-    note over RP: 13. Generates a DPoP Header
-    RP->>Alice's OP: 14. Token request with code and code verifier
-    note over Alice's OP: 15. Validates code verifier
-    note over Alice's OP: 16. Validates DPoP Token signature
-    note over Alice's OP: 17. Converts the DPoP public key to a JWK thumbprint
-    note over Alice's OP: 18. Generates access token
-    note over Alice's OP: 19. Generates id token
-    note over Alice's OP: 20. Generates refresh token
-    Alice's OP->>RP: 21. Send tokens
+  participant WebID as 👩 End-User's WebID Document
+  participant OP as 👩 OpenID Provider
+  participant ClientID as ⚙️ Client's ID Document
+  participant Client as ⚙️ Client
+  note over Client: 1. Alice uses the decentphotos app
+  note over Client: 2. Alice selects her OP or WebID
+  Client->>WebID: 2.1 Retrieve Profile
+  WebID->>Client: WebID Profile
+  Client->>OP: 3. Retrieves OP configuration
+  OP->>Client: OP configuration
+  note over Client: 4. Generates PKCE code and code verifier
+  note over Client: 5. Saves code verifier to session storage
+  Client->>OP: 6. Authorization Request
+  OP->>ClientID: 7. Fetch Client WebID
+  ClientID->>OP: ClientID Profile
+  note over OP: 8. Validates redirect url with WebID
+  note over OP: 9. Alice Logs In
+  note over OP: 10. Generates a code
+  OP->>Client: 11. Send code to redirect url
+  note over Client: 12. Generates DPoP Client Key Pair
+  note over Client: 13. Generates a DPoP Header
+  Client->>OP: 14. Token request with code and code verifier
+  note over OP: 15. Validates code verifier
+  note over OP: 16. Validates DPoP Token signature
+  note over OP: 17. Converts the DPoP public key to a JWK thumbprint
+  note over OP: 19. Generates id token
+  note over OP: 20. Generates refresh token
+  OP->>Client: 21. Send tokens
diff --git a/primer/primer-request.mmd b/primer/primer-request.mmd
index 1924bae..827b47d 100644
--- a/primer/primer-request.mmd
+++ b/primer/primer-request.mmd
@@ -1,18 +1,29 @@
 sequenceDiagram
-    note over RP: 1. An AJAX request is initiated
-    note over RP: 2. Creates a DPoP header token
-    RP->>Bob's Pod (RS): 3. Sends Request
-    note over Bob's Pod (RS): 4. Checks Access token expirations
-    note over Bob's Pod (RS): 5. Checks DPoP Token url and method
-    note over Bob's Pod (RS): 5.1. (Optional) Checks DPoP token unique identifier
-    note over Bob's Pod (RS): 6. Checks DPoP signature against Access Token
-    Bob's Pod (RS)->>Alice's Pod (RS): 7. Retrieves Profile
-    Alice's Pod (RS)->>Bob's Pod (RS): Profile
-    note over Bob's Pod (RS): 8. Checks Issuer
-    Bob's Pod (RS)->>Alice's OP: 9. Retrieves OP configuration
-    Alice's OP->>Bob's Pod (RS): OP configuration
-    Bob's Pod (RS)->>Alice's OP: 10. Requests JWKS
-    Alice's OP->>Bob's Pod (RS): JWKS
-    note over Bob's Pod (RS): 11. Checks access token signature validity
-    note over Bob's Pod (RS): 12. Performs Authorization
-    Bob's Pod (RS)->>RP: 13. Returns Result
\ No newline at end of file
+  participant WebID as 👩 End-User's WebID Document
+  participant OP as 👩 OpenID Provider
+  participant Client as ⚙️ Client
+  participant AS as ☁️ Authorization Server
+  participant RS as ☁️ Resource Server
+  note over Client: 1. An AJAX request is initiated
+  note over Client: 2. Creates a DPoP header token
+  Client->>RS: 3. Sends Request
+  RS->>Client: 4. Responds 401 with as_uri
+  Client->>AS: Requests AS configuration
+  AS-->>Client: AS configuration
+  Client->>AS: Request Access Token
+  note over AS: 4. Checks Access token expirations
+  note over AS: 5. Checks DPoP Token url and method
+  note over AS: 5.1. (Optional) Checks DPoP token unique identifier
+  note over AS: 6. Checks DPoP signature against Access Token
+  AS->>WebID: 7. Retrieves Profile
+  WebID->>AS: Profile
+  note over AS: 8. Checks Issuer
+  AS->>OP: 9. Retrieves OP configuration
+  OP->>AS: OP configuration
+  AS->>OP: 10. Requests JWKS
+  OP->>AS: JWKS
+  note over AS: 11. Checks access token signature validity
+  AS->>Client: Access Token Response
+  Client->>RS: 3. Sends Request with Access Token
+  note over AS, RS: Have pre-established usage of Access Tokens
+  RS->>Client: 13. Returns Result

From 8a10b6542f028024513552a4695f363976049c5e Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Mon, 20 Dec 2021 08:26:12 -0600
Subject: [PATCH 08/14] added UMA AS details to the spec

---
 index.bs | 42 ++++++++++++++++++++++++++++++++++++++----
 1 file changed, 38 insertions(+), 4 deletions(-)

diff --git a/index.bs b/index.bs
index c7622f6..2045fe3 100644
--- a/index.bs
+++ b/index.bs
@@ -165,9 +165,6 @@ provided at `https://www.w3.org/ns/solid/oidc-context.jsonld` such that the resu
 document produces a JSON serialization of an OIDC client registration, per the
 definition of client registration metadata from [[!RFC7591]] section 2.
 
-Issue: [Related Issue](https://github.com/solid/authentication-panel/issues/75)
-Solid-OIDC requirements for client description document
-
 Also, the IdP MUST dereference the Client ID Document and match any Client-supplied parameters
 with the values in the Client ID Document.
 
@@ -346,13 +343,40 @@ With the `webid` scope, the DPoP-bound OIDC ID Token payload MUST contain these
             "exp": 1311281970,
             "cnf":{
               "jkt":"0ZcOCORZNYy-DWpqq30jZyJGHTN0d2HglBV3uiguA4I"
-            },
+            }
         }
     </pre>
 </div>
 
 # Resource Access # {#resource}
 
+## Solid Claim Token ## {#solid-claim-token}
+
+Issue: Solid Claim Token (JWT) should have common definition outside of this spec
+
+Client MUST embed obtained [[#tokens-id]] in Solid Claim Token as value of `id_token` claim.
+
+## Authorization Server Discovery ## {#authorization-server-discovery}
+
+When client performs unauthenticated request to protected resource,
+Resource Server MUST respond with HTTP <code>401</code> status code,
+as well as <code>WWW-Authenticate</code> HTTP header including <code>UMA</code>
+as authentication scheme, with the <code>issuer</code> URI from the
+authorization server's discovery document in <code>as_uri</code> parameter
+and permission ticket in  <code>ticket</code> parameter.[[!UMA]]
+
+Given <code>as_uri</code> client can discover Authorization Server token endponint via
+Authorization Server Metadata available at <code>./well-known/uma-configuration</code>.
+As specified in [[!UMA]]
+
+
+## Obtaining Access Token ## {#obtaining-access-token}
+
+Client can obtain Access Token from Authorization Server token endpoint using
+<code>urn:ietf:params:oauth:grant-type:uma-ticket</code> grant [[!UMA]].
+When using this grant Client MUST use [[#solid-claim-token]] as <code>claim_token</code>
+and <code>http://www.w3.org/ns/solid/terms#ClaimToken</code> as <code>claim_token_format</code>.
+
 ## DPoP Proof Validation ## {#resource-dpop-validation}
 
 A DPoP Proof that is valid according to
@@ -546,6 +570,16 @@ Verborgh, Ricky White, Paul Worrall, Dmitri Zagidulin.
         "href": "https://www.w3.org/2005/Incubator/webid/spec/identity/",
         "title": "WebID 1.0",
         "publisher": "WebID Incubator Group"
+    },
+    "UMA": {
+        "authors": [
+            "Eve Maler",
+            "Maciej Machulak",
+            "Justin Richer"
+        ],
+        "href": "https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html",
+        "title": "User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization",
+        "publisher": "Kantara Initiative, Inc"
     }
 }
 </pre>

From c01a6ea937ab356b276bc94b3d0b88bb3a5f0d7f Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Mon, 3 Jan 2022 08:05:50 -0600
Subject: [PATCH 09/14] incorporated feedback from review

---
 index.bs        | 14 +++++---------
 primer/index.bs | 20 ++++++--------------
 2 files changed, 11 insertions(+), 23 deletions(-)

diff --git a/index.bs b/index.bs
index 2045fe3..cc6aa41 100644
--- a/index.bs
+++ b/index.bs
@@ -350,12 +350,6 @@ With the `webid` scope, the DPoP-bound OIDC ID Token payload MUST contain these
 
 # Resource Access # {#resource}
 
-## Solid Claim Token ## {#solid-claim-token}
-
-Issue: Solid Claim Token (JWT) should have common definition outside of this spec
-
-Client MUST embed obtained [[#tokens-id]] in Solid Claim Token as value of `id_token` claim.
-
 ## Authorization Server Discovery ## {#authorization-server-discovery}
 
 When client performs unauthenticated request to protected resource,
@@ -366,7 +360,7 @@ authorization server's discovery document in <code>as_uri</code> parameter
 and permission ticket in  <code>ticket</code> parameter.[[!UMA]]
 
 Given <code>as_uri</code> client can discover Authorization Server token endponint via
-Authorization Server Metadata available at <code>./well-known/uma-configuration</code>.
+Authorization Server Metadata available at <code>./well-known/uma2-configuration</code>.
 As specified in [[!UMA]]
 
 
@@ -374,8 +368,10 @@ As specified in [[!UMA]]
 
 Client can obtain Access Token from Authorization Server token endpoint using
 <code>urn:ietf:params:oauth:grant-type:uma-ticket</code> grant [[!UMA]].
-When using this grant Client MUST use [[#solid-claim-token]] as <code>claim_token</code>
-and <code>http://www.w3.org/ns/solid/terms#ClaimToken</code> as <code>claim_token_format</code>.
+When using this grant Client MUST use [[#tokens-id]] as <code>claim_token</code>
+and <code>http://openid.net/specs/openid-connect-core-1_0.html#IDToken</code> as <code>claim_token_format</code>.
+
+Note: Client can push additional claims by requesting upgraded RPT [[!UMA]]
 
 ## DPoP Proof Validation ## {#resource-dpop-validation}
 
diff --git a/primer/index.bs b/primer/index.bs
index 2404cd1..69d000e 100644
--- a/primer/index.bs
+++ b/primer/index.bs
@@ -601,8 +601,7 @@ Response (content-type: application/json)
 ```json
 {
     "id_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJodHRwczovL2FsaWNlLmNvb2xwb2QuZXhhbXBsZS9wcm9maWxlL2NhcmQjbWUiLCJhdWQiOiJodHRwczovL2RlY2VudHBob3Rvcy5leGFtcGxlL3dlYmlkI3RoaXMiLCJ3ZWJpZCI6Imh0dHBzOi8vYWxpY2UuY29vbHBvZC5leGFtcGxlL3Byb2ZpbGUvY2FyZCNtZSIsImlzcyI6Imh0dHBzOi8vc2VjdXJlYXV0aC5leGFtcGxlIiwianRpIjoiODQ0YTA5NWMtOWNkYi00N2U1LTk1MTAtMWRiYTk4N2MwYTVmIiwiaWF0IjoxNjAzMzg2NDQ4LCJleHAiOjE2MDMzODcwNDh9.T306vT8dmn9gQIMEdG92AM4WRnrhqWZTfDpovwqZ6Zn0mK9yxj0iOVGqXD4CW8-tzDTitNwEGorAo85atL0Oeg",
-    "refresh_token": "eyJhbGciOiJub25lIn0.eyJqdGkiOiJhNzhiNDllZi03MWM1LTQ5ODUtYTUwYy01ZWYzYWVmMGZkOGYifQ.",
-    "scope": "openid webid offline_access"
+    "refresh_token": "eyJhbGciOiJub25lIn0.eyJqdGkiOiJhNzhiNDllZi03MWM1LTQ5ODUtYTUwYy01ZWYzYWVmMGZkOGYifQ."
 }
 ```
 
@@ -610,7 +609,6 @@ Response (content-type: application/json)
     extract information like the user's WebId.
 - `"refresh_token":	"eyJhbGciOiJ..."`: The refresh token. The client will use this to get a
     new access token when its current one expires.
-- `"scope":	"openid webid offline_access"`: The scopes that were used.
 
 ## Request Flow ## {#request-flow}
 
@@ -711,16 +709,6 @@ Token Body:
     GMT.
 
 
-<h4 id="request-flow-step-4" class="no-num">4. Includes ID Token in Solid Claim Token</h4>
-
-ID token received from OP MUST be included in Claim Token which we will use in next step.
-
-```json
-{
-    "id_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJodHRwczovL2FsaWNlLmNvb2xwb2QuZXhhbXBsZS9wcm9maWxlL2NhcmQjbWUiLCJhdWQiOiJodHRwczovL2RlY2VudHBob3Rvcy5leGFtcGxlL3dlYmlkI3RoaXMiLCJ3ZWJpZCI6Imh0dHBzOi8vYWxpY2UuY29vbHBvZC5leGFtcGxlL3Byb2ZpbGUvY2FyZCNtZSIsImlzcyI6Imh0dHBzOi8vc2VjdXJlYXV0aC5leGFtcGxlIiwianRpIjoiODQ0YTA5NWMtOWNkYi00N2U1LTk1MTAtMWRiYTk4N2MwYTVmIiwiaWF0IjoxNjAzMzg2NDQ4LCJleHAiOjE2MDMzODcwNDh9.T306vT8dmn9gQIMEdG92AM4WRnrhqWZTfDpovwqZ6Zn0mK9yxj0iOVGqXD4CW8-tzDTitNwEGorAo85atL0Oeg"
-}
-```
-
 <h4 id="request-flow-step-4" class="no-num">4. Request Access Token</h4>
 
 Request:
@@ -732,7 +720,7 @@ DPoP: eyJhbGciOi...
 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket
 &ticket=016f84e8-f9b9-11e0-bd6f-0021cc6004de
 &claim_token=eyj0...
-&claim_token_format=http%3A%2F%2Fwww.w3.org%2Fns%2Fsolid%2Fterms%23ClaimToken
+&claim_token_format=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html%23IDToken
 ```
 
 <h4 id="request-flow-step-4" class="no-num">4. Checks ID Token expirations</h4>
@@ -910,6 +898,10 @@ Response:
 
 <h4 id="request-flow-step-3" class="no-num">3. Sends request</h4>
 
+Note: In practice client would need to upgrade RPT by pushing
+authorization related claim. This primer only focuses on authentication so we omit
+this detail here.
+
 With the access token, we're ready to make our request.
 
 ```http

From 963a7f9929442c3b7d25adbfd96a7df7bf96057d Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Fri, 7 Jan 2022 07:26:03 -0600
Subject: [PATCH 10/14] Apply suggestions from code review

Co-authored-by: Zwifi <contact@zwifi.eu>
---
 index.bs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/index.bs b/index.bs
index 2b361d4..240c81a 100644
--- a/index.bs
+++ b/index.bs
@@ -314,12 +314,12 @@ With the `webid` scope, the DPoP-bound OIDC ID Token payload MUST contain these
  * `webid` — The WebID claim MUST be the user's WebID.
  * `iss` — The issuer claim MUST be a valid URL of the IdP
     instantiating this token.
- * `aud` — The audience claim MUST an array of values,
+ * `aud` — The audience claim MUST be an array of values,
     one of which is the ClientID claim is used to identify the client.
     (See also: [section 5. Client Identifiers](#clientids)).
     another one is the string `solid`.
     In the decentralized world
-    of Solid OIDC, the audience of ID TOken is not only the client,
+    of Solid OIDC, the audience of an ID Token is not only the client,
     but rather the Solid Authorization Server;
     that is, any Solid Authorization Server at any accessible address
     on the world wide web. See also: [[RFC7519#section-4.1.3]].
@@ -355,14 +355,14 @@ With the `webid` scope, the DPoP-bound OIDC ID Token payload MUST contain these
 
 ## Authorization Server Discovery ## {#authorization-server-discovery}
 
-When client performs unauthenticated request to protected resource,
+When Client performs an unauthenticated request to a protected resource,
 Resource Server MUST respond with HTTP <code>401</code> status code,
 as well as <code>WWW-Authenticate</code> HTTP header including <code>UMA</code>
 as authentication scheme, with the <code>issuer</code> URI from the
 authorization server's discovery document in <code>as_uri</code> parameter
 and permission ticket in  <code>ticket</code> parameter.[[!UMA]]
 
-Given <code>as_uri</code> client can discover Authorization Server token endponint via
+Given <code>as_uri</code> client can discover Authorization Server token endpoint via
 Authorization Server Metadata available at <code>./well-known/uma2-configuration</code>.
 As specified in [[!UMA]]
 

From 7872a59cad36129338014d65d451f09021c3addc Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Fri, 7 Jan 2022 07:27:46 -0600
Subject: [PATCH 11/14] Apply suggestions from code review

Co-authored-by: Aaron Coburn <acoburn@apache.org>
---
 index.bs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/index.bs b/index.bs
index 240c81a..8c410c5 100644
--- a/index.bs
+++ b/index.bs
@@ -369,12 +369,12 @@ As specified in [[!UMA]]
 
 ## Obtaining Access Token ## {#obtaining-access-token}
 
-Client can obtain Access Token from Authorization Server token endpoint using
+Clients can obtain an Access Token from the Authorization Server's token endpoint using
 <code>urn:ietf:params:oauth:grant-type:uma-ticket</code> grant [[!UMA]].
 When using this grant Client MUST use [[#tokens-id]] as <code>claim_token</code>
 and <code>http://openid.net/specs/openid-connect-core-1_0.html#IDToken</code> as <code>claim_token_format</code>.
 
-Note: Client can push additional claims by requesting upgraded RPT [[!UMA]]
+Note: Client can push additional claims by requesting an upgraded RPT [[!UMA]]
 
 ## DPoP Proof Validation ## {#resource-dpop-validation}
 

From b838aeee2ed6161f7c15cb3823bea73ab730f71b Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Sun, 9 Jan 2022 13:48:12 -0600
Subject: [PATCH 12/14] adjust sequence numbering in the primer

---
 index.bs                  |  4 ++--
 primer/index.bs           | 28 ++++++++++++++--------------
 primer/primer-request.mmd | 37 ++++++++++++++++++-------------------
 3 files changed, 34 insertions(+), 35 deletions(-)

diff --git a/index.bs b/index.bs
index 8c410c5..391e450 100644
--- a/index.bs
+++ b/index.bs
@@ -177,7 +177,7 @@ list.
 This example uses [JSON-LD ](https://www.w3.org/TR/json-ld11/) for the Client ID Document:
 
 <div class='example'>
-    <p>https://app.example/id
+    <p>https://app.example/id</p>
 
     <pre highlight="jsonld">
         {
@@ -404,7 +404,7 @@ A server hosting a WebID document MAY transmit the `http://www.w3.org/ns/solid/t
 
 <div class="example">
     <pre highlight="http">
-        Link: <https://oidc.example>; rel="http://www.w3.org/ns/solid/terms#oidcIssuer"; anchor="#id"
+        Link: &lt;https://oidc.example&gt;; rel="http://www.w3.org/ns/solid/terms#oidcIssuer"; anchor="#id"
     </pre>
 </div>
 
diff --git a/primer/index.bs b/primer/index.bs
index 69d000e..f17494a 100644
--- a/primer/index.bs
+++ b/primer/index.bs
@@ -637,7 +637,7 @@ WWW-Authenticate: UMA realm="example",
   ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de"
 ```
 
-<h4 id="request-flow-step-1" class="no-num">1. Discover Token Endpoint</h4>
+<h4 id="request-flow-step-2" class="no-num">2. Request AS configuration</h4>
 
 Knowing Authorization Server now client can discover its Token Endpoint ([[!RFC8414]])
 
@@ -658,7 +658,7 @@ Response:
 }
 ```
 
-<h4 id="request-flow-step-2" class="no-num">2. Creates a DPoP header token</h4>
+<h4 id="request-flow-step-3" class="no-num">3. Creates a DPoP header token</h4>
 
 Before we request access token, we need to generate a DPoP header token. A new DPoP token must be
 generated every time a request is made.
@@ -723,25 +723,25 @@ grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket
 &claim_token_format=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html%23IDToken
 ```
 
-<h4 id="request-flow-step-4" class="no-num">4. Checks ID Token expirations</h4>
+<h4 id="request-flow-step-5" class="no-num">5. Checks ID Token expirations</h4>
 
 The AS checks if the id token is still valid by looking at the `exp` claim. If the token
 does not have an `exp` claim or the token is expired, the AS must reject the request with a 403.
 
-<h4 id="request-flow-step-5" class="no-num">5. Checks the DPoP token url and method</h4>
+<h4 id="request-flow-step-6" class="no-num">6. Checks the DPoP token url and method</h4>
 
 The AS checks the `htu` and `htm` claims of the DPoP token. If the `htu` does not match the
 protocol, origin and path of the request or the `htm` does not correspond the the http method
 of the request, the AS must reject the request with a 403.
 
-<h4 id="request-flow-step-5.1" class="no-num">5.1. (Optional) Checks DPoP token unique identifier</h4>
+<h4 id="request-flow-step-6.1" class="no-num">6.1. (Optional) Checks DPoP token unique identifier</h4>
 
 The AS can optionally keep track of all DPoP `jti` claims it received. Because a new DPoP token
 must be generated each time a request is made, no two tokens should have the same `jti`. If the
 AS receives a DPoP token with a `jti` it has already encountered it may reject the request with
 a 403.
 
-<h4 id="request-flow-step-6" class="no-num">6. Checks DPoP signature against Access Token</h4>
+<h4 id="request-flow-step-7" class="no-num">7. Checks DPoP signature against Access Token</h4>
 
 The AS first confirms that the DPoP token was signed by the public key listed in its `header
 jwk`. If it was not, the AS must reject the request with a 403.
@@ -750,7 +750,7 @@ The AS checks if the public key in the DPoP token's `header.jwk` corresponds to
 thumbprint in the access token in the `cnf` field. If they do not, the OP must reject the
 request with a 403.
 
-<h4 id="request-flow-step-7" class="no-num">7. Retrieves Profile</h4>
+<h4 id="request-flow-step-8" class="no-num">8. Retrieves WebID Document</h4>
 
 Using the `webid` claim in the access token (for us, it's
 `https://alice.coolpod.example/profile/card#me`), the AS retreives the user's WebId document.
@@ -778,12 +778,12 @@ Response
     solid:oidcIssuer <https://secureauth.example> ;
 ```
 
-<h4 id="request-flow-step-8" class="no-num">8. Checks issuer</h4>
+<h4 id="request-flow-step-9" class="no-num">9. Checks issuer</h4>
 
 The AS checks that the `iss` claim in the access token matches the issuer listed in the user's
 WebID. If it does not, the AS must reject the request with a 403.
 
-<h4 id="request-flow-step-9" class="no-num">9. Retrieves OP configuration</h4>
+<h4 id="request-flow-step-10" class="no-num">10. Retrieves OP configuration</h4>
 
 The AS uses the `iss` claim to get the issuer's configuration. The url is the issuer claim with
 `/.well-known/openid-configuration` appended to the end.
@@ -847,7 +847,7 @@ Response
 }
 ```
 
-<h4 id="request-flow-step-10" class="no-num">10. Requests JWKS</h4>
+<h4 id="request-flow-step-11" class="no-num">11. Requests JWKS</h4>
 
 Using the `jwks_uri` field in the openid-configuration, the AS makes a request to retreive the
 OP's public keys.
@@ -876,13 +876,13 @@ Response (application/json)
 
 Notice that the `keys` field is an array, so an OP could have multiple public keys.
 
-<h4 id="request-flow-step-11" class="no-num">11. Checks access token signature validity</h4>
+<h4 id="request-flow-step-12" class="no-num">12. Checks access token signature validity</h4>
 
 Using the `kid` value in the access token, the AS searches the OP keys for one that matches the
 access token. Checks to see if the access token was signed by that key. If it was not, the AS
 must reject the request with a 403.
 
-<h4 id="request-flow-step-12" class="no-num">12. Performs Authorization</h4>
+<h4 id="request-flow-step-13" class="no-num">13. Access Token Response</h4>
 
 Now that the AS has performed all of its checks, we can trust that the agent in the `webid`
 claim (`https://alice.coolpod.example/profile/card#me`) is the same agent on whose behalf the
@@ -896,7 +896,7 @@ Response:
 }
 ```
 
-<h4 id="request-flow-step-3" class="no-num">3. Sends request</h4>
+<h4 id="request-flow-step-14" class="no-num">14. Sends request with Access Token</h4>
 
 Note: In practice client would need to upgrade RPT by pushing
 authorization related claim. This primer only focuses on authentication so we omit
@@ -911,7 +911,7 @@ Headers: {
 }
 ```
 
-<h4 id="request-flow-step-13" class="no-num">13. Returns Result</h4>
+<h4 id="request-flow-step-15" class="no-num">15. Returns Result</h4>
 
 Given all went well, the RS should return the requested content.
 
diff --git a/primer/primer-request.mmd b/primer/primer-request.mmd
index 827b47d..33ee34c 100644
--- a/primer/primer-request.mmd
+++ b/primer/primer-request.mmd
@@ -4,26 +4,25 @@ sequenceDiagram
   participant Client as ⚙️ Client
   participant AS as ☁️ Authorization Server
   participant RS as ☁️ Resource Server
-  note over Client: 1. An AJAX request is initiated
-  note over Client: 2. Creates a DPoP header token
-  Client->>RS: 3. Sends Request
-  RS->>Client: 4. Responds 401 with as_uri
-  Client->>AS: Requests AS configuration
-  AS-->>Client: AS configuration
-  Client->>AS: Request Access Token
-  note over AS: 4. Checks Access token expirations
-  note over AS: 5. Checks DPoP Token url and method
-  note over AS: 5.1. (Optional) Checks DPoP token unique identifier
-  note over AS: 6. Checks DPoP signature against Access Token
-  AS->>WebID: 7. Retrieves Profile
+  Client->>RS: 1. Discover Authorization Server
+  RS->>Client: Responds 401 with as_uri
+  Client->>AS: 2. Requests AS configuration
+  AS->>Client: AS configuration
+  note over Client: 3. Creates a DPoP header token
+  Client->>AS: 4. Request Access Token
+  note over AS: 5. Checks ID Token expirations
+  note over AS: 6. Checks DPoP Token url and method
+  note over AS: 6.1. (Optional) Checks DPoP token unique identifier
+  note over AS: 7. Checks DPoP signature against Access Token
+  AS->>WebID: 8. Retrieves WebID Document
   WebID->>AS: Profile
-  note over AS: 8. Checks Issuer
-  AS->>OP: 9. Retrieves OP configuration
+  note over AS: 9. Checks Issuer
+  AS->>OP: 10. Retrieves OP configuration
   OP->>AS: OP configuration
-  AS->>OP: 10. Requests JWKS
+  AS->>OP: 11. Requests JWKS
   OP->>AS: JWKS
-  note over AS: 11. Checks access token signature validity
-  AS->>Client: Access Token Response
-  Client->>RS: 3. Sends Request with Access Token
+  note over AS: 12. Checks access token signature validity
+  AS->>Client: 13. Access Token Response
+  Client->>RS: 14. Sends Request with Access Token
   note over AS, RS: Have pre-established usage of Access Tokens
-  RS->>Client: 13. Returns Result
+  RS->>Client: 15. Returns Result

From 302f5608a0413180343aa8f812fac78ce495dc7e Mon Sep 17 00:00:00 2001
From: elf Pavlik <elf-pavlik@hackers4peace.net>
Date: Sun, 9 Jan 2022 13:51:32 -0600
Subject: [PATCH 13/14] removed image of old basic flow diagram

---
 basic-flow-diagram.png | Bin 51772 -> 0 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 basic-flow-diagram.png

diff --git a/basic-flow-diagram.png b/basic-flow-diagram.png
deleted file mode 100644
index df9d36c16a810b3759ba66b0c583be217af20ed9..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 51772
zcmeFZcT|&4yEY0D5wQRwD58KgrI%0@2!u|6(0h^II|-eDqF5+`6cGUt5ReYiOHh>F
zRH{^^7XgtT0%xM|d*8j+{`U9RS?jEI-nCeHk|&dSX70JmHTPUMk2KU3&yimtCn6#`
zr>rEWMMQK0PecS+B_joQMD?=dh=@*wc*`4jyZG8VINK1hL1q8GV-w`Jck}XQgUYc9
z3R<|k^IAJt*m+vGc=5X0c!OKudlxrr2U`al>%VOT`33oT_{Dhy#B}(fY)~0NVeld(
z$}7kZHTv7$!p_F^s6%01e$c^9eFs--Hy<zXR$T|Y2=Ig3P&jx8z7P@m`_@-Phy&b_
zad&sN(YLWgIDn@s2t!4Ap(5b+O@xw;nkt*1EO_ti;A8_XiZ)hGZiJu6+IzaWfIA9e
z;BmY{0%A~J0e-^3wJmHdJRSbM8+mKH<95O#LcGEPe@ATNZDIF!c6MqWI&R*+o_-E;
zq9V3>PCjnhqJP_<Z9Kgk++6=Q6M*u9f&Kl$+t1zR?_Fyfw1X8Gh#(tO9tikIl3*YX
zN3s*scXqT#dO0Y&TNv=Tp}qX99JT&-;%WhA@MjG)fcSX+j0-9+YUFNd#U=<>b5T$O
zR|P_AxQ>&RtcZqzhc((#Q`AC7!_&n^7-it^Zm8*~Vy&v+r)DVXVvF{&lZ9HrRRr8z
zouN7&7XI?uR(3w31Yu|h$=d1o$?^*t__}&%=n1(SI=d)~$T<0GI@-vo$@(bi!WC8Y
zKtml*gr};qyas|_Ls8p8*+bpX5Uem<%gWPD1nH$HtZHX%VdG$^?1S(^xmg$rTe>3Q
zhSrLp3Bt<K60N7}WFhKlA*^X{2bEKmx777k5^{0Sb9A$HbVdq+{vBkrEsZpF3~g+z
zynMmT6l9@}mMTb3aVJ9=w6~Y7vjIxQTGm(3R#ZSn)*2<Kqao)lD=#E$D55N)?`x!^
zqlUH;@zl~25akyYLO{_j;K}M%8c2Ov4JcAuLDb6D-5K0MS-Wf4YJfMQ+5$F$u22zS
zU1ue4d36DMsE>%1AJiSC>t`wF=jo+~G_vvp!!Qy<@(T%ihzt8WXensJtrQFebX;8w
zKwk=ePR_#mg6{fCNR+6NhMt4FvZ1V%iXXp-led?hxSoi(n;O#5N><#-RmsTG+DgP)
z2<4zA>#tzwt|}^EfzVTT(>HW-(L?&_>+0A$JKHLWdF#Msko*FU76L*De@jtEXE7T!
zO@DEu2-?8N!P>~sM?uuy%|%b!0V;?T^i@_x8^H~nm9)_=C_!OgK_5Fc3nhMUeQ!5}
zx2lDvysMtRmY}GNpS^~HxTBYlouIWp+(S`a%+E&5$leR3>jT7KrD$X5r>U#vqobhV
z<tt#JsI4WZZltebYp*D;tR!Tmtg0pF>EIxSls6Jm76KXrSMi4{YZ+OC`J<7lC<DUU
zDaa@)sQbtu)WCaje_#m;>To-8U@CAQD@`A?l7X|Zud9<k!cSLF-_Xrd-@;cFs_Wol
z@1g3X>#Xde4I0`gimHmLI*F*M8hE+N0c(f5$qPc^THfMff+zz^PdQgL!ov;qge=8%
z{k@T{-ZBo#D3qJFwu>-7+DBg2S=hqRQbCAcO-IMk)8AXo#oyNo<u9bJEa>RrVr765
z5%m)F0uuMMcXU@0_Y%<H_mD*i+spB5>8T;DQ66^Uf?(X14mR@gP&qqa5jzVHF-2u1
zK|2q3QCmxYMK>q3wxA3cf`^ihm58pRzqp#Nmm<p5Le@jh)y_@9QyXXt+yias=;7$1
z;p?a+f&iag6t(R<-5nGKj8wdRZ52J-t<^pJwCpv6)HEFZ^pMU*n!Z9->h>!Bp1R%^
z0-_4)2tPx28GEF%gQX)FjxAc(&{Nsl^XMBHG`I)%vvD?5wQ}+C5p;LAMQH1bI}r?7
zR}eTv1$BNXzmS2el7|=E5ImmX-^4vpYL*CBS+txMzp{a{9ZCo#48GD<6ZV6udx`04
z8_8=MSr{PQ<?a0Zl^k>|ojf&NROD5}JbYE;owe0nG^|||T?8%d{Zu_=L=eJACs9=a
z!m5Km8%sq$aR;yvGFA#+e*WIhP%9rb8Mvywy%PA=(7@4B&R<PK(_P3%$KONALfv0X
zQ_h9o%a8CSTm)q+C<MHfn+sY|#ztJr*3k>xSMrgAi#h_&4!5*-g@QY95E|f?p3Vlg
za19w{Athz-5e)<ZH$;IKd6c{mO3l_w&`;eGEn?$nVXJQ`=C5JkC}!&|>gevNukGcc
zXK3qb54zUW6EHyYYl<84D+{~3sOf3Lm61rWe3rlv6wtc9Myj@YT548W;#OK#NDoJA
zK{d2D6yc}s<!a?%M{pjV4z`vy%0Axmj{ZVM^43U4em#CK2Wv|OcW+x|1p|H;cX44K
zOIy&Jj3&W<6aK(V6pnrWpFjXU9|c>e{J6&@HX<S>B4s%l9bdEMvD0;GGY2idCd6CZ
z#b&QlrH860bFy+iB8BtD7;>;(P`UriQ0t8llOToseb3rQthqurRbGE+i*rK1?Cd_=
z%*Rc93-{_a3s^1R@*glt!~1XUng1+Lo!hR%bl@je&9qJY{rzi(Hiow*SYp=)Erv_x
z9xh9{>zvPIc=j&i#>`IJSI^l9m#^R6U3q{qVv>?l_ncFGnkgZk<$fT?p(z$^q9c(O
zS6>_wSIw06bw&UNA!7<5BD_dPkVO47W@*_fjG4k=VxNVJw70R0OmCD(dhS`j%}kTx
zWwwsITz=P~^y0&3RbivCPoY>=R@%guyX{KdcWKysVw_k@40M&bjf8E{9(v&ijF=G?
zC(HyFz19{YbyR%jgXPIg`}eFICQQ-ONR>E=N8)VyQ6!qgQ52BxWI2qF)nDG?QH)NB
z>w9PAIk~1e>~mA?;9Gz}6a$PyKY@pN&`eMDt%;e$ON(JzViHPeBEpNb7ctGewl=NG
zw=_nTZ{0Jo(4PCT25Ty9DXSOS;=N0L&4rE1vtCz}dW2|YW41omWxRNA{R<m@<Ft6t
z;=`9x4d&_$c!YW;o}(q&Il(Gi<T6H`Q&%yT*Y)OZhloh<<>DnP<@pJp`R9QpuGxX*
z!HF07;*jl$yqq&CG%@?i)j!`Rdr-A9J$->TsaP51Gp<;DCV48lRV`jcrJy|v%vUb+
zXsBSkCY<i9HZfPfZ6sVB-in##Gt^(FDdO;ZqWkP>^^+QJ`MAi&LlX6C6E`rcc!j9t
zT`esio@aqJD+zaL7~%qL=nd5`>dwQS`kN#KK4Ug7Iz$u}Xs8s{Y`~`?q!>wFUewSh
z+Fx%mFGYV<&(&Oj=b9JfU+nIo&`{qBtET!ZFrrX*lJl-FSx*ID;rVs?k=EL4Qmx`X
z)8?!%fs|{nLu%M&db<x>)2}_5>0GeV+IhjCm1B9MBjJk2{NeNnY^I5?QmLN{L4U|P
z+iqc~c{VJB2GXMbGFF(rg8on_-_UGv%(sN5Ns#m(wF*&#<R(wV)H{)?M2&vRRH~+p
z)yc0>g9>m%{K+$an)2W(8+fv#R^u&oafk!NN_0(cu`JeKY~ps>0lT=@Y}}Rj4i8({
zA}xQ&7-X^YaB!)jz3thJnS&9&xpWNr9#rc1QIu~QA2nfGQ~T?ur@zB8hq5S?8!nVL
zT@CG`T1#k*8RN29WqihF7mCR8-HeINYs{kJ<InFs?C+_y-nv1b)g77GCY+cU;j4v~
zYdjsA7Cge%fyJ8|_2=CbHSPMfBuDX_`dIJ8^rcPPvA7Obt>x12%z2w@#BicerqCcP
zGNvAjOt>K2A|Kd>UFbc0|CXoJ_A5iKasA!6n=jH7m?l+1$8cIU!;5NK<#3Pc?b-E0
zlN0hRe@&1GVn(&I^rYL<c{|bbyDk!8nXY1HNV_E6s1<5;YOuo`TgUo{&9VJ{IeVC7
zMQ-omR;gNPP>*IV<~Pk~Eu)CQ?RoZBE1Tw}i~1a<64CE+jAbg<b50$PdaW+R|Kvos
z%{C(H>d7qYnczChp5NE(LO-9$>?lOZPWR=?YQ0^#ZBhS&&w5@z6f+n)_2t!;?&rZa
zGBSJCV&54)tx|W_yI2Lu^ovIZxYiI-gTb`KD#T)Uy0r4)cB_2PX_)V%H;$`Ov!Z%9
zt8)&Rzi#i^(eL%M;gc(_B`BZ@D~eSgz@-^O<vTD5<Tm8)xmYQl^a~`E#Rijox!PZ_
z7|iYgZq;TW-%#t_&DDyE=g+@WN;91$rrD{)cxPYa98-F1^5s^9<nTpe5(oq*+7o+k
z<dX72Elh-Fzw9i2F+B*;FvhO7T9ts<6K{~<dd0hmaa%CT#aPiXtjrDbmhqG9^Q<jo
zr>P{1xMX_Hw1)*_7|HV)h+9tfvEebnzR4H4{ceO#{BqR@89Ax5279+;RbBPn?mFLQ
zkI+Wm;Ckfq&6IalW#kk;y>OqU@z+oGHQ~n(b`%%J_DId<E@?eEM=9N?2I11nf4cQ^
z1finxc+_t$B`jD}INFG6?NwvNClo8Pp`$u;;$FRtayMBH0w2w=tJW@Lkm^F5^xz=I
z3-fe6>&b5;DLem`{PScvgS#%n4T}Edb={%ENf*F!7VAxRCPCL%YFFF8B4I8h!JF4N
zjGa2|$(SfpL;O`R{@+|V48_Ikt_@!yCMl&EDt9gZ$QIwam3uIE{{Y#5*B06LGgv7^
zvDK07s7z+?iL}OFy7bgv)NDBqRc1g!3G8K{z&J8sCmWf@OT(oX_uw3Tdut5KY5ce&
zG*6~c7jjBeJ@y_fI^I(_do3<l9~EUecKs=@F?RXp{lXRA`<&?ZchhIn52Y79=+*`X
zzwD(hWx0n+tQfH9GT(`53~f@h8Ngx_i75u2e%SRg7UFCoM4=LDG5?L6jrq^A?5fY1
zets)|7JA}Td(^etnR*3AVFyFyp-Dg!l%yrA+&XIY5yMxgSxYq7oPo4S3HE_#A56*G
z#|C$Aybq>>WBny3O1_@f`u)vQB<{mgvU$F>nQsNL&)r`P?kr4ja>@~fs*>o;GeT`6
z`f@a7UF$dX9z{nd>gMTD?TH(KJ_SOrr3uA+{P;y{qcke2zwsm4j?A5jRqg4alAoTM
z^(W_eww?ckhO<dqkrKY<sMLYg@Qk~{ww$k0XAcK(d0FN-N3C~vm{mY@4Ou!#hA(ux
zenz^n{EtHnf}KqO!mB}_yBHOcOi~d%Ec4hbk$ab~8YVkzCwurIK6ys^8(sBo&AO}6
zrE=yw)s1f%E0n%x`Z}24E_AfmN&^#Q8i0fy7(9V8LdZx+Dmsf;Kk)?^tjFh^BZrWE
zl%8x|i7%bo7R?GQ+e`{SuxlxbeS<2RF*~>{bdO_$R%3e$Tj^YI7PDbne<te|=&mu0
zD1CzDLNXZc3}o?pP;RoVQWCv_p_Ir8<`C%t$VkHy$1c~qt~CwVl<HwL_GgUE#A+Nc
z>1GOI5;^P7>uFgln^~FdGoOADqKyfU^t=xWcawp5kUXbs|B_CiN$g`?pPyH5UL_X&
z<NFWCc8ngB;T7i7wmy@#rNOW!UVh4=g->2k6`M?EPoR|@9pApgChO}PMRkM#<<=&K
zV^ph?&Vr{+E44EZSK7XcD-fWfAfa@ZW|~=2%(U-6h%Itvu|l(K<RNgYMVORn<PTw+
z^BZ9t!WWg)Zu72k?}j4wg_qB<T@R7=1=3rq8v-`+`jQ568Odp2NFMKS6@MoJD5J%h
ztD_YfU(OfY#<3n&!F;mcV9R$dIiPwrEhw7LlldCn*#a7Tir$3HhPQQY#->yR*i97>
z;M6%=KQeoE_q`#8-5|6>t_G(1Bbz&1vusNv3Q6(>$(X2ySZuW^s6fCiJsufXqZRk|
z;+i}I$~%JKje=DCH`W$JvC3JcCo}bCv}VzFxWLLt%M!z}57g3GNhG*mF-&f6&u(Yx
z#J^`SV?)SFV?tA4?1*v1iz^fxPm*iBt^DEL5}q#dcOwr9GCmlP=Z{rstEWkD@+|5-
zoO#!IAHY2WPU-o|xM%Ny3WbH#yn|uB(`Poy`&fbR&XZpq{}q$Tu+v@j5$3vF$M}`Y
z6dhw?Qd)eEO+Xm3cY42iDJ1_eC|u(6vJw7q1~Wl%GDDJju^v+j4xeA&&o`~rv+aJ#
zQD9stB7Q6RI*=vZNf9-!n~9^hke<`L<mVt{VmI9vccg~vURUebW0Zc7)@`Ep#>zRB
zzeD`4azDzY>P1dAe$QC{d}%2Qqi80aVeXSdMoiL4PPx~mQgRJKCdcLOJaJ{Xe3_WT
zJOKSpwgli<1Eyjd8!iq*pQw+L_;2kS72D%CA60uA@N>&DO<oJNx}n|{LD3LTW$Nf>
zr<qSeOcHoQdVbrq!;l{mbvg&P8|{kMP|;II=aaH45QSn$&;|6|e(l0>RX3Ug6UJu_
zlG&uB&NGrwl3ft<VmCFz*u_Wu4CdlJ#?M5M>m+DQzo}=c@>AwS_a~I6&OmOFEl)@w
z)SJ^1stPj_vSFX!R-6~sJOTN3x=t`4D`Lqb8I97UJO(hYk{h=UN7?T4)*;s8nT+QL
z=of!w6M)Oir1|0X4O|&M|64v#u>6Z71fdeV%EU>6)n^qdCybu-rKy^TJ~>bn-uSBt
z+t!^%O1-yfe@b^AEcIYHw2!dt1ShL^CU9%m&U3^i#{ByZuJcT$NkNiC^~7Q`KLdn{
zJm<!a8~*jVbQm0l{{09%>_((*($N%|w6oRY2_89w_(Wz9Zp-3{^UGL8&OT#ykJHsn
z<B8XRBKU`Hd~LD$dINPDKk!xXbs`BF-fWTGN#+k)CkoYo%(TZpi;KIcc_=!%cDR)3
zTmAaIDD#ICA7sUUOF~MhloHJ^>9cIKkR}_Bf`R)u&E?P^;TL8q4LjUz^s+B{(EY<<
z(X$`Zk4Y!w1$l5l4r&lAZ$oIW+cTaff4Pv})fk1+vp_EiPvz&K6dPfzyO*?voEKH=
zd_eY5HKdmj>d5Yy2c}n$lHq#P@S)D+Xc^wN36>7i^4OAXlmaFfR1vXE1+I!$+60eq
zJQH_lXZKb(`C-^W@x$TEq0h-E_pCm2vbxgRe?7QfJ@;l^z#ML3vdkFL^m415&e*wt
za#E}mF7R8R_>+hcF&~3$o_<k664dTN=IMszv|h$ofEONC6Q#pur&Z@gh-vn)yS^_*
z+TWNRjZ2#84TN(a>F=G_=hAX--;%t?nk<ZxX~XLw6D3^w{z0u%+>>f;fB#!v-&jKm
z)QXvZgcTS?QvVjru8d;YQ-)>Gto;ypXVFAzSmB(+@d7{+`l9XI74IaFtD<bp3S=ME
zfjn+I*?Q&@ZEw`R^N5Q)(iF|pVKv$2=NQOvj>enc*AH@9hv|ro!HQNC3+DW{l_iEk
zh9&D^WyOq_pY^&aB)U*OEC5rg81I~g1NogvR%koYBFcDaJ-gi=$ui6eYuG`~(Eqtl
zpe;!$GZZviC#){)$u6t|{kX)m(K7y$&XgUfhGEmqOGm2l`U06$hnvVU^<D<EogIlY
z4b#R*d&i_1kWxVUlYHW%W}Rdt-Rt4>Tc`21-ovECc3>*qRnWXA;L7Vro5lRssHAlu
zi{$~=Zh1d#{JPV0EusV0L}L{|vJ9R*;?{YV7hG%WLgS*3q$EHM#uV}55l}Q~pkSXK
z1cRsJ%75n{>+J{dIh?C`i)@GwINgcobSAuD^nNEe7>|Z!31$;bCro|)j!{Uj+l$BN
z@Idpoo#qThk32&dm-IY^e#B3zVsp>{D*&xB0Xn`;s&%~gIaX<S<2#_!LNxSyx}d>e
zciFLSlj(ysF1$R#at8|<1cOW}P`HVibD4q1%AW*Q%eGH7EW`mUmjkEB2EjUtQtZZ#
zm#q*qFcGLwYzzhs@Xei*p5WR+ue5vI01AS0XHF6s@mEM#@K+t@d415p{B}>x(bkj6
z1T?6!bdC<eg9f<Br1vx6nkf2o{kVZGh{w-0p;VAJ04%-99qKIt4Y24`6w9Pp=*EV(
zVWn$I-R6Mt`mYwoj^;@EEa%};t$Kfy-^ORfnE_+B_?;c!ZQiHtRMOJM;Mo-g>HLgm
zDEER!0~1_<lDl<3DgdFBA{6+sw)xK)HfxjbV_&>@;h;HI>ywx+8?K_I70V#6eG)?E
zs{rJeq*qEwahh^ZvQIU^G8%}3L0>_hh&X^`wmXF@T4Md-bZ3(G-saK`g06hHe+FS>
z^rG(Y0N0E~C@aTMu_!3@q)M_~zy3ZIewhY@8xF9lHY0}bX2Gnw=;i#n!Prt(iD`iU
z5(jSee5)*lq;(kX5%mp~Z1ogYUfz}E?#0qWunE4LxMS|sB`g@Q<vdl2kpdDA(FL94
zvC^F)UIN-XU?>=?2xP|K!rcLHya$=U9M+Eptk!Ea1nzR5z;~zI&O$8>tPk6zwOuj~
zye>KsSayod-~x!lY(N!NQvIk}f$H^q4wWV&hQq?iAY@hYcNV^62|5q)S5MwOWBnoQ
zv{vz*_rFypD&5kk_WDm8kl|eyxKYfL3_#EU{_<G|R6y&q2lIu1xnsiImmd&8j6gKm
zt+f9PKfp~Kwx41QWEwQb)F+^{E`t8Gfq=UkG|MZ&u*X;U^2(&a0ueLIf~nC$z_vq#
zVRA4V$ymMGfU{noZfll3*!dH^z<LzKT3;o}2WDq%*QUe(tSjJM3HKRdu!l1!fq$!X
z<HK#QChq>8L*Vx|gK`>UsiYg#!6;K|A|j=&fr_<`4s|F3@i7V~XE9G&g!aG=M}6bd
zYU(gMYu~@*>GQS4u!M)}cYXo!>@@fx^<w8E=`HYsC`uAI@b=<z;EOKEqHxgSS**WW
z8u|X>m*7n#P@d#O`JZG=uX2gf&A&ElBou+UHMqi_h_V3BknvFje3j7%Jpc5V&qRE7
zTCkCpmX>v62=SL%A2*QGh>n`kq6WGLB(WOGUP{tK(7iz|TI+J4dybmTvP7W<WLIIq
zCe2aTxMUxk6?mgvw61N3tImYc?sbNSV8G)JeoAr;0%I?7bIVbs27_mhd<7yQKhM*I
z1lzE{O=JwSy!B|6$CpwY1laC~N|MqO++GZr7K^48BgrzsbuM+xGZ0+ot4G|##Ehp&
zP8~d^;cDOcHTB2Hs;a~oIf``v=2ig%jg$Dz{1gl@E#pKeC6Lj1D)7aV5P$oLOyy@0
z*&B&G#(Hnml5I(X32G~y545!;)|P>!6DWU|aY+^u3|h)XqC=taK4fXIC~>wcxdZGr
zBM^IxzLTNO`Z1zz<7E_^+Q==p|B5Zq=|pTSAt3~3lYP5!pX?>@u5&p6&w{bY0(3XZ
z^s0NE;@T~p*k{kw66vq5oW{Qy9-;*MVW6pAzD%#uz$#%=HDZ9*3GTWA7bjzSn%np}
zLorJ+nnBRw1IbtTA2;@p2*M7=$euoQHuN$8pjHpNbXG2c7*OV>a~vs;;}R7auqO((
zkJ}9(NZ<}AiT=VKViHyGLp68_9Yg^9vV}4^cN91SAG?Vhu=n_bD=fk2qwB??%#=W=
zj4BUTgZL=b=3%~Tuec40rEhu9PX;Iw9U+iL92oKH_H&vVBv^okR85bFlgy{_oXgSI
zZtFEi(6MAFMze3URN1M9AH}F{u)HZAc6ubGz-qh#0d8P=*~@r!s~^K_T#@fQRzqWT
z3^p1sfzHj}CCS$Sn6z5@K+|>kWM|lcS5xq-b`I?~?g_9h9xH{T*6vE64W-0a=BJTB
z>P;s?Z+36k(QNfUeK|AN3qP7X7N{|Pz++&E6sRM8ja+0Dxi$I?thTtvFj#Tq)AUjN
zn0y7aTqf|10@E3S4<dzFyj&2a-V*QVxqb{?k0YzG9q6fhEM0_$q%Y~<{k6Q8L07Qk
z2kBC3FN9(^b>D`4>nvTJ`tgICzGGRs(?O4O|7Y>JiOyw);Nr-cD^}u(iyqu_Pi9O?
z%#8Ern!YS!Wbco6pG&C4E_2>9JK){09D)#&97pA9-8-#$zpXz-*s-y(eJVh_I*zH*
zOzaTTRT?_c&|XGrXLgy!OfUh~i^;qCOzv+mozDecABcO;YbZs4NY%2TiUEoH)))EX
zA>swJcsmK_l1RNqiWUv-!OI=hI;%;1->}4V+uNntQBF^AzlGu0@^Jo)>y*H<V2*Io
zwHoQQd;5J^c-s${YR?(#jszaFY>S{H(S=Bp60a=Gg-A=ofM9|p)0w+SO8xyYIcqSR
z_KOR>>Gy2&(y#ur!biY1LOK&TL#3Ia9#Kfr{e#9IWw(F#3<pnKW#$H%wLiLc0Psdn
zdPqnx&<VUhT>iyr>q~pG_c7gDP6Mj#N1&eA7??-Jx}X?@3am7XrPU4C>F1~MhJ<Fg
z1tp7uqfr9$y!`JY{BRndbRUCSg>8f0bpF*F@DKoC-h^m^-ZFkz*}=%<F6`ZFI=p-G
z3>iLHOv8ZX2o{m0r`;nW#)I~In_-WIs2{R#I8|Kyr=x#hAekI1Fs_G@Df{5MtzBuz
zb<}|z@XOH((Lq$jiXiwzb7lAw^f}$O^f<j)3}BQS7vDV=${4T?%p&OZXJCzyW46b0
zq6B&myCS(I-$;mql7$hA*TFUXMVr>Kt?Gf#1$Aemq~(CH9}W$*A%QGmsO0ivv?&Dc
z+iwhA0=R+<zf~ppHXK|T9N7{7i+F)S^|=f@KC<r5z`8R&TbYwA1J5=x)t<v}0XXlR
zB<_<(%Xo~3|6dh^v{?G#e96?8j6<a){;B$>+Os{0`fqjK-mDzg(KQ<LNi^{=6o2&O
z$(d?K`YPE;Y`}KM-NQh3#=ugohJAFwGR)WDZov3!&7kVHa6b^5d|K`b<;C_E8Oq*N
zJXY%?74Fq;EbL{hGom4VmbT0)$>6{v?#ViTT1NK`iF(Q{9=C3P^S%0=8mf&loWxLR
z%-NtVkLtC%uirG=W?+DDubw;JKm7&#M37k$=5zRz5s~=MCjyjHKaM7;XBLw0Y_)6(
zdM_K7T7MdBHk_oJB1KHyb`#dWZ0vC3X=*C37i}PSv=mfTD|(;D29X$d>cuEW`CHwX
z%sRj6>0IsgrXKp4CZt|_dq3>*=7f*WwIu%6(HHrQ3~D#$O(@gN=T<b5X@N5Ee3Pa+
z_JI)MS~%v;f^p@~I1$rlHvN@OS+Y+8X8P0XBSTtSf*{5RqZ}083oLnq``i?j4af)E
zKiTEUX~f*Fw;*3WeFU9IY-lov248(HBxuOs|EdH>yL{(USn#P|N#Cx4NBL|#;yeP|
zjef+nve;X<^SifhMElAX76oQ?UW2Lfa_Kkk-q)5Hf}{mD7%f%?n(*>rN;=avUh6ch
zuXDF3;cz+LKX1d|G~h#poDB5Y>tAx8JTrYJKpngCchgdNw1JR2a{p;(hOX_=tmbb^
z33hLp2k4&k3;1wG>(`gkx!k;`Vm{w5BprSiG~E0d-Awo6%Ah&Rxy6B4bQgW=r%R^K
z9kTl*XUzkDXQ&3vo!DLOSY@-p@lGv!b<r2av-^y(chQeuKe>Lxre+nOD(g)OSckC}
zEnQ-U+dj*uD(iax{=6)!CjnXAU7|`WCe?z=^!xlxGDsL_o8&E<Tj)DobK|7xv-Y2N
z#iyjU9js2ZV_|r>0`eu#;^T)k<!_aHx(l+<n@inMeqzFEvq4ot_n!ERS(ZKUxtus~
ziN}Qh>n_V?=Sq?69kq75?xm*8{ZCn?_z`H(xaHLQ=uNkR>wMc7E#8_n2x70W@Jep~
z&UMX-djT+Z?ePO?v$R`Ct>{c;pi<9Ht<-+qiBUF<SzF1Z`m&Ka0xkHxu>cix?~|jG
z@Q;=FrGcP}*_V3|tY~@pZAEtNyLc`>KE`z{iVT1K(NN<mSXnG1asKgsvXdN0{9ez-
zU|o7?XK+vsRsKDgQ}CW{>il-B#~Eo`#&UcPv1A0U>D~m<E4bmr_o9v=Wv^0`Lh>AK
zg>4w0eQtPf?wy<umU?LwT`MtE_!>K3$`svntb6*t=U6{YWFzBF9Ji(_ZJn^zTT}hE
z9ewj4tU5!0ZB;(rM*9uh+wyvmWx6SHaxMwkYtV_J5vJ{m)$5914ia*$NM8;{Yv9sw
zL771mBufdAONc@fad~_d<<8A#3s$GvcIbYe8|nNIcxS}4c3Y+PMrvXf7gl_=g}Bxc
z`rGQ!+vr}#mCqly8UT*L70z&9KJswP7mIIixb3(+kytY@XQ{HKZS32=7I0RmyImw-
z-#B&kS25KC>I*+?=2j#HUDrp}_ulzwWopPwbynT#xVEF3TBdPp^NO>H41b-Qes%po
zWGt7Rx~APB))@ChLfBsQP0s}l80`kb`eUk{eqG|l)4zGH3_kmC^321%6?}9;$5Vl4
zk<i0AEQ_heF&9AUVfWkKB8k4HbN&8|P7|GCP5Zb3m*!!w&9p(69W^7VZ;ElqVnkrz
z%N*&q!OI#HO3v<zJX2qG8>!bbew{^;<>sBQ*`&7!bDkNf|9axftogQ5wIEwlu&}uh
ziWH80tB+?AnoerT+^zR%O@c10&qZM)MiixRi?^#+-)B$1B~P^W(}ho>?|We)N^3<>
z&f$BMd$Om0)vtnZ-2fvYIyw+0eg;8@1*6c1liziA*GEvzGhZhTcAijmW=GRM|1Rae
z*(ge5rWlpxAkmNc@UTJawQtPX_&g$*=Lc0k^t>2L2$CV*Iqdi3n&iPJsphQlx!{DL
zUy%|}>z5u0=J=bGRds>iTevb^Dy`cR<MiKP1(g;DY6O~SNE~0%m>0xsjp67k&!`6G
z7I{1Ne;jIV?@jB!cP<{W`o5@@>)D*`!um)8EX$>GE|L)ep=f{7{B`=frSHZ(tbNCV
zbxrd<uHwZYed4b?BGVe{N6zM5mt9icr<;$Nea6nQG)K$5Pn#^;ftp|AE=V3v`5u6B
zz}9@3y6>SKVJrl(`uJJ|IuI5NRdJqj0%5vnr02(RD&lOYk}T%3c59?=VXQtW%w;r#
zao-T@Q6_|$rW<Z>s;oO4=xCPwnG^)se(!eRRU0Ve^l~(Cs+{gaWla%oxbRx(xfh`x
z_hbXmiNU8PR#W<;&wU>KS_I(nrj`7iddKAa6=nU+b64<hxXm|Hepx9EMs0Vz>B1;1
z)2YMy`zaTl59z<obs*`3VQ%^;n#L2`V{8-^&aAqex?-!GA@+NP>}Ss75wi{Ko36RR
zX6F{eZ=n1zMWGpyjA7kD^_hFWUh5_{tbZ-S+KFvhY9`Y;!Lf8~6~72u$-$p?zsRce
zn0R>92$_uEb3KGpFS@0w-Pz<UkQ@0@Y$4m0a{ITBMJ@XM#VD|mCmW*KJF)7npZG=}
zyRxWyV)r#$8e;0aWMo-W(%2Fskru^fKwXb}lEC4FprbT$;g=HE>GP;XK|h+n+ZFcK
zqgS4eY5(ZwIZ?p4YA3P5R|ai-ueQ6tB<$(*RdM<S7vD1<_Oppxyj*q*Ne48mYH`Mn
z`(Cy1J1dPgbKe_&GF|CWI<K(F^wH(E5B+tMF-J<@r<Q95rniJd87eOAJ7VpZ&W0UK
zHdyN&io)^}*(tVS;V0KS>K^f_WIaxNIksGn!Ehcf_T6skXIbnp=%;N@KH6e|h=spS
zL<A|M-uYQMk?Ay8SZduCtLn5mUSE5buyu?T#6ZfIXjR{Xt$U<&W;(2_EPFB44V8um
zCQpd+Uw*z%Xr}X}X@}x+pe2&0BFH<Kcb4~7Bym|@tLd+K2PqD6a0jco#)y>y{SjYn
z>A-y$(1<koL(A{hQ*T4_rLYGLx+|;u`5q#-iwoitx9x;6lN`G~<LGCd{w_)h$az@h
zioIl$qZ~VZ9wYI=w=!fx!M@)3%gu&g3M8AF?=f=N8>}2|3{yRy2k6M~!}aIjU0(BR
zR0|t@cc!{dg&H&UVJRAdEUgb2nxmCMPsugEt<V?<JJ5g!t_A?DU!@=>qI8dMOqC4C
z^qT8l2WRhu#7U&PdAXymc<_Ez9d4!eOOZKD86>qpZt991{$85N&$surxFKZr9CvKy
z_0Q<oP0n%e7%&9cKL7Qt-s^-p|6PCGZ@>8>DLQ6G5sR{>j)i6z(K<KL>V-Y0h{J=k
zH#Y1l3cAxL$a{)k#B?=t8brU~N9@(Dz4(=ZT>DA?dB6cAAlD%j0cV4QKP13>+E1A7
zU8ca}?tGg+>jryh<1%bWy;pGS0$ocP2!1^k3HPs0Du;p`3cW=GfPjKl&1b9UUq9(C
z)W%28DL-RxV~Lhv_8CJZ{t7Cw{3Nl^_!^{e=!o-Vu}1Q1P1}8Gy7Mdj)m?sxJ9*(b
zxf(gC(lD!0rYYi}nBcp7!iPQUd^W$n@X6IDAcOh}NPkZRYPwc!y)A}ggzWbEC07?^
zLgvh<EM^tMm3lUe7yMiqMY5Nl+J#3_quTa2^hs^~jXzZ5u8MgZFf57>`OcfKMGJ$~
zQlF<7%_xd$+kIvx#K20o*0n72xFkQamvLbNy(KFx2cRk`8Pg<fsBHLox={16mZI)O
zQ5XM%ui2H(!^|$<-o?Q0legt)W@K7^dhBY*fMN~_IYY8chIbqe*t+(#yFQ#Q6j_f6
zo~?S{%(ZzJ=Ei4aS(m`uCy9^Ye+ymb+{qi<$_=kL7qH^tS7@v_B^+YAx<D~%%-AN0
z4}~_zgdH>n&7`j^=#QN9^}Flw#$Rrox;bbQ?MKQGxIN>uG(C#=QMQQG)0dYU*>;Cx
z*0S~&-#_~KLi8yEUa>ulZq=r08dm(kU_fC$dfH6{$Fz0`R_pvpLWZcZ2DOxFSZ3Qi
zj0dmExmsDHTDJ%jP$XF<$3IrQ52Y#Ay(6(5w7wXy$-8Hpl1jC?SDl}#l}1xmBNWj3
zysf#x>J%*gyKYEm&|TTNucqJHdhKdjbH8TyJdi3wu441l)uvR!Eal0Q{GXby)q&Ye
z<`I|r-wIkAISKK)`9w)l_FDJ*@6`Y$+O*FfH0M#4;YfHh^owZD25ZX*1yNkpFTVn_
zt|MLld7AHXk4x(cwXePTi0$^nMZat_Sylmo#7@7U=W$rEsl$m#l#5}1*9<;AN~vMH
z9yr<Ua3UhIDup|rU(0`~^01mpJpidCM5@GLKr0nEM3iRIgP<P-qm(z-^s}$5%IY(2
z@>iy&jJyoWuBl<fI!#asZvLc*U_7bA&uzMX_jf|W_e!4T+Y7&Em4)EOWe-qnJCe(W
z^`(3}>+6l$hy9a_?=dd5Y>0-;IzfEAj8^49<eVg*%_n`Qh>qX=6tq^Pn}V~tJtP{H
zrsuA1zBzkU{8!x#>?v}JanV?i2`Z+a@XJ%Z{8?Y+B46x#`6L32IvreKE|h8;CAukc
zFCltUV0mf6NY-rrYrn5C+_vY%?h+Q4x&5@Hnf_AuxjCTC-ATdag^m5!PMv?Ff*)~g
zMHC@L_i_uPT2r|6A7r)Eh`_N)EYU8Mt>A#J$0C#n;!5?L-{P*s-h76jeJ|5gXb_-x
z4V75geE)FYbA4LbY<Mm~LF)#Dm$n$X!If|ggC8VYUJP1)zddlOwJ%8*rCdW^BC1!d
z@<8INylb9c{d9Yhwhj@_yT3Aa|A#NjD5*Km9f{x8TM)nLh4kioKlacVrEj8c_F-0=
zV^P>G0=#JNaO-Rp^4<c-u1*S-`irwVy+?`{fIDa^$E#VLO4gh_vOc=)PWW~yUqcLz
zA+X(7<GXfrd3<X0I}uk4vhnS;7$KIciWm0c)rvb#sIA0FAti3=>)zzE>(1<;fVss5
z^EJ4dbQkgJGm2(bUTi(YR@TZbI?Ph)!G1)fiXlj&ldSVigBAzgvY%V(7c_HvPMLOx
z#Cdb7v5q3)N{^04y(VlnN0{VLj8ZM-`vaiD%#bA$F;tw;TMXh&N0f~Vz%PmnBTRp?
zD@4SX&YWeCFi6E5__3@d-qeKeZ7i_l=H|{7Jk;N+u4;>m3YmqV!-LBMY1ES?M@PsW
z&ppuD#OqHKJ!?s&b0xv$OD%S;=Qa6v%*^mf)jlF04hqNeTHWYs^Ms)mDsO2QnPDzn
zy`{^ftIw1(nbtqoP`lJRA1WEi$aNRCxE{2b(O9fM-tIj(yFGp#?9MFeR`|a3x;4vp
zWh~ate~8dmBurjI_dRAj91+QNtuLB+I4G`uk1BgX5+ztCB2bLXL_Gj(vB3ARzEREE
z7asS+_tM$(klaok`J}w7qFzF!kwquPzOF89mHCpGuu+oXFPW@i58uD(-h&<NOuasM
z2@>6P&2Ftvua^Qs0-aP~)y85!!gIRy`&(f`$eQP&e9{ZnL;ri=^iC4#gBn-^>T4}D
zY^^ERLE*X1s*X8fFG@ke>70jaF&27z!)GG6Y+AW9h~bUD<KZG>a6;uQx8V30MzYt0
z%*INA&y#mGtA*T6rgtXV$}Y8kiJ!QfxSl88A5VI11*`9<o98)Be+qIkC#c_M-%T}*
zuR|}G<pwe(HrXwoImJj=pgRy#iN2SE>&`fhcPtD#b)K$B`sLwwEh{P1tVvhK3Q}MH
zI_pf=enqj8WEVq$<9;*@r*eQ_;54iae&(?mx<}&wCYZl^ZY#OREc9uARZJh9@;pUD
zKTEaZjfIKdF=drWVy5)z6U&+{XfhIzR1?1nf*%hgw6|!ni?ff<u=JzvkU2Q*u^F%P
z)5_IitK^Qp1<p)PLcWIuU*ZnGK(!V|WVa{zS%KCf8+bN#(`E%CVy=^rbgcj8qM%*(
zRSxrm{TtWwI`I9&hjdWe*3oLOEcqw2dI^mNAbfcNkkLaylu(of67C%p8gc3%2&B}=
z@PLGSO5?`D*DSy#@SIEWxl**uW%O>|FF8#r$OvTZXYOAzd#ahCpd8I0DGd(ZNVo}S
zJ_>EpWCq~Gv@#+#w2p94>S$+p2{KN-GyM#i8I0c>esDm2L%p@EN6M-0i`)LrujVEE
z|Ly3Af;=-bQz=icfRI=%z4IQDt5@*NFHgdKGDKpdSGHLe--pL<F82R^MS=in?QD=l
zQg4IuK@7nmhWIT?vg^S5C_%oi^3U<i-quep7R9JIUelV^hg2-A91ECLBR$5=LI+e4
z*8eTGX4QP`yhf>Yv%X@rO+nuyBEW>D+}m6}qq}Pi@{g+rW&YGaMAS;ocZne1$ef3Y
zWp1IDZvxtY$jTt*$D<pW;M{Y4djdmmw~YhGkBg6qHkq)1u$LC}Dc(Oa%|B=2Te*|X
zY-dulPaw!chPs0t-}lEQl8`Mh-k+kjq>12aIxgL=*cc8m588~E*c!4@2<cgd-f1LS
z7^|(EZu{MX136qN2@L~5hzQ6px=7n7k-P?n7mBA_SH{8VMgX=YpOTo5e0jL6r792u
zRHxbSkXin*(o}Qg%=d6c5#FEC(a}A{&T#CdXvjdA^fDMkiKv|d2^^^4|GW<k3x1~I
z{6P9FXesc~meU7FWo%gVEzmYX;xBXvjM~brJAy0><Tt}F{0Nu;H-a!^M8|2o|LZx;
z_har$<$dhb;i}Ah^z*1|RK;o_%S+F5B0wHUKVH4`{85^bjEx_)s6!{_{wk+3@SWR)
zRNw4e5OSU(IpP{+u_^e?Z2{^ka9!OxuXW6$4`a~)2@L?1sWvf9=Kx2<J#&~gbO=b$
zYO0f)mlm8GRr$q%J=LF#pT(J+GW@mMXo*^LvG0HiA|iU5=}s-MF|;MSJK_5CT4wO^
zXuz>T1<V%)B{VD)`ad7#lNtZRV{vvwOE;o{{r&u?I!U;W+*ZOL<r*m;N!!}tKr$bW
zVg0gvFQgu*TtE=r*a?WsHyG>osE(8^7f9DW88&fb=Ifc8DgRXCV_<|E6ii4hdCB$a
z<I4dCzN&9ibP}8`&a=(t7<_r>OL3_6iMxEb8yn%%mM2Io0nZ^?T%5W_4X{+)q*7-q
zN^_4H8<Y=oL&y)GF^qAdMuIMV^&@clN`YE=h5d`vk_1RC{++X0)B<U!Q3Fc{J*I({
z$JCg?6STpGTuVX$8{yb%72lJS##rKh7GV!Kf$c(tO>kR3BL{KUjE&3+?ZL6@eFDP;
zr1cqD?B9445g0C&K03$pk2ynNxI|t(X1KK04^tD@0_#S%2^JFQA*l{*XO8pm&;DV!
zB=ovnc-}?%FdZcS9}KC^5KfnG;}rUjC0qRu!v*Y1Tf6?3KB<oxE=?Eq)QHMXLj-_^
zv|N6<FbcS7KIT0+|0K9B9Wz{5wr!Cl%b?i^Pv=e{fsE2{pZh4+3eFji87}Oh!)J+4
zfhnAS1<fK%X=U+J|M8i_^nYQvJo*pAg<y}A{~utu>~0R4+kDAXF7^FoIb7wDp_6Z*
zc}2*cX{-kI3^3KJeLM)dYXtmWxhut|T^-<jzBZRR{|2`EThAFplI}A(jfYz!ZXHw6
zFkZlefEB$ewdrUFd&KDm+{!a>c0YIK4FoV%<A8V3{%I}10M3j8GGn-#j!y-NAOmOe
zjVslSDx5j!MVy~zr~0e-Z!L4MArj(DYteKThck)h30y^WT7=|LJePh&1Catq_L~!&
z@mMfz(J}i$3Jfa9Uxp2Y`TCGs9WZbfs;sV_5Y8BEpb*W#1AL^N&#l0nVh_JV00IbP
zoG+Db=G|Lf8rMTYvcQiK;&f+;5kPel_yr#(f}miw!s{g4Xbb@d^zjUm{;grBsja`g
zbNEtdTKk(e2Z8~np9NAF&Cw9Q_32-<kUU_z1X@hgI#e8z1fq#J|G&p-5a7yeyJAIL
zzJWONMQ2g2(FQy<Q8>ag2n6(P`D8=ue-7tJEO}makLTfbptW@{9-gkM3zJ=<6VvMl
z2BHskDc6pfl7%2L)xI^oxI|!5pGM6BlDX2!3fD2mmu-Y}%7at8*TmeV3H%Mf_laBV
z&+CYwgHEq^@I`xH*^&iTEC~1)UU&W{ass8+oskL`LU}|I4AYSL=1uCD6y{+6OTHnL
zWhaqCn|)f$nGgv77qXZXwHRtKj%q9X96dV>zwy;C5BsZ`J~A68YTqmUV`?hsO_L`8
zey+fsjeUrSmfitJlWSc=O?E&mX~HjOm?tek6^3HeRgNAhTs}cJ3GAosF`u+w-=t8m
zL)<Es5AafAQf~YF;fMxouf#rmI{AY}`xe060J9Aiu=L#v0q3?EME^z>X^e&)+$0>`
z6L1@-YnTE03oF_HbqAM=mOGL~i#n4<k>FT=I$=ih2A~cR_%V0cHD9j+)o5@MKXd+=
z+!hj|4f&dl6omu<NzIfGno*-D4y)592lpZwVdK6iM#9FskrPZ$H#Xv42ntMViJPu1
z16-p;5^Szd%7nhZcdFxe56sPEpon20v0oAw`jhnB73<N79zq#SF(7BS#j{Q^-AMuK
zdkdkko&&BKkv4{8z8WD=JcBbQ0{*{h5eH?rB!02s@Z=d<rE<r9OG9QapzSR{Ng3Su
zJG=lyo``qJm^T2*YL(k%0=!aWh`;~g+V`eN#1;r}P9}>*spIBV?iN!Ect*^A2{0W+
z5!cb1_5Pc&1Pa^AXmun<Ki26lS!TeO?9S3aK?cYDAh596gmn~2wQ&MW#lafMi`n-8
zA`j=)H~}GhPNVU?!EK^J5WPIa?E^LgPjYa3PcCwJqUqsSLyHQ)Jz56hzRE~84<gfG
z(G8tUz!)?yd!TV1sN6*{ui1!vvw9<TWGXizkvASNe5X1OT`I@e0lJ9;Xf$p6DGZKL
z(h~uv4#(hDI)VW7NbPQI14KAB2<1EiddI{}F32!pw<7f~oBa!gI>Fs8@e&$H34u(b
zm0WE?Ak)~4+&m`JTm|H%+acX?$H%;Prjicsouar>^l`B_{Y3Xsm<|b<1J6%&6FB1y
z0{O&!wT$T@ayid8=J$g(r<Vn+np*)!@HD=}g|6(FZY>K07(SUq8|qAu1p}FZ?;Dud
za^7KnYC=6~NiX8)^Z+<R0QiDF+tMxw0%hyCqEKCOiQntZ;b<{qj%Rxu$IF@MppNHM
zM~7Eefz!B6(({hY{Y{z`QE2PQ(ldZP5hP4+x62}Ghdjc6?u5NpN>GNQ+Zp#a6C-#V
z6fK!G?Oxd#TquWlha0gJpw9h)l_7axaD|SSKJ5{h(9aagI$KZPmBl6jzRf{v0RSU^
zI~*lcXZRfEj3<LhxoySk8s2;bKb(xx?Usr(KY6H;#;*24DV|do?qWN<?cw2(5NU&E
znib-rIY19RaI-~IICrVsKLTJ)d=>3Yd`_F|w|p@DYNXixl;Ni2pCHLa3OvYVCg}az
zlMm`{A@w?a^#J8<w4U;<;xS@zrk(dMYOOjQ7Mz?!#}HZ!#%|$JQo?u=Vz<`<xJ-*_
zAo+RU+8%J$RC_kEv$MnV+ZN9~|LXV|)7(TmVt-QX!E2gMe~k0bGF_G_r!==tXKgdK
zjgdhG1qCK%z(tgEUY@=Y>a_~UL<b%5TsMp>oPSYMI}!Gie>fUp0ej+Pl)ZpTRb-CL
zQG$l%r;amn?*HBZq%dVb3i~6}V^A*5<P5qTvR<AP4ef+u8l@%s`0~~OYX*CbBmWrN
z0@XP2Z)PHmPKW92%sFFiyE2bSIR68&1XNI@=@OcyMP2-d+JRMnoXB-0FvF~o43t#b
zgAyw&Zy~#fsUi;&^IF%1N98pci8nPFNT<^t^v@guB5JRTVc)%@?FE?uZ?T68L#~Ef
z(nq%Gia=*l5RcYQ{wYC8>tovpN478oUwFv6aVnhPkN~U1yRlgBuUG=P*N%z<Vp)7N
z8M%tRNj9j&P=RUAgz^CMv;>VuQIOAJ!Pf?5)&4OkQ;6}beyr9YD`EwbI3j#<3X~09
zhO|%|vfsvBQJtq~ickx>2|}yIS3|*L4i0NE9_FK*er7c`kgW<O#w?A7H(G|W)atjt
z#~#SeR}RI0mjIz-+d$S3xSBu9F~nYs%Ug;4t$O!jb!NGX7e7C6V3&rlehDulU~2QC
z$mWD#;2LlxOZjw1tISL#R^<_Ub!;y^F8}4#wv}ZdBib{|MxqAmaZXDAho}5ojY-8n
zPbn>pkITOu-s_ec!GkAE#%j<IdOR7<Vh1Cc>gfSLiT5xqX;4JKOuRXL(8cuvaephE
z3{RUR81WBJ_ecSaNzj2`<kl}W$dH?OSMp3jZ-U8Ci`7lBC`+!TnCQ3>r%zm^Gv57g
zjP8eW(qn^%M|D6k%iVxo2@31FL51ron_8B}C-t!4C#rPK|HQT<-@pUOj{X@lVV9Ud
zzL|(Hfx8;d-q9eTY&B!TZ+Hy9%ZxG^aI6Jo-8VM88bNvnu==J>9Ep&U3@L5;BTc8c
z^dje1vA?y2+(4`@>6zDz>`cBDN&Taj2vR#rk~+ew87Uf49IqM=q565*7^=}e@Z5e|
zCjv0&lgKgy@eeN+d^2B<cafW)Ba>kQz!VloIq^?P?A#gWBy(lnoSiCGn!NL%vyU1~
zE~}2atIdO%ps>x(ZblVzmcCJE1tf=Ri|lkFj+7rD;Zu8At}m|JxL%$K6wnC?i6*HC
z8q{9bw|A0g<XZy;HS<Jwa=!!E+9YZPO3416hfALZTk^kUbd!3PQDh{R*WInRRfd1#
zlIgnF^ZY<S=(RgP2;#Hp$Sv|?Hx_<UOBBn33%<-f<EW0Ry6{G^7Ew%m%mrv<gn-IO
zCix;n!hYgtn#Friak`PFs{phonlfta=*dLHRGP?jq$)R$Jm1p8QxLMDo5ic!9G=TV
zTV=>)iqyxwZY&bAwSbbhdcaT$F#MkZyQ@!r{0_7Jw|dAqatm8fCg#38>94$7Qx<nP
z*h8pxo-2s!UHv{=_HG_Tz0dT5kfUYUF$PX-b+X4Q%cP5Aam5m2RqRi~eMu>?z#JV1
z*Z1jJTWgqf03bXA`s%+IePojy?7c3_%>J1W8~-eYGt`f2Ewix@b&riVH_XJq37)XT
zvJp_a$=!a8xsKK*_|i~CRn&BwPxZyT-r?1YfVzSp*>Zisq!_)=ZgYjZ2Q2}|vW=eo
zp$o#N{_T#MBN2gmM}qpoV0CKb33b|pI^cn?p!zZO0>SvNe%mZD8C`=aD{-sOZ|nFN
zs;UwI#*D4tk*wCLLi~#-wxU<!;92xk`;y~M33h2A<ol;8`C`BLU|ufV!*!=5LGfFg
zcVi?$MtxhF+VEIR_H3{29!9Z6vSNNESNECcb!$Y>lYn~R+yK2c`OQm7<ok|lpv2cZ
z;mS3jh_@AbJ|20+Neg0B?%}^xT}$*&G}YTW=$-yARoB<~7AR8Vd);&?F1I`b5gAz#
zFMkX>*ddF#2Q6p}$0f7PcdWE;GnIAYLPN|TE$0gpvB7@I7Z81&TO4>pUA6hayfmGR
ze<8C!?$TF%a<W;u^xw+WB`c+9!=!~ExZpJA08AP;n`6{7IL&Q&p^JZ6j!yv8;7hSh
zIi5mhNKFr>XVJ`aeT`9T`Aayf`J->@2~DG9V!VHh1J`2RW;m(EVHT9RfZK+0z3g4}
zz0DzgOw&CU{|o8GSs&}w7oi}e2ykc>-Uk-FQqES&0BV$#Mrw_=+=7h3zdzvm^mZ!|
z7z$(g<-g?DQZSs3F&meo;k?QVshK`(L}su_UDqTx>ysu=s6qU=;JIYPi@FZVi}n_#
zJniQ&)4frjJZCoqI0Dt8AM(xg<Ws^iIzKJ!ih#w}k6R2JlcR5)xvFf)8ZJ`LrdScg
zx{DZy5B%h$GH%(=s<`s{R-&2<0pEhaw_m?aFJ3x_P#!B+U5~FeCfD=T0AA~&=Y+fH
z-wK}w0OW9Q$GDIGKZOvDM$ryJ&G4oJCiteq?L<Vk#3dEW_gri~4G32KFQ1yzs68*m
zgk9Zb<-LBXh^X&f^Z_TA=@(?$)34c4tqW7Qnd#5iX}ND{p8Kt~;%NJOzveQvP^=3-
z9>ijur;5$qUn*qzQ<SqE4<w}j)3)Sz!7hYa;Raeu>Yb){4$`Kl(<43CTSYWsXJ1Ms
zaV}~(#CRv>%V7o0jW>{L(Z-lBhS-xMdYUgi5GwHQeT7#&NktLU+y<JSm#P&mJkgE+
z2%tvt?r7*~yg-I6vnU}gJ0$FQjMhmgAL`thYz!3y$>XWC13XUg)>)hbpxO@R(8awz
zV%bw2c^jsXkRYJlIOmirNq>q5YT&@1Jr>bq{Z|8d(BKJ^@RbL>MVio?^8bze3A`Q-
zfW)ogTf&0r6C8fCsQX~@G%l}|j$JqrF`=T1R>o22Y`S@dt;XYH`tp%<Kq%Y-TZo@!
zC`W5JR(rj3i5$2Yu5WTN|7t)B8t~lhv%d_-Ds;WNcuX?>$5oRo11le~Tk2~C<p<MA
zgEU~w`tKew|FZ)i;RecJOp^PVKP))%g$&0Y=x}rCG|iDs14lRnHd2*61GzD$35N+q
zTm;l^Pc46xqXP{LfD9|iv@$Hn@K=QIX>EWfE)7z19`owKb`*eCx3mIn7V5o}SUWR)
zu<0=U%>MY8c?lYT#HSlora}|tp0Fcn*74RY?8prR$N-jSLdrN>fqmmPTTfjf*f`a`
zR=WriNk^i%1BlNP%u10Du5UQ?omKgK1d~BA?vW^t$|ThzRsR$cnS#uTk9_h?!hb3F
z8&ClRf@9^MUO6ZGABFgjLIAD!k3t;T#(zA-e>}v0LWbXeLdJhE1b_%Z75~8y{{fXp
z5#jG)<o}-(;^9kiFNKQz5=|-7_4GjeCr`ueCLhoF$>0n%-NGW?_@X@a%@qgc!7&Y4
za1fkggFDYKbfdoJU3`2;qEZJsS}9G2g-t*px&&VW{vqtp?|SQ%jYppHS?z-8A6Gdr
z4)T%b?{^}=f6GiX4?fTo+279)3V4;VwP|F^bW~h^jM#e(K`PwKhdHlnFx~t<-mPKJ
zWIPZRM%5=9RG8~|Z(|Xv<Jk9><=3xYb1p08y+y%0zQ6kuZ3g;8GqwL8_TDq9sjll9
zRxBV0hzg37P*fBI6r>BGNtIqA(o_Tlq)RUWX%>of=|(`B5CQ2WC<@Y%E-fIvw}cW%
z^6n^H-s2hf^L^tT@89bW0Y>2L?6c0=tIRcLyve$IhcDv!tu09e+L_l}=5I#z6J#ef
zZtmLv*e$qXUvooc)O*QXSt82%>E>W=?_}K2%4z!LjY+krba+;i2Go}e!tbjgY`gt)
z;PO>dUyo`_)4A>M(NV8C6@xjy*dX9-BBm-W3T5YQ7Dv56j^YI;8vIQ%0p$=#r$!~%
zycuzNZ{TK&4vf&vW9jMhPP>+=5O$H?TFGv~Z7y}@_y~r!_#5?U@hn3+p<~d;Ul+Po
zYvWFzJLk5U{hbd}wbsdwc?J3{VTyc0|CA&t<N@w1LRTG)_dW;U-}8`KC@ghl<eO-{
z=|ZXJ`rb!a#_*+h%b`r?t(L`FZ&_3=xo1W!9gZ{B40@0j9Rd_sq&&K0(Pq<l7F}qY
zhw-dV$u1r^7t6;paT&!4Gxe&;Y0niTq?;%S+fivkTq3;sO`1SM_5NN$r~S(xdQ5aU
z<6gd(|8z1=J=X>}mrHMht9JP?9ZC2&%+k*DA1@WFpj;zq%ka^fou62%5n6Qfn{#RL
z3wa~gN*0E%#&W}i=yCNPo~Xgi4Rc~7oZnlquVAO4JX0DkjYt*i{ABKxqrcHtY=2C&
ztZxj$O13qg2hS?7+n!7hdN&V)iRxC(F;py!!Wql1oaHvUS%3Z2XbP`}<S3tNaJ*>}
zUl^fRrM~_rE(*|8BnfaFB$j@4J7oLa_c!kuZ$5r~k&7#7baXK|(6?B7`DZ%}0mZJe
zbFLC+>fOS2*SR`OuIc6Ve)?djf9tzFUIY4ltac=fhpq^hZFm|-&Bz;X<oeAcDVYgp
zGwKwAfxmyXSLti~zCNe_I1QtiiQNaS-Nmgy0z4ZOGV$2^Z2#N_(8~Kljjs=;j-E;N
zYIo9+MNMUd)6V8~qIR}Sr(T2@UeNf3G}+K++`*l!82h3fC&WJ3i8O(1-zf`kNbtet
z7-!WE4}FS_sm=~v94u6mx_46}4qh~{t)7B~NVygndG5qA&eIl*0|SqdBd0wNqw2}&
zmtMB(89u)dp~f^hQlS$jawa<hH*Pj*(>?W0U@8=vw^K%}=pC@DD>e>;yTOyxo$R~G
zLy1PXUrr6N<i6XWQ`2eQ2bc-|JYJ&w4wzZ39ngL+=6%$jEY_88C}K5SUU=utbs3eI
zD-S#Xkh4XZ1=0ya5QmU3m4(YLCo$9c5P|l%nWpIeqRaAUZ~<vTZwq8+1s`YJtU(zE
z8`6UR!};o5HE#g!X}lcyR?EniaI_3RiXAkHq^g3)F7%*u$E%5}jtzMf6B831c3FID
zaI5dm0$%g(6KHA{A+5wR&+7rlG*)Kjz?M(_=ay$5)&FppeQBsHzS?7>nS>SvE=?;e
zzPCNl*YGY2OAomD+eO&$l(d*E9CbACj0SyvN`Mtqu&(EX*<{dR4W^P?JFU`l!%GQw
zz`9FQq^y!psx4bR*`1&C&_;dsF$gBi9Iw8}A`VR$?|tSU){DnSxIE_ea$Sk)V_}W9
zB(J?#;mnoF@~Tr~wrr7~{K((3jQq8aUR!o^!xhEXjLJ1Ht0!Mc5qD|Ez|o4gWIDqG
zeR<AeFVvSIpsTMXc!ub#W}zS9$Xg>NHQt1|#s>4<^u~^;u5<AnMW2@7c9E<RrNVqe
z_CJ^DCUX70e!bPO`B^Bt|5SJqCS13AKJiW?ZpBn06Bb`uglnOn2}^fn!+^P#z1`0M
zIQyq#bBJu5Dm&U2S-t-9*3M*fSG9-pL=oXj5V4|5WRI>G9nfiClD#oOhvQw8$w0s-
z_@T;W>RT;+ZK#CGC28YC=xT*s(f!fZja0Q$Msk4vwmDnGLM8IuH$h|bY}m=uxD$8=
z0`~ruzYhe((LSW9eIOp(pO(FyjZA>4r3-!NdrlVR!Bh5RE)Q70|JI`!VvV(WR?9B1
zn^Svr)gNfyMFaH4qSb`?oFdiKaPiJ(8A7SVa%8+oQrvhdaqPwkJc5|G&W7q#cmlBh
z2j!)Rx*VOX3^<YSF0}{Aw*ry8CmFp6hiwl6M$4f~3&Z8Llz6Bw>YjLMd5gP-PxQ2H
z29ata6t-o6eE~QXvSE`!x%SKNIy!1Suj{@Bz{9TAZAk?57JupA^5jQ#HitOk*yn(T
z`dzz<DTamP9S<*(Fp)RX>R<@dnwJIrX10&o%1o7ene3w?0msvBuk$>4!1xg_CfaHp
z%Pu5RUuS(%P2hs!Y{br*&2C_z@6d~cg9b8abDufv!jBR!Mg#5`65B#GZayz627?-Y
zFa!F8Sp|Y-yWALvgsX0_BwBS^J?(MwINYbX%1LKws6Gn4-l#A~_<m%40q61`=k>R2
zSz<0dz{sEKvFv=_9~Lry8#jIjp5c_RqBvXD7yaXJDYEs%;$Vp?09kO6pcigvA6TNW
zt+id_l`;+h*UcVZ27A~H-PXqKp9E=hd22=Uz12VMmC>n0s;QrnV#MK<XK)A6t;T0*
z{rQpYwoFXO_JzH##SJ{Wr%#{e5I3U0(-oRmoI#-PX(*6zN`I~nxC)!N($3Q^<rx&e
zZ%vgnYz7FG|GY32zRGRsx=F+qHn$^Gbyu-gYGM(;iol(zMpkN%Wx}$WSloofs|+*Z
zxAHy`pO(?APtCN*OF9xW9d$C@Uql(iInQ<;_8{am%Gb=VbWy^T`%Ul}j|-_nmw-K0
zo*xB1{SSlV{&ui=`U3>eD@ruLd&H42VgNaF307eAgZ9b8qq3+I7vpVzRdphl!?Y}S
z^;TgJ7gJy2_=N1}5FE2|lkvu^L4pvL+6;Aht1NaVBs|u8hf1CW*K0ZtQ>2OOSD?Pp
zFfZXA^J$?+?bokg0+PuL{O*Q0No@9-^q2R%gQ~=HCO5D~{?6o7*dvFLixaUve7h@x
z&HtRxx7Z!V>JD2CmF8bFslLm=XLKd(0^a%EkL6>haZ3#0`0ZLM{LAg(LrA`|m6W}A
z!@7Cu@8fYR1EqQjGz(lH%;=x(EYZtrS}ly8>S{r@b{2wpvpktnJ3`ww`@^L~`;7Yt
zjxNj2mac58ypz~$$Ti>XO&-QoBiKX&*}S#ijWZT4VM5kPxN-L3e-60j_ta3;vaHnj
zf|{t}J$8=G5W6Q9lXu`xk`oRHBu+_>LHq%OlrlK6!Q7M9sK*RT#jlq<4;$nFbD2x)
z<#jLxSQ$dI93LNyiFC727k_0u-kdkpeq3!Tkz3@vWjk@VU)`W$&&+_(gbG{gRm4kQ
zU;WlURmo(X+@JAS7Db6k+w=0T?j&B-vS-vxW3ujv3Rb(<oJn60Q%_F&T@lh6Kb3Y(
zxP3LRLkAz+Bp0#Sx>_%tUA*=AcF3Ucwk<i}wrtn9#W}^FcO{db@7#Lx^EWJ?g*D`7
z%NXB`|E<cmpSk<#apX<A;kzVQrJzMCiMXrr&I`Z@IR8d%a;Os-sF5tn2Z3*=R*O45
z&(2y8!DXxBylzP-sl;(d&%Fnb2cfr=ggltfWqxW8bzj_C)wLEa7#TQ^4q1)j*qdT`
z+=7>6kL@_f66bWX9xbXKG2a_FC(!z%X6q1$Vo{n#soSZYD=&nLC=Prs;M1Mg^O5x0
z{5>)Ncy_}C2|s;Es4m`npI(>P^fv=k9Erh;4jJDGxsg&TffL7&S2|t9e)KNGQ5h6s
zI1Py17k1WmdmCW$4}4;gRa({~`Wkjfbf>$JskgUxTwACxhWxmG8N|DCQf{IZRXJ>$
z;z(PNDHF}0J^$`iJz;!&n5A`3`t7Lr+k#;Cl_jh777geHx#V37GTR6{DoRd_q2KpY
ze@~_N$9gtu4~8^k0**5h#d<=(SnYQ-`V0;~0@sIt#!d%2m|)odn^UU(fS2fk#$p;6
z`nr=OtOgv`IVVp53ga-f2fbF8T?6kc09<p0z4oB14q&QLhvK)qa*~LKR3OBcG{4ON
zf@a>YkNzH4hnGN)cd+crBH0Q2gXqG5G!Xau&I|v=_mGIJR?dSj$gB_FNnC_MZ%!T%
z3Q@4V1+#jly9_}f3xYloa9#Z${4U@O22@KdN5B_s47~wp*q5D(M*MZXp8)>a2L0|M
z)kRE*S_6$QsR5WX^Z~HF?Y{>!w`$D7O03@;U;#+KNG;-^0;^_tC;*ty_Ro1g62aJ#
z;aOLIz$@7_@cDnx#DHxirB5fpmwp}nM<l?SETGZ;#}jv&fTYdm)fc|kV2XfIVp|zp
zC(EvQAIw8qj4Wy^ob<)B`Q<eLjxl`Rq<L^{Fl9nQ6x(YJ06$cJ8H`neX4QW(%utY;
z;iEUe7ZVMG$RMy%svC@y|9nVk(j4(7FJ)ET8`AJic*}E{j%JMVM5ye-NVj}&n6C~c
z!!>5taq&fm#Q`nGO>h1L37>a81v;h*wNi4F^n9MBpKh<T$7QkFTkh>l^}kn5hnI9A
z7O&Ze;@lFm6Kz1cY2IQQ_n<0(d{Y_8XKOySekq|qZz1Tm7Bd1$dCT=54|~digv@l|
zr2+~qazuM3cqEs2$u??p`RM3-Pa<)9=6uBX8_On54(`*p%jw%VIb;zrx@S3JJd_??
zp^mwumBCbLr4Y?=n))KWKu5h}YyHZa@m5)fvE|UrVo8TVz1tFYFhVf`U1PAji}y}T
zn<5ZbYWi?|J2v=x=^uYxQf;x(LC3f7A<vX(vd}({?}TqI8W@yLsxk_Fib%fYA#37|
zXUTDwp_fHHKZSGIOH%v?J#~mo9c+6_6xPlNCWorz7)AA`D-6KWMkLBw%tq2;8@({m
zVA{qj>vdDY#3f8pzg7v(98i?)NY8dmn$pw)#=ZR;I;INl2mesqgC7M!0Qk72ingO|
znt`-Mm(t$4Eao)%ItPimB4llR)r_k(W}_WBD>3pIH2kTGPUG-J3{?vk!E8aZ`(Nu2
z2iD=TtUhh+%!@(pjZ1iZ#M(wViT-r2t$AE{x(hMYrqEm8P|e4C5Bj=--hG=FP#|sd
zsj1Dnok+C$kB0?3iZ(xv8@_V5gdvT1nXpRAn=lIM@@0D$R^PNLJ<F|o*VEOCAMI1q
zS;mB;!`VunD`5`pM4B63`D<)-B!(rqkE}EcDzoTH^JvWMu)aPY(Im0t3D=QSFJ-4G
z^*eZWHdDey50_?Crb)d5qjsQcJ*}jhukQ}kWR*QblSDUH^A`G=z%oa9(I_h8M_5@4
zOWU&A2q+h5Zm454Fc%&#@_e*u6!ut2xhg=cDKiI&ea524)KqgGGSVV{P<e@GL3NW^
ztUZVK-fUT=7iv&xWd#b4CsspMYj=T1#!d*B@s-5c6rgU~*>q_)$4Elul2V4sn!jie
zInmb$y1v9EORed7ou#fs?cLm9r-c;WP{pgQ3)dy&FAVP~kmXfv<&``cDpHoh-4FN1
zersH>-!je0k;}i`8_8=}`h4NUisR19SaWPMBy{w{U7W48eE|Vx22LRVlZ{0aEA$97
z&FzLi)ijcmSp5U(C^E_7K@f|NIZv&T8=luou%9CCWKDHd_z0TGq127NTB0>*n;qn!
z&TPz5u2HRNf^zR`*0jI&=5~%+c2YGMA3bs6gjM(nT0HkKbZCN(Q&RzV)9Q!5CoS`(
z+b<b3HX2<6fx&GymD3%0G~LtRwRG>Z?Cp$|v2&B{7Wo}JYcjppcS>%oH}LSEhk8E3
zoG=X;L728d9ru(x7TV$kKV<IIuw)pfv1?b$=QuZ0uM~>AU9R3Xs%){|(uB>8T0Wm_
zO6tHFK<dFX_xX>a2Rvn<skjB461r?P`IsmxuD1$Jj-BIP=}2{LfA2HhhX3$n_8es(
zJ-1%mE52HJT{d0+?NQg1$y{(ZIj@FH)mIcxP7tdtuj!7+T*m~RXoz*%Xk>OJ_Rd}w
zbH9&r6f!XWS(|QPbJZX>bg#%WXm2;gDhGNr8$uf#>dC9N+F?D5E^{k8xx5?beUoUM
zehVx2Ev0SfJZ!snriEWB%EQ^>IqrdUzWM5R*wp6xd~NtwQJ?vkYOx2Q)z?2E9jiUt
zMp@eKHBFT)D2FGDg;kwnfY;V-b72DNI5jYlT%I)7eQ$|6{wn{lV;;+_E_KmfBZ<w_
z`<7`;zGsqbQ<wQAw`KVWb$_D@C)H0p_}mUo@-21znk;rIRhU*K#gjVB(HFm?m_Qu8
zvtzb|RLJi~duN?w#U`HRF%eL+=fDmuzB9R+-IpFtl|PrjZZ=5>H*Vi?Yz#*g1o}#x
zW&8&LC|$=7wi)%b*)t_Pgn(V>1GFW)Q%I~$*!{jdA_b>>uoR+yJBP?>D+k?JTAz2v
z%6<NL!~Xkiy}Yb&x9L{Kou{971)Ms&8+eyX3aalZpahJY<MLj6-pSw@mc-G-(nLH}
z)frkgmUz_jdQ@RmKW)_^A+{4~7my}pRef@yf8@NOanQ<7`>$d!RPWN7hTGgJN8V|P
zOS;clSBKp>KO{k|Q_WRt!4$UZ-pYBG`KH-^i}TRyfl~UeD;-xbA;_u01^Zav`Ud5S
z_1LbScfQr<g+3vxCCsAMR(cJYdv;#GdBcS*Uu8vim!>;jLVL&G-cIbvC!{xMsBJmY
zEWlaXC8Iji=p}1k{q?pYz#*Z<8EQ-v<xrHCI$Yt=Gsib?awiDvp2>l?VXblnh*#bg
zyr+fi2A{olSM=f3v~;%Y!p1~ah6z0_ZRNBy3&Bj*eb&CawwO+ebA+STWkX?ZZ2<pn
zRO%EfU-4;NuiiFm#3)xw?JoB(+A|1jAh|VmIzVE@j(56^E`906+k)A=ywzrT9}Az=
zk{emZ2zU#WDPxG!Hni$ek1y3ceW-PPgHoDgm75ANHD&6RhSYUgT=@%o)s#wV&R|05
zGT}N>Io~wJPzYJhjbnsN(1EAxvncaF2Yg*Wxb3E8{14Z{gMBxacIS-4sA=sPZD%cM
z@U)VB-Q{G=RsoVF+Rmr+U_W~G9O!9!8<}yvON$eiYt4omSm&aD(4I2@<IUYQ?MsOl
zbT%19RR-NW1xALt`}22h<FMZHFJrG<QZpR3T-13x?Q1zGzhgb#7$sur%P8#m?ku17
zwGqLmFL7(;bvofd@u2S=<@J@dx58Sw5oaECq>f~_4NpAYz4d10^a&z+eE}*r(6@@j
zje8J<)zO0WL!VwPy}&|^w^qa}N(|fH@=DSAC=^ns6mcjp?h#EOQZ0!m%)XLyq!*-(
zz>tU3rdz#r_$ofcg{Ewm#vt9t#Sp~lp%r0P9wlzg>m!A6{CI`In-%Tb&e-#Ql<D))
zv7OMhOgaJ2?cxSe!5Ln4=MsrhhI<l&Pb_C*eX;4!Jy|BU&mCui=2q`)KD+5gC!gEC
zCmiAccTV9nP2^BpuHYXzX7TB=4fl@-khqKd`X@g)<i8E3v>G+|<#-&gVe*DL8YQ99
zy5)LhjwoTQPsQT8INh<fvdR#X#w_7XD&iXv4<_iGagO#<*GY-><~NA-U*G)|&I_Rl
zwzXZ5CF`O@>7{w%*ZQps$S*n(WEj?)%>&7N#R%f|nwh{uX$`aPs?ffq*lxAnQp<iC
zgWUydgLUk=hJ_7T<XW*H#_%UCn>R~S2u-u#2qaEJYOk#D@Wd<(9d$ah`Fu!1Ky@XS
z*jKg8j<KAQAFKKsMNoVNQDns77OoI+23%WNf1`EeXt3}2ibDjZ-p`{za~4KyXMS35
z`ZLS!M#rof4L*Mveiui>YWqYg{%2=e!rNpmAL}hVeM_y-vzo!{j!X7XCJ92;mLoSt
zaq!}GZED7RXk6Y_Av4p0*m?0(9(+RVgxBB8|3QS?F!nFroux$wNitMogfX0$EInQ1
zq7IUanfT>(4~!~UA`ha_lSff(-f~&T6#iq|OcsSLj_kA_dCB=Vi`)Zjty^%~df1rK
zENtZoq$ew{8tRqkXaffYs?7W2-zC;VD8*gYGrViIb<E=TFs|txfDc>fj<-$i+7lG+
z(Ub~2L|vm<r-LRQR5v|5GfgE`iQ~ftT_EPmS;<58e~j$0aY)h4H<4?OMPA8li4hdu
z(Sc;8&ULgJQ&|Tzrbd)R^P{%EZ_CJzjGAUU{K$3*POCPWi$D=&9^U@@sYgM+RD*SU
z=&C47L_(1<>VQY8%FQm`f_JD1aMrxs7O!4Cmf&U<@d=S8HhFt!uf00bblY}jx)c4b
zEnt1IvoMNFWAv#{8`BP!5%Vm23@MdRQ)B8QQiDIvL5~oYWnOQMF0yU8oa18d<FUP#
zT4cYn+|xgq(|=A%#4gH6k2v@gedzUQI?eckl6}PC;smkmB$0I;v)c==#4Wmmp_ztR
zeec?%LxtC0m2yH6=odug`*#kW+e7|rAoQF-?v{oSR$;@LTi(7GoA-~Mu$iu2uTj&)
zn}*!5oH);HuzIhy6c3HV8_wI-*PZ>^W{p?p?{0X0am(sZnbp`xl<1~C5oy%wMH#q!
zbKCPrRt|FSRVgE)LS3jfrEDv2E!oo?f`AeT<RSk7(wilXN>xD<a@sdLkp;_Ji(MwQ
zyPgkPCAvdGx<7N8($f#fL7ZoiE>pb%xY#-EQllW}zWh`dxbv6u9uFRyPIQ>~I)@Lt
z8+P|hv?5ILEtbKdbS{=Mva(;q%yJ-Xp3t?oA53-v0#}4y1N1LJ>zy6m#=NJcJLAz@
z(M&7S_o*h5#d|YHvFpRPCqJfg2n|)soW00e3<w8Xx{bv}i@Z=5(A5ksS#<*^1j8V<
z96p<iqgU}>u5tWQJ8Zwqm<x?+BBlmf_og(_;|YY;<~7NGcK0w8SO<QfB-Ex<5(6i;
zad>>HA8Bx&9)}I&ulkhUFStdxPc_lG`kJLy?0z(ZZKfrPjue^oAUZ&EfapPFVI0_X
zOg}Ev@LCJ03~I{V)cE<$ZIdIZ@kw?z7Ej#I;TDH$^^RlbqAqBL)LxeXv9JKP1Dt4j
zZ~i&ZS5iw^GG~hGGePMpXClumj(0~JckAa5ibdd!<$}XguiSnW`&tjm7fr)!FWi^C
ztbcy(SJKQ;Tk}Gv9XEk;d)S0a077FsZ?&~-*7WJxrS&eR;*72!z3xvuHAB0-GUGNC
zn>fQv^hZbS0`JV5X4xW?p%(^WqbWC<wzq5{?sq(~kO$Q#*fB3IeQ$L75bMm}btCY9
z-6$bUny90Z0?o2*paJ#->Wf{FM$iyz%20Fj6gtiM(g5>%&$Rb^0a=Lzeq^gOTGgh9
zp+shQ_-D8I+6+}_PEVSo$R@Rx+p#y$=|g#BpD0(jZ=szOohxdrc$(65>nK`QY9udV
z=iPTh(q1q7guFkI4bIJ6){=3=dZHLsDE$_F`HJ<Z0$;@<B_QW|Q%F-{p_hbv@M~vH
zXR_IoC=jk^vqaRjG}|I{-dlOxr^1Ic2BIsiSD6S#mfp}uh)p5Q_wyTHc)F+Bs|>Sl
zBnUVr-x3+SI)T0#P-R#mvX^IkPlwcCo{oIJ+P1}!e;e=asF6gTsa_KtCE@mN54RBk
zGNOd_#zE6Cu^!qZM-)Ou`pgMmPfwbO^)*+Vn>#NHx0u>yJ;+7<{2-vz;k$URL1^d#
zaQhyLUiwlsMe1o%y!;WY51%~ElA5N*x3aIqHm!ghwIdn?%ks=B$MC-OCNcBzCcf=y
zNgx~kVzQfieErwP5$z+jJ5=1;QkVgqb?KR9D>9V$<vfIG7^1*e!+p-fW25)SoU6)+
z0O)(fPpyk%yN16YQ?V=EOY9S2<a0hfw2%?p$v7(h+{+rSmHiYWk*wr*%cjqH6zSNQ
zL4!IQt8+{hU^uzPJjjj9;gGA{qwZI+VPui>*1q=SbA6Udi4r$u8^4i0t#C0MsGR)Q
zLxwMyAZD)-XIV+yV)Wj~TY6|N2<5mx+R1-w(pY<g(qQi=S;EF<()t7~S~;9qY-&C@
zEYxt7*t<RLEbEy~<LpN*`Rt?HmU;qVng>+GA&e{4FjzUVh9F!~r6(b_viFiMExrtB
z93}SHZo>(M`UFXv+-rtKcl-8=n#-Ggzs15@sLO6fCfV7?;Z&*|ROvrKlSK?`x7}+U
zFPY+>zb#13gBbUuQ-|4AkGMO_t|I~z?4@>A(N0*@g_i6!ov{9^iBKE3F|U2KfJ&{w
zUc!xVT%d3_DHdIu*N0={4!h`?)<kJY2EUbJ?=W1cROG9k{dF@!>y6EG(o^*0!_56z
z_y2AQiLVf7E7mGmlZ;M#--6*em+Q48R$js!ee7TC^CQ5kk>(;dqVN&B>6>*<an|kL
zo3(miNy%sa9&R$A+}3DXb^^Zzz2-w6p}wW%w{0WF^AhlQKwdF4{{3&;B$kdXnp8t5
z0+46GEla|9I50#1tpe5xDqsNSo_13PM}~kZ{bhP4RRRgy666$k(o3GL5gh`p@Lwu$
z4?zV^1GI@UPIR54z{~uPN@OEiY%C9~VDE#H8^{`#S>8$g^~Mt5<GEVT-(WzPMo4J}
zy$3O?8k3yC-_IKkYJe;cuunB*QCWL;3IIWf=@yL^5dS);A*O&okr2Y32LwlokZf5X
zmxX#ChPd|k5{h7>!#{e8Ujf7azL)#KwjjMivVnTnewF5rP(q?-=<V75bXr}+{wzPk
z-%D_UODNuzWC6oOSE11hfa0USMy}^zmI5Hke^UghNj7j`7JiWDb^?k5q?Oqfs=t>Y
z>FIEONTpGk-HJ(Tasd_8g;DnTzfGl&KpMh6>piO(9S%EtMDH=cTJ(Rq5%afZJN6uu
z_~`UC$S+~MnmZ;dN!6*9Q`o;P+yO8TT&ANFQAmOJ#Q1aH1T*zEgXf$7R!bd7ld%+e
zSplbUl2evWBVgkz-JawAmZ}y(g>)z<r}1u}uOv>IJ`tRgLbfN(|6T&jDbBhD_IAsh
zz^ASYRxE>E8Ih3xhmidcnJf5{rJf$MYqBU-pSP51;1Y?#!9{;B!3;uri7)eWZ^5k3
zPJ+?D=J2mM{A&)<b^m&Y-!9@`@9?{|^{+YnIhp@8hkwoC{~~tqzkBSxdI~pa){wZ7
zoNF)eV)9mUH2^=7SxVf5BnX?m0N)4!^y7BZHFW=D+RqrwaURh|$R4|DRQ~ZKv*>lT
zZ4G`*-bW<i36X#&5o%u5&3=tNA=X8TE&po}Ds6F8cL2t20#dC*h*bzHPVRx}F&`}B
z_4|H~*C0d?!s5GmxUnP>pTpuhe`9n}zEhQhaKHl9Q=z+!B;knw>rdiMD-J-*C{QpT
zA_ahllia9@ltMTe5TJV>dLC$a5k&t(DCOuWCC>Y`gZ4qed3*XX7zr>xN@Dcj1S=)Y
za2~|Chk#%Whw+kzJz2r}kjl#ZeK5IMk<e-nLO7I5sOR4*-$S~Oo+W8{dxhEaF4qvI
zNMFsczgkfT=)6+OyA^{SdcKBD#*om?6>+gMxIevjtpk-Apn7F-^quk23^&|D7yA-2
zaN+<9utNigG)y#K1cOUcC&?-w#PNs7N+};bC0)8y+e_d)0)58yGWJgc@16QTAH)9x
zMTQ&cO$J)M6IK6PpgO>PYR(!8+p)d0`Q*AR$`W&DksNFY1n4mRy__pWpea}%iY0e6
zLS}ZWmR$F3AxJJJrZq48jr{Y;rt|PdQ)RJz-Jbz(&i@ki1{Q2O$D-Bs>>D{SUJD(I
zi6A-`vOhKTH*_B0ep|5F|G_{9h&o>iqNFc!d2)P%q_-C)QM^xCqjh=zvPV_M1`yOv
zi(|*dQmd8KGoD08H*Pl1oe7!5<d`{awqB(ZW4c0Hb*{?A@?{KfLdWuhBf=)nE<S2u
z|LJ^DWz*=`Mazd;O|f8{S)H5z#W5b0hyE`MJiwSNm}CA^{Q75(+28$)roWWO45e7L
zR}k~hDg_`_%l2YNRr%p4M--0+T~mUDGN{OL{dArbe#QVf`t+10R60e<#YjEvPGodr
z^wifMK2D3@rNms_Lz2aPmDU;ZFYmnSkIRTE34<I@2I31TQRc(t;F)W@&17(N{{wF8
zvU&7Vij|v3GLP2Wi+ZUayBEZxR4Y4mNs+HWcK1_e44z1qrJkYG?62nJPE=4H-L0DB
zH<6=E?N^FY=_ws~4rnN^9%%r$6=-T@6VR>x<0$#b$c6c%e3+myPkt7wB2M>a++VXc
z`n;vOku7L(*hR7K^N7u4U4al7khi+3J??r{w?M0PB4g{AEXp?K<k<-DXt^(P+Z?1!
z#>Z%Ei6)zSVv0`F%{;f8jrevb^*T#*=Vj~Y{9}$VnWIa=nE4A%?Zqz)+HarMT<egV
z?GRu;^0k<>uBw*7{dGy7^FO2L+FXFnYHH$?0P3%mQK;|7Dq|E_DBL+5+|i~*UK`p?
z31u-c*@Nm%Q@jat;uQFV_Y<#Vz`l_qT0R_bCRLx+EL&f>D`@aCHjnFDb1$~&?6iWk
zgui4`d~<3WS~bU-_7N@)E{k%t&16dfS+BTDz`^FQjUIK~!&Nd%u2#k5_9(4ij14cF
zDr7zSgibWE+SqlkMrr+QE_WuMhv+mwt=@=U3t|JnjDY`8T(Ucn4O_LvTZK-3Pf%^v
zt!>J;N+1Uecux$8ImzN4vdt!=lJ8-Abbt`g^`#q-R$TdXePVxnK)Um2&&IByueV9m
z%b56IGa?j&>jr>I_VfV0qb#c0K04X$TX$UA2H^C0k<8x+l6>f>MC(CrTBimW*hKgt
z+(D}P@f_w0<zhn4?59M?c1!u<@e=T8CzsTcvwJ7-j@_ONzkZX@={4-ngZr~lW*g!}
zc$uyQy)=~{qy2TFF42}=^E0t-8Je-DcO-pu9)O`^Q$PO#e5eq67IVpc2Qd~~2W>g7
zlDZdEk%`Vbe%*ffM7AN2tRLl{F%`OAUqXkQD8OF({##=)G4vo$m!a3J!la26hN$g6
z^CbId*LbvN+V`gueTxGO+!nLFlgywgM{u9zusJ{}@E@ajVsdd;#ODgV&8M}ZlhX=p
zcE^N2q+ShbLGuMQ3%x8?kcAJIrUv~4L*`|2kvH~@iY=SWdZHGEnq!~hx4q;Mr9vL-
z4<tjg>wZiw70tyPXy=U2K4;pc!?8?RI-r0*!jH<#A7IS*kClF4zWU<DPR8AeN|U(H
z!xUd@>QdWOrv?hoiXrup&V4Gg5xbkkbsxaVRs62eZU1~=`%V^83g`DCCf3{HWu#8r
zt;!>t7bd<t_vtlR=0avdeCLWa)0_W!ssQ^3>*TxCj^x>SW%O26xyN7Hh>Cf1D}E7Y
znWJkh8r%u#PqA<;1=R!FsYloMojt{KzrkvLk0Fk$uzV|N{Z;|GPPzLVi4{@0@3j)u
z@a0`dMf?9O_b9=}0Ag^x7iQXIgRHqsb&f9va4a_o^&4@vC5glXWl-2l2HuyXBJEhY
zUuCmtk*rS>Ec@An^Nqt~6nh$MQ*{bID;$**^YDSb?Wc|kfTz#d6L2@A9VJOt0-4MP
zXrvT&p+7#}#8cV2H+L$_oOIr8-ywOkpSv?pavZF9()83TD87c&HJDl`|DZBd(S9-5
z@Qeb#_5-Fr{u-2U*zX1d+}6;s_Ebrp=*wzRBxcCwcz%9B_!V2VQfqkn%o+3U_i6%<
zzMo3C<xzCgc2JiD$N%=~Tv^TW<0Pw&@f$3J!u@|~XHS~@f#s2tk-HMEh0rdkk2Ixq
zuE?Bu(**@*D-rWjg^r@K4oDwQ0eOpf{@QI>i`F;nKtVxSuE?gJ&tn!5G8sTC^%|&#
zwxqa?GCmdP1MEaJ6v<MKN`3sx*YxIHV*{UvF~9L=r;}z&totdL^=PCkK4aYlsSHk;
z@-7H<D3rDoJgWnEODx5<^4JQB826w)_yy(GyozsvfO-2>Q{$x-GzvxHX9r9WGg(u=
zcT8T|b}YWg`9(~=Q=SI*`#VQ}>D*tajJRmpglh=)1r5Cp)?)4?;J}1s1Wp2RP`<Zz
zL<ks{S))auH(WIjkva0bwOazx_4g>_vKh*39zCGgmKhr>5Q_44sB(M-I%>2m=?Wd-
zAEf>eya8Azu6+bdb-!g*zrCava9cJaO^UP$US|fzz_#8vvy`cwPkvFcz}o?AXb9=-
z`Htq{YPl_P2b9|e$lq`JgIh<g_D&wKMrn=#iaa2ha(beV$dB67X7#~nF^V~5Otv%<
zLy~ns1AdWS6!4ZjF%;70HXdys^=G689G90?w=}vl?zGtj67I~cW!8Zw>qxgX!%J!4
zSU#e`@XEvvp>t+uCM~{^)ho0P;x=L-Lov(#HgyJC<dqYX;~mX<OzRlgVZb6p&}lNP
z=0iZoW)8PRfSTOQS-|;;qFfxQ>L2(_?ACy)8Os96)6h<Iv89Hxipu&z7fDe3CjCH#
z#mmW7SEH9P`RP_cF+tKFk8au;^Ko@dUdE8;EqxFM!hP@$51D}(R8o*;^TJsqE_-ZD
z|E4w+BLJ$!W}sj(xz-2~v0Li^;;npB+JLj^tAE|}RDFiSi)PZn=J@eKoSz@@7|qJA
z>gLKl4bU{^G4LnR`*681f@KUdkkH7VY=`>ZxB>=kr>R(2r7_tCyPq^O)gE5W?W*C<
z@un1{JTo#XlN~^?C$3gKTEKOjz!R((V?9YErLrkvfY|Y>|K#MOiA_S;sHf`XJ8#&)
z#EO$Ocf;*N{)Z?(m=0)h_f@B*>>e5Liu;h|H~1M|pF0QQ#UVMpO0e}Vb4Ojkt!5zu
zK&j)jtk;0}OR?GA-`KH}{%EKz4>0~nVEiP4bLyk*sbZHF;=;KwHl0)|op(WX*U|Y3
zxT#$ft!YqG6YsU#Il4JfYjDn*D0?7(?1c8&0wV(69Hd#VI9|hdq@g9i-?llS@8lSe
zS{l|U4ftVQ{7cZ`92m=#NV;EO`Vi7VBK!FoUq=hwV*|vXHyDI~po>*cwpQXXAXB4H
zf}eX#Mk<Cvj$3r3^6KU4zTiKq4;bB2DL>%LGmVDd#%Bp#7bBy{pufAjq$CUFI!49_
zj&Lz30E+RG&G+F=YCM}-_)*t{tb1Mqq2}|Sp<qU!2u}1(5O>Kf^di>!?EY5CEwO<q
zD=A%%%W}oQV0akP#CGrgTN7*}30m?TFtS1N&Np(7Rf8wO!^~o}0=&+UG_}bt|DGZG
zksea0Wtu@!20jUq8ZIA9<7_0RR$Ri6FUmitpb!Q8E^ZWY59q!>1CE2r-CO89I1%q-
z67)DuX^=HWK;nU`Yng0{CMjYx#QL}}{llo4tC#oQWSll12pMTu9<q_ClK?Tj+h%L1
zv?nmGcIu<=z>O8Vy?;O+I&1@eYopE_<VPZV6e&q)i3hKyrD5;(PqVrs;P1(2@4S#c
z3&dBmD9C6`=AeN6o|J<DMdgSCf;)hh_8VN)sX3ORiI7dmjqOakDqI`rmk$1$q6gzG
z)}sQ>nI!(q@Fyh_n?TFs1b)qd<Kyu^#~2ygTUmIS-N+;`h#0O^caG^*z@}cO{N=O{
zpu*WQZn-jG>wi}kB?cHZjcUC;NCe13mjJ!jejM`J%Ab;+`#Vq*20p<Cz~d|vQ}{W?
z-hf@daqoEexx+kQ@MkfkPYQ^h7OXe6yr>iZvjO1vtQ<sxN4BT8;WXg{{;-(x-S<e~
z5^DiVrYHMrtyvBJ#XRwf=9SxJZw~k|7f(?bFNs8$U)no^Tk5ntxi5{}^w{yrsjC>v
zvzu~9jiw^%qx~=aNo`J@@?Xuv>(@gOP&O`#7R(<?rgwMwkG3MvDg!Vfr&#nW^&5b|
z_II~t;3~+=;Ge(_locNd4f2x&Tj<5icq#mt?kuDWVKHyF$Gxq%n++T30Sv!`5B7jL
z|7r8Q&94KuKNLo*xckO_7ftZtswkI1J~kci0G{ABxR0*@CAo$_g1;jYIXZ8<_^{<K
z5Q?qHud>^*t4?(iS4A!Zcz`Z|$Kp3N(A86wT~NDWQ7t0#E%)oz2ypVKd_8<{$qK(-
z9z00EZ<;J+5yn+e(`uR3(jZ1T^3#=p<(2fdAYT6q%JaA#n4>JbQ-451<>#kQ_9Jyp
zB*e$%6$-a{2c^%OasDV_cWZqpGHP}E%{R-cQag$hWEAqJl<c<%kH^zScEwWmjkXR+
z#<(;Jxe9Km^6ZvPV~#{B=%K6)8~0hflFsOaT)1ls+QZv3)+pY+lLuo4tQ7K<&1qT#
zTo|v;i|^&@-T~X-I2&>d#+Kd*;oWmCftJru^ZbeZzy-!(JNbb=K&8G)ZR8-sxS>j>
zFAMh^Ps_s_yqjs+-+?iI=~-_0wFjiABK^(j!>_>YdZo$CU<3>np0SFwBLebVABV#R
z2e)ZkLE3nVcIhjUVE;HkDvxR`!8cEvImFKk{NdJzgr+RAgcJDbRjB<apt{rW()ju3
zLPr5tzAtuu{BFJPcQBOlNiZ0TlL7fd2%lDZ78!s7q%yQ0C?@;)wSa#X|2cu?FctWQ
zN{RV2iJkQ0ZpZw=V_gY8e<i&l$5<TrhSzF(Eg!s=<)=IB2bK=N+pY+RcC+6H7qLJ5
zLhc#ByU@B44J7xi?Jj7~8J7K0IywxBMpc*EZq<Tj+HR@K*#ioFJ`hhE0}kJ#*MP_2
zWph;e2=3D7WoX_(fV}{gwxG}a!p{(VQ<jm?SO#9vrQu%=)@Tk)wq@*2h~F{r&9RF#
zC;kbe{@D9{(53thzj9Coi;cUvv8@kYhx)Wc_t#i{4fs*U<hfHH0l=)x?<@Ofz>ZH|
zMf||J-*o%{)|hYTc#+HwSo;W2A4dbz_4yC_MiRL=Uw|MB83S+%46j8m4v-x2R$A|V
z&gSO=mgd3}E?>tBzA@}-oiGHi_J)e%2j)Sds55tXFINX#IhyQr$Wfr=0a*k}9{U^p
z5j0B6?7l@(lmmruH`PQBZyw<CY!|K^fGmx`nyXH>Kc%<}Vr@g|U$5_jMF)U68W4c|
zzDOTfV_&}L>BD7Ujdsd{5%%C0wYDrl2W$M-7)Uj_e~p1;F8_Ll-@fDj$rz&Rz=T>R
zNJh1@HQ5uyoZp}2y?6FEgZytrm5h_mrQ^UOXmI(FpF8l9jb0%J5VAFXhuKbc5`X%g
zG$~`d%DKz3@V&BRdX6zb%83^AysW@x3?eKpaxyLO7$<Xp1l*D|vD)(HhFJ!PFB=2^
zSZeul3FliBD8Ld~wH~a3_kCUv;|bRS9)<IK2q)=OC5iTYvgub>PZnh#DzgXCcrVLK
z88!lV?;4m7n}h@R1eE3|nSoc4IN7=iF7u|YJw<{f?^$HlNMnVrt$DgU3@8}i2p<9e
z5jb~e*8iqDa9??>Cr5`w?Z^oAt*$2E7PNuBjaBDcz)Bp&N)9p=3$O>jK~SP3$&&WC
z$O!<hfN+I9Vx%~F=YHP@gZ0&VS|;L2CgD3^>R)D-c0jDoiEfod`xqqd%<&o&n$rZ2
z`d<O3f;t@-R7sMa#d?F(G#bb@l4JpaAm=4enHP%kq+2D8y@ddt_HxpG`@Ax^uTQ!G
z^pm^b^Szf=QF&RYLz0Oni9$HF3H6`vK7$)sBm)I9BXBM{cy%;m!RfUy#KheV)`(Q*
zyaFa0-ccq?di9kTA?@ZMHy#FJW`D>5u`nPF#N7zOpZoFPl6=YyGJkju<3i5@5`BWG
z?X?zJHkxBSy?a1CLMi`V$)jIiUuajmul49TWkP9~+M`Z&YO>`a;L}wQ)uC{FMnmSg
zrp25N<=EyavwKrfnR%I?!)Tk;!WNoZMM6}5a2zwk)kc%Aj24?-R`)f%H|i6hTRXPb
zlhc=vzQ{YY71@j0V@LaLzVAUAa;h=T`E=ym1FBejBe+mu>$X{)42Q!xI(d~^_8XVO
zGUsp8Uu0+hoKy4!;`V(bI)nJ}MAw|Zg}`P7D**G_wKy-1xM>dF+Wz2Oxw`vYviR0(
zRr1p~<7XBZh~Qkr4@qz<vMG@v`ZvJmQW^DHk<0<QABj_dBjTwrpa-u8Jd}#1rq~Tg
zSFRjH`A(}(djun65Fxa7MmIhm%m?f#?`)``vLsZ>8V8lanSZ8mxAi%mz?V7+oF^jy
zgWRox>qbax9+gE%#bMju+^8=X^dpf(llB@~^k|kQP|5B3qq8_cT&l4o6$DHYBn|uK
zKV2R$a++%OXn#r)Peaz?wJch3cZF?7`M9@Hgs$SQ+?_D>Sc`>nz#%~r4uO*jeIw9Z
zMK)ksgtt!<T{zyBfeUPQrfDhG(BSp$e26Y>rd?}m>_tz$A-gc)3zKayobtHrF^rT}
z@m-d(ElaxBNY1xO;6W@4*90qkq~JHSE12Hk21fo#<$+aM)S$fUmn34GVpYWJuFRKB
z@KF{XSWmTRpH3sJ@eIy~M9;zof-q<$og(nc1YqQNFZm#fuK|8c2>5Qeq`=Y=?bJv`
zT8l<rKVuTU#NIjN)-WRBgK-)Ayn^pl#qeezoF2V3%^Pz`6{fsC&Z%A2p6N8CMm<UB
zD{I=Bi51VHNAN5oc+e7VE3s=}zWbR5ir&SmHdn?6)xyb}`DMpk8)aYX0`=}>j1E>x
z^0K>83#pAX{j?Ixt)-h->Z`Io)4{Vb%E${d(USZ%m)?hSkBAg-nT9|5QeNBe-sOkX
z^w4g;(Hv|d$h!xgDr8>%sd^VxwjE-JfZ61`O_>YKR`i=M!x>Z)y1r$~4M~J~Qqtc6
zI8-R>9-&bo;ihfsHG)OZ55p3Jv0hm3YcIp$i*6&XVUsOMTqS#Wa+;=q2ryUABw3yG
z)a!#wCDVyoF`rsTk!L&Vfsf0!ctU8QI|`RkSbxXV$<_q9<;tadW~_SfPhnsZE0x-#
zwD?ZK8pHz|CKlx_`t42C%$cpGZ+hGcHsfOOb_HKj_5LlXdf(^R_e$EEQl1JA^f019
zC88OquLN1*CpMVx>rs@mk3E`&AvBlb2$S9EVQ-lU6@^;H6<I&270OjXY7(0Vk1vo^
zWMmiW%JQ!05}2;AQxLtmA`hV~p)IlJrbgBp;ix^@+`}dJ(rcl%zt}3?%kWM_ybIcD
z4fZXm-DREUPxD?g4)))gG3{5~*i97{?oSfLd*t{!W@cykpFt4k?3N~5?0s*t9;WcA
zl<HDZpqb;YaGp6WG&8#<_-L}+sv+Wfq*N}7KOAUKs!GoaZpM~ndZpc9l+wRX7_Z-(
zkXAsLVoMEIZZyzRMtTlcd3o(@kyA~*`UaIBu7T#wBn+ODSxUc-PdS#;ZK}6>+QYKh
zA?Gdu4&}aWJ57Xu@Ra+Tqd)ME<fYha%>LyhY^9!r!AY_~N>M<f<Y(K9KspK$N2f)a
z-dc(`9i#7v28T(@J7m1-%3=PNf{|VMkrN;@&RcPrz4e_UwG2J1iQDp3;zNCS31)QE
zN^Q}+6I|`W1-T4YjjpRXzy=VVrtjS8#5^%?*6_6&l5D-X`Z0o*?aeRK`o8OQgbIdN
z5h{7iabG_-<S!#4MwoVTAkw;HOF!J61pAAeeVK1k2*X-j#sKk0j*2Q<eltN-$298U
zuoyxLaX+6>Ou5uS?KylMhGf6x_$wwERvP#NO26$zd*0p~H8f$Hu@TUg`RD})kQ%)T
zbk8AEKR+Xz*JEwukD<#(&nM%W>(PA#UfyN+JsRda>RaI<owSe;o$w3~3|mbn{EFD^
z%3DHR6vNgN-{=BZ;}wXxW_u3n{lUBf_Xp$+wtJl>ZfQa_15p+~!Z+@C<Un2rZ?0V9
zO*FDkHX}ay$$n0s+cFth=nFLQUOIY@fpgm*DA_2m@qq))@uxmRke@4=dJtivQ9}vo
z%ipAW#)7fTL&JNGk@IXKbbj6%oGCyY_KO?}M-U7!75ZZCi53azSf!q8EkmN=E4BiJ
zAQNr2tEP!N=X`ep99wE|Zvv1zibsH#AUgKmtC&c&Yw(V=TN6PO2rG=7nLks)uBGr7
z1`|@MHkGruf}8e^nWk(6C|<dncOAO5bS`791eU53fcu=`F_aZ1!S!DK{FSYeO1&a;
zRi-CxGWYNU0@?OloPkNmUwK30X>&VuVrAPJ$$Pc8)+Ze%=w8PwZmIalgPnum4s-4m
zglUe?lOJ~}`)*h)B|wN3!wh+(=D^r!X7LX1Wqm~j5a_O)4jCCz9#^sZfn`6Bdr0TN
zjmeW9!1-HFR+&RpJr8eU<^%-*X;(w<)M_WBlB3#uq5Wxn);-Hv*FBWTlgJ1(gdfa{
zT#vJ-!EacGMM~J?`^B!!+xZK#qzT!Xi9q|8b!Q_O+~M16B34fJv}O^{?%Gk6UBLA^
zw!jFN(@nfv+&7JV8YIzjJ+`|DMNZkzxWQo9_f}=OFw5~ah)d&_k6O{0=+6Fk%X<({
zKIoqCmZlPF2bULCb?7BMZ;bf2&vGGQjgmbC>S&W?F4|EzY(DKaC7w$?`Q~!KZP()m
zSO8H?H>EcaD22W2EP3iG58gG^ay}%Tsi2BG4&^(?sybU16e;t!IJ%!2XZh(Mhzpl^
zrV<TVh3(2xC9z^=6V*y-9q0I?nN~a(lRJr@6-`@=^DA3=VaAv3HCQc%#aZUkWrxj1
z6wkvP8*lZG418*19^^4~sIA`W+i?1MDYj#$(nE2p^Rf>jV6nCadeiO-MF_dc#uCw*
zn)A3zB$zV2XI&zOF~of#LNK#(yrGtuwxp$?XD*GdYN0c0K%)4LV8&008XhcyKU<Bk
zY}Ie*yR)RRGe6NkWr`(M*?$RE8=4%Y@iA{(fv0T*s4GCd<tg#=g#mrEQf9aEAfs~5
z<I@oLRv2zcyn`>_7f~%?E1!s`dN_A`yD*UOVRmgqn$$A@0y_uT6=4cddYonLZlU9X
zuO|~GNQG7sWt<~xkgzkYdG%h#+ciam<&c@duQ5wjI+s^q^_H0QfO80FO<k4c%3-r~
zXvu=NXIXESC7sPI?696>0CLp(KFyx>-eZYL%SQ|*rk?)8-Y%ows?|Fo5lXNn&R&K&
zHOk23R;d0PITX{3!L=EOSx^eH=-F0(OM05EMPB_OC1C3$GxgocH1b+1Nf2HY$Arix
zd1j`FVUk2*iYrB-K)B6>e7cUQ62F%#9-myCbN>@INe&)8gp6%xNn(;{3W2XrwQ$Zi
z#(oKkYWFw}efl8<0ZoTcaOC$_XUSwJ3V^BoHihZVl?D%ne0U@wxigJXsP+trO5^Qd
z+rvLq7K%@GAdENfd@Cd1FeYu)UtrwIU=l*;<Q+3tq1QNrOJkC}jid3rZC91!zc%a!
zVxWij3>C^|Lcq+03Mx_JsjA0p{^5D*BZwO6cOwFj6QAcn$?wq8Nj&3-CvtSa0iH!@
zu-!pej_Y;US@qrS+8yTvgXZ6Vn61kr&pqn;<Y6Ve?mTg;_!q11Nd#2T+M7!gL}k(?
zN#Fh;fKIs|)OO|Z=)3hO9Rw86JAJZDk!uWs9>2bePGdywzS_J4_iXDI!-SBJ&g=0o
zGEwGMv2rZULza%Z31S-8@4#n&gkj<M=xHED&AO4l=i~YGluLZW^BX#0)MVX5$Do6P
z`0mRzr?KyYl^`3mr>1%EcFC4MaOdVgPbEQXLc$-MdgT8w`1{vUW#{36sE(4$^GkaY
z^tk-RQF|KSaUjTY-ps?tm_lX-j4;^vQ<l$%9pPQ}x@T8en_6h*^O<bNOgwAkBtGG1
z4YbCGUN&hnM~&6gn{d^mlIU)LUx3UJRwH9acIBLNAV#1(9JX=oy#;~z8H^oeucb(X
zc;!g19mBzhF-L=*uS*GfukbV>g%Uq~KhN$5>_Mq+(>tqqK~#(6EliTBeO4{>fsv^g
z^2rNl&-?~Wrm?BEq{r1o`5w^?4L8I?eDzGP1oo9ra^&b1eyGMZFq?&?us&wk*jcog
zg?-E4whFsxzxyd0;=1qGvB{ETtu;$OGV@O^5VI$N&|ll2tQ&Rf?yBnCXl8yWBUG*c
zwao3Y5$j6_nNeE#5zt9E1e&L@jP@rZ75aNXc}hIq6YJG<T^~%xxlP=9Re|7;o$Uy{
zfIdMIc+vc;RlvqE4%^KShG)s565$ijp-`4Ry+bGveK8IawJP?CxD~8kp$ynNPI}&s
zLmHXwZ7Egl<>h^xXMoeQE%fACcoPSY!_Fg%bRO9LfVBWue4+>!4-K^>wn48w62cJ6
zt@DQ+HAK=&=gyF;PS`AD)V4^avrK^GqJnE$ZJ`H+Dp$D;L_dDVVsAPu%jAfFlFS^l
z&DiBt=dRqG2CI}DZE$CjZaRH?a<WNheX0!FTnx@!PcOYC)kn=XM?$f;ae*ce&f^3(
zY|hn3kN|USbZLxxxmwYlB@>;5l*~DnenupduD$Ac%<zH$DFmxe07rMcdYa`8kr?p6
z3e=vt2_D!^@%97!ne++y%0W=FmSDv74)ef>e8yhk0?**vSxVz%>kc6nMPuFem%KSq
zorP%PYVp%$;V%@Mr12(7{)pvEvHYS??CTF87jxc1$b`_k-|5+y`JJMjGa-I$T4~|b
zpb;Us><YV`x1oRsrN#;lEp;NTwViWcOF9kT)PgN?`t+Dl@rTV{EwR>Bb7Ms1;|=c(
z6F;rhtABz>2@F1RKojH|d=DY=cE-=RKK9CDRu|)Np7xELRsqg1A(k~5QXji-%%5zx
z-VWd6Uq`-Bm%e!MqUen$m1Yea-fPvuy_zEZGt)+PNZ!#I=PEZ7_v7a3o^!**jpw$H
zhB8&-n}ImuyDv%hyKdr`yoWt{J9GB@uYaz<FPr*Qb(LSpb1hiu%E`QVc{(m`X;*2R
zXSem0XiW0Mz!H!z-5fPT%D%rKx3oT5^po1Dg&KQFBX!uSFQvB=d0fYyVHW!2nfLmR
zTSIb$RFA9z?SjQ{UxBqgR6fvDsD0M!#S1HYdlB-{)<wfp_dcEjBo+CoD=-CXMQ?0<
z819BV{&n~EAWvrRh={_X>UNWrZ_op<G4E;&NWhDR9qeGz%8SY=(-9X<l%3k#K*0;g
ztl&yP8GPsI9Lrq3toGt;I6EgZU~c*SMEC)cJ8yAbO`CrdJp80Tka6#!ZoI8Df^WUO
zi)vmIrU;aU`)7Esx5tcY7kV=?DVRTZC!xvY&KU%xlW}9v+GWquo!^kdP)?OQ52SWK
z6@Kl?^&6UbncMP8tR}JlRf#}WZ!vUp;$zrI>%7Rjp9Fw~C~_E=RjmgUQ|<0G=pQ8-
zE#Ig;4RAE%KY317)|g5PT%Y{e9wq4|?8SBe=0VlmP1VoxcNu-Zw%w`B2K;JnpXLCp
zF;_$1ex=_E@0)Ah*j__QuGg_qu>v513^n|<!*+^PXyRi#1tzpQt{yaPWX^nlyhTuY
z02MOw9**L{^QBy~)~T=ArD^^g5E3>s1~uOHi4$IR&Ux~FZ67v@BeepMzFNG0YU31-
zjM-}P_QqkG^_IU>;C)N^;j25p%$+8TBQjYFggL$K8#c6e*RAzK0NjNXIdnaaOYi^>
z-1O4+0n~6?gRM)C@c04rlZq_L3r_%1vPX7{=FSGP&1r)grix~zRcdSDb3z`nSPuh5
zA(8xdnxr102}ub2PaD9U{eEq;z0l$rT+QrRXO8<MUFo(L>13ckLF=$#07NiJVcX#|
z6vk5#q<0;0efQDG6nJ}5odA1K5hGQxL9O5%Nu!s<k=bdtSJ+p#L`oEH0ex41BLoWG
zY2ej|q~QG<?sw>LKUhhDmLMG&sU#VfBYHiXRP=C7bvZzteE>h-{U*wKm?V1G&LkMn
z0bZr-*`^NK2R5KK(Vv|_ahTLcXwhXpuM74^Q=+4CzfbeK;z0sL_-%kU%!DO;o&m3E
zBCppE8aYCs=xEb(C(w`7(J|+yIhhMQeRhiF$e-O|JCz51*1r+1SO>Nqwb9V}M;e|<
zX=ncpV~Jp2g{&{j){)vN0`%m^NiFuC_F}tzOZ)$5x&P@JI)E)-xgd0g{XS@H*(ba_
z5&)*hXsu@qMD}mdR}yotUg!j!10c*=slFk&Z3JF7j%!Qpzo8tcmbrx`zBu&}+_kbh
z-~44rDRIfh2LRXjeT|3U=SJ>^H40Hc0^m0KhS3|ecD6i@T!rkv!3fmHsubGfDei*w
z#qj;Fy0@UJ7BJ}17q;KYDFi>8(NDM^O$KF52|za~1zvZn{bLSVJq5rdNC?%V*T7xo
z)p5M93GS85(yfJkPD=pq{+&1eYYxCX{yPHWUvv1^JNySA=l|Cn2=s3xy-Gh>_j1=C
zdph5vOp<6OiAb-==70|EC-6wy^q;1bl?FYVqZIOBbkq4I@X_d_!6z9x@Vi@FnB9EG
zo>$V$;Bc9E`{Ek=GVsTa{n`wVK*<?xr_}()Te*&bQEv{7TWf)L68}$IR~`@5`v1)|
zLP{!2MNyfuD`iWV$lkSUl4YhFxt7V2Xl!FDsc12lsmQ3vmdG~tktL*zvW_L$cgjw)
ze4i=Py|3Tv=g;w)Gv}P=IiKhKoX>kXVLS>j^)@lpD0N5hX$k@lWhW&&Yeaz}0Rg|p
z^LjwOQxp_f6i5iE0BY2r3~Db(1J0_N?JHwjLFQc@GsA-D<y64Fd@Jzo2PmP4SD-Ag
z$<n;)>>?Hwj~`+yp_QIF@8gB(eH$a;;zvIvn5LS<IgfsPVpZ_ZXS95x?ZL1x5%4<-
z-H08$DeMc={dai|-MLC%ppLv3^NKZ;2(e+ucHg~wH&m8%0Z>gi<$s9nI!?s6SpJs0
zIs>_}_XWgELw`k30Cpf;ba*l=CtmIAb-ht4N$H4rQtbQtVy0jRI`Y)xO|&O1Ps4Ew
z;6@|3z{x{APnvf8b~2Q1@c@fN=RR~Oh_RCO9<1e?=qn@tkk!5xL<y|a(a=~+%*ndX
zybYqP*XBp^PoAh}({SR!ZI6Gf&I>_;qrLGx{^Ym$z+RO@f@kqyoSH&b`i}66$Ug#c
z(hd1kZMnY^R8^`g*7E`6|IqSW&jpY;l>e^fodDFWbVvFcd%gAt)p&;BEWQ!>)oA3y
zUPD^n=gGqcEzm>n@6Ru`nm2)7p$mQW$9oKYluFBY9RV!TXv6*3GtHWFr=A>lePEO0
zq$L19zY|b60Rv#gBni922t+wjX?PChinlf<taOm|?dEp2CALfTExs?{tgc_!?*WK+
z55e{9R|}iiaR+c5#tHxoqH3_Q#7+z3PaY6ZO+OA=bVH<Dw{CIq<=TJ|0E04@qIl`h
zBMmmp=>?n#7+|R;U(UCIK@T1Ul-dcvMP-Lax8VT)HVAR9Ss9F}8@T7K?C9@l02jJG
ztr}E;8w&AIZ_)?D?aspj4xT1>DEC39cWQIrb%IyD53MeMvx7|oT-O6{RNn|SBSa4Z
z-M2&<I~cq6c@^8e6w_1WyYNY^$=<614!V1qu5qAmNd%VVsLItres-jJFLvyikMuhN
z;ONPL(?HIDj6|%1nb|Dxhs_4adlbfU0+_kFMV_?3Z!ybeOXdEWNHcpz`25n)bna`#
z$of<caiTTN6trL&d8Z};OIQLtlOZiqCR-B${P0$AefMYm75r|32oEegMk>Wng4gDi
zK|;M-cR|K*6Vcp%rW?-o+>Y9(*&(e&H~i&(3-Y&JmL}Vk*<{4lSND-kXeZFH1P#po
z`cE$xi`l>c<6-yM5uEgI`>9^RF0vO1q_&wmg)Ft-X%&{SI`jUagc4}15x~q(-LE$u
z@KW<59zh2S{Sc-8bqfxBm$eji&k<mUUvv=3M=toG`iD(}b&)P0IXcgirc5hvi?PYD
z0xxT3RN0+on{<nTL=Dggz3j>b6BOJ52z(GICvVOTl!DIJ2Vyyyz}*0R6k@i8a|7z8
z#JACWKQ``TQv)}^3AkArJpYM91|xBK+jCBCaSNc{<X}9c<*UH_;8G){+V5&G8UGJc
z&<msdfFl}#1p^4R;<F&Fbp^~`pPmaMmx+kW!0Y!XAYi|U5>sowt|juk|IL-7oM7K^
z@P*D2%{CDZ_Eg}n1#h=5q5!EnY5KmH+J&UZO&f5N3!(#V8lzXs{UH)e@pAw8YqY~?
z5NaI3Xc?ZoW(Sl?*}_{nQFj~}5;wb8H5BEKpNA=LVN8IOZEfV*CCkzC9E8b(FO(n?
zBE=S?B2ocyanJxgLw+eW@Z(q{)gRM$^omHGu3)aUq}4c8dOBisRF?A05zR4J_<pl$
zj#LyUd#%h!w@5rxnz(nzogjR^t65`d>JZRm^t*{XhC{B7lXot+J3EX}cWR(GF6AT+
zPZ#Ao{9&wB*g_Th1MWR}=AP$ym1ivyD2$7WKYx0QPKw^Aw!T%{?+=&VzNFm!O${t!
zV0CqGU@qD1yQ7h9QWq*-^ftkcVIb()=kPM&YR3LD4N?Lym{BE<)qI&`>FVn=Z;uaR
z2BHF20!@6!<aUId76*>(5BSB+X>j{aoY{DQ!&AOsg`<lj8uRV;6>JWEr4vux#zq0y
zl=AxprAKcKeHAmT<cn{$J_fM!c|rB^IVBp!qe9AW-^vKha4tiMmREu+Y|(utek05k
z>e`$bhwOJec(c3xk<ZZkJ-=y&S^<66h*`*Wz!VlMJY2RNZC0kwQrlnDb=g*uckEGu
zhu>Aj_Mp+G$^Ni{{)evS`#R$di;PJ1UhzQt($!-GyvXrq`KEhH9n6v%75KDJYopU4
z0d3K>4xYu)GRBocWN5uvB7w}zcQDZIt~&p+w6Nb~HOJ!l4bQIJ16Lf+@7{p@l7hzH
zsz&vFomZ@6tk({Q2_g`i@R%u`xbnIwlj^EQQ|i|*$)!Syj|^|-NkbqZuw{vpvJ$wT
z30ud#ZJ)k)eGBJ5*O~UvhO?)g<rUW~I9-&zS1wM`YpnU!NAQn5Tj-3|6EfEM2~y?i
zuI;o*(fGIpQ_<U7A+WPhmS?{bg;8Q#s+zOoGyLUuYI~>|d}C7bzNnHQk%=aS`_Vis
zNmY`H2Rzw-mK8MOTrz$;gK%^z@|tV@*vCUEnX#WUjqaVU^1!!G6*W%87^b=mMJmg~
zE7*t2(QKe|Hd;kh@o|UX8E7||^DmzEShG2{k6{9{7Y;S@kejfDfyUKpS>z-JruBfE
zpNq>QP?Du`$0L@kDuN+y-cJf8YO8B>kpFTuCI5j=mM~+VnWlKg+21Vk>xcv#75h$*
zrfSkb)E(JtT&<%SLp5{CHMr0p7=BLQYAe)<znt;;;d~XQJ;mWJ{aD=J0xb6-3Q%a&
zFNO$ko(dRU)_cA7fE}ec-zKBSc4yvO%VN||qdumHdeCU>Yx{MAP35dgV^UU_6d-Xd
zd(QEh4kw8z5mSOo7!@Zo4XY00hhvB4XI*s~?-)+H2A&aSj(tin9H$mYqBtp;IzSag
zUl5g63^#Eat)I`>1L@}%?^??j*DmNOE<}Yywdl+Y6%t}&rHJPgXMS?$alxhqS6vwX
z#%5;m{$vNwdhe(|fd(*x{|I2Rs$M?{KbRczUjYn@pOMuu7ay*3B}Ox+>`dB)3~mS&
zrhT5Cb)xb`RNHHZ-u%6fcW>+@1;1xi_4oS`3Br@6mAb<8QrM(H6%i`KqxzxwzG;e8
z&9RInG30tX&YHZc=HZ~XMYLh4sm}5QfGpEGel}lG#V1Y4%RRRIL%-Wa05F6KS%|H}
zz3in%GF6r?t+hpkd2y@eJdrbY*}F$<HC#L6IgY7@YhuP8w_?rTt8|nMKZK5`B9K&#
z27+nBZ*Ip;?|#71U2)+NTfqDA4Kb5o!&3e~K+*844lGf>oItMGZUcv#dv{6MuY3DE
zqBTqEn5ZVEv`=!hRqtEZU2A3RtTMK!FV3m}{bIj95Oi>6rygFfheE8teTu%P(!H7+
zXkt)>gNmJ_#&XnEGTJJOSvbw00SVt}KmU@_&D5`}IdwLk5mf<MY9@a#w|>d{q3^%7
ze)q-^!w|{bZD!03l^5P04R-GexvmRV8vgR|YxSWE!EU-N=J1fR_q>(c)hXdqJ#&7@
z-6&1Sl056<!_Zj#_O`fc<MK+Yvdxx)8>hJng14ie&9A6wrO;EerObDFZCP;KB-14d
zHH;xQy#ku2)Y~uN$ghO4w#37WSvrj1HJ!X=lAf>WCMVm`NCE2<3{(PFc1}^764q-m
z7TojR`A;g1<T%vbn!-rX9#&-~lXzeEAA?-8#|_Mr(`e<?Q#1`=BsVZ_r(;~VaIYyf
zZcU~6ZS&FGb5P3benqjO>G=KGik+E?_t?Pf*T!e?G`c<~r|HSApp>&C34<3kUPB-l
zSW!01CT~RcFk9%@_w?Xx=BF}&riLeSDI<TWq&k0=!ibzXz^i^B_o`RkN2XugqPw;I
zhq#8hTA?UT(~TGA^o``Q32x4;wxZKF<H=lH5KWjrYav@)s~pu#aYx^-(cj9L6zgY|
zI%?Zj+C6nd-Rz^!jPqXlM<&^S3df3U_r3JY*J^I(tmo%EV<8R*@j1YL>}ds_$wIQB
z(LyrzM-)414+6M`?(Z1!MXyL$F*ET5EhPRUAWLVn<Y|&PPi?6Hr+~XikBd$)ap6_;
zj~rji5~!~s<KBbjns1zWzy&?%eu?s_DZ*rc(9Xw96y$ZbLU1!Tl#}<1eNd~p6HXJ`
z_oX`xkwaKMCD|7X&&Jnw3bt6I->G?|_zm=yCz(^1Erd5_L2X9Z7UqVSbL<>Tedbt`
zuNk863yCA-gi<o4+{ckT8Q&-_E0!g1Lv61t1-!vUO%uXOQ(5_NN)xtjL2%Vk*>&$m
zwMSIRCtq3WUvJ&r7=2tc;ir$gB-#>z=?<72=93A+uB4L}6Cw(P*4ssaF|8b{OW}S_
z>77pudDZZm#a$K&%L)$55pAXE>STaB_jA&M@nL-FjzF`y>S$u?E`=p@p=8iAt|cPe
z4-R_~_u-TXr@}KY7n|Y&YwQFV?p%c>{XL|dn5jvJhAFzd>YbX!9Tqtw_T_YQw-7yH
z)tS~bg+EIjL{vQ&8$JE67I$0m<|aeQY_^Khg*rNyYE#IQVo_r7WbiIvhwN#aqJMQP
zaPl4fD059IOER2)xUsD^m=DmJ*-NS^?yEF=j~KMqcC;|~%DdxiVi>4ffE{Lu&>Evm
zt+;_GYXKRjH*eVBqt45BH}r?h|4|M%&oBIpKJm8z<N0ZA6!T&5YTxFJYd^5>b?%n<
z)~2au&1Z)N`r}5r72fNRQI3{Z(yvx}b?S1s++heo*#Dz;=B>`NI|R-6RedWlI*pCH
z3{$$o6;corfp#5@e&fjFbLQHLBu1`rJhMp8-ND8n)6wFd9Lw$s-zH~Ugd+{L0L)Yw
z^{N^66|ue7U9d8Vv6@*m^C7>7eV<VPhKmcTWPIkd4f~-b!rByAKUG7eX?d<hU3jMP
zyTNv;17f0k90y(Z5`kt?1I`nW6TPXdqv1(wTB=ca&+!mBT*{Yxp>@4Yvs%~BRx+>&
z!K@yC87FCq&8eJp8)@q^g!vr>4%#TFrlao%A6hYn<k^*n^p{YVU&<uLZzje?zu?}r
z$)mdZ55%VMOU+$4z(bZN)RZAjtv+WGDBj#aDOx_<5J#OeeaQ^tPdpiY5Ufaz0}L@Z
zc5aS9xxP*2y3-+JS<4>(J@&ekl1$sFfTl^Em4@!WeoC3oCR$~lhsazwO7h`BSXG{B
zjCl<F1{)M<dGM~v-J7Gl@N5duUF)=w@wYLAMBlS*!i)+YYv=kTJ>SJu<C5aw9T`3s
zk7d}ETo2aEJ;`}yB+<}GVO*movSFZ4Zn)vA3W%787=J{W>|79ucEH{<YVI{AXt`=P
zCLK}>fWfAFTd*aQTbL8p^&^XoLK@gpc4p#zN9rF;$6SgCXvi3fkn;NM4z2}bENiFv
z3i-XR^m30LrG%?+qW{&t2<NHUn!KwlOByNotkr|0*r6jJa>hGY@Qyx$VG*n8>fcB_
zk|tzk5=#hQFrp2vr3Pm}J)1@OrT+D#(-vh5BgHj~Pd_-~Mc5_NGd%pZ;zj6gU=02^
zJsGas@f{mEluU;W@uW{{?7WX49e<lX`~hj;dnArndqWuh7NOtSv5JdZcq}`CwYB8}
Of5!S|XWr<dZ~PB8CA~cW


From 8a190579defc5631dc78e33490d0305dd6a6abf4 Mon Sep 17 00:00:00 2001
From: Aaron Coburn <aaronc@inrupt.com>
Date: Tue, 11 Jan 2022 15:15:45 -0500
Subject: [PATCH 14/14] Clarify UMA requirements

* Set UMA requirement as SHOULD
* Set OpenID profile as required for UMA servers
* Set WWW-Authenticate (as_uri) as MUST unless a
  different discovery mechanism is used
---
 index.bs | 40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)

diff --git a/index.bs b/index.bs
index 391e450..56d585f 100644
--- a/index.bs
+++ b/index.bs
@@ -81,8 +81,9 @@ This specification uses the terms "access token", "authorization server", "resou
 "grant type", and "client" as defined by The OAuth 2.0 Authorization Framework [[!RFC6749]].
 
 Throughout this specification, we will use the term Identity Provider (IdP) in line with the
-terminology used in the Open ID Connect Core 1.0 specification (OIDC) [[!OIDC.Core]]. It should be noted that
-The OAuth 2.0 Authorization Framework (OAuth) [[!RFC6749]] refers to this same entity as an Authorization Server.
+terminology used in the Open ID Connect Core 1.0 specification (OIDC) [[!OIDC.Core]].
+It should be noted that this is distinct from the entity referred to as an Authorization Server
+by the OAuth 2.0 Authorization Framework (OAuth) [[!RFC6749]].
 
 This specification also uses the following terms:
 
@@ -320,7 +321,7 @@ With the `webid` scope, the DPoP-bound OIDC ID Token payload MUST contain these
     another one is the string `solid`.
     In the decentralized world
     of Solid OIDC, the audience of an ID Token is not only the client,
-    but rather the Solid Authorization Server;
+    but also a Solid Authorization Server;
     that is, any Solid Authorization Server at any accessible address
     on the world wide web. See also: [[RFC7519#section-4.1.3]].
  * `azp` - The ClientID claim is used to identify the client.
@@ -355,26 +356,29 @@ With the `webid` scope, the DPoP-bound OIDC ID Token payload MUST contain these
 
 ## Authorization Server Discovery ## {#authorization-server-discovery}
 
-When Client performs an unauthenticated request to a protected resource,
-Resource Server MUST respond with HTTP <code>401</code> status code,
-as well as <code>WWW-Authenticate</code> HTTP header including <code>UMA</code>
-as authentication scheme, with the <code>issuer</code> URI from the
-authorization server's discovery document in <code>as_uri</code> parameter
-and permission ticket in  <code>ticket</code> parameter.[[!UMA]]
+When a Client performs an unauthenticated request to a protected resource,
+the Resource Server MUST respond with the HTTP <code>401</code> status code,
+and a <code>WWW-Authenticate</code> HTTP header. See also: [[RFC7235#section-4.1]]
 
-Given <code>as_uri</code> client can discover Authorization Server token endpoint via
-Authorization Server Metadata available at <code>./well-known/uma2-configuration</code>.
-As specified in [[!UMA]]
+The <code>WWW-Authenticate</code> HTTP header MUST include an <code>as_uri</code>
+parameter unless the authentication scheme requires a different mechanism
+for discovering an associated authorization server.
 
+Authorization Servers SHOULD implement User-Managed Access (UMA) 2.0 Grant for
+OAuth 2.0 Authorization [[!UMA]].
 
-## Obtaining Access Token ## {#obtaining-access-token}
+## Obtaining an Access Token ## {#obtaining-access-token}
 
-Clients can obtain an Access Token from the Authorization Server's token endpoint using
-<code>urn:ietf:params:oauth:grant-type:uma-ticket</code> grant [[!UMA]].
-When using this grant Client MUST use [[#tokens-id]] as <code>claim_token</code>
-and <code>http://openid.net/specs/openid-connect-core-1_0.html#IDToken</code> as <code>claim_token_format</code>.
+For Authorization Servers that conform to [[!UMA]], the
+<code>http://openid.net/specs/openid-connect-core-1_0.html#IDToken</code> profile MUST
+be supported. This profile MUST be advertised in the <code>uma_profiles_supported</code>
+metadata of the Authorization Server discovery document [[UMA#rfc.section.2]].
 
-Note: Client can push additional claims by requesting an upgraded RPT [[!UMA]]
+When using the <code>http://openid.net/specs/openid-connect-core-1_0.html#IDToken</code>
+profile with an UMA-based Authorization Server, the Authorization Server MUST be capable
+of exchanging a valid Solid-OIDC ID Token [[#tokens-id]] for an OAuth 2.0 Access Token.
+
+Note: Clients can push additional claims by requesting an upgraded RPT [[UMA#rfc.section.3.3.1]]
 
 ## DPoP Proof Validation ## {#resource-dpop-validation}