And 6. OAuth or JWT.... some sort of authentication handling with role support for your resources.

Agreed - I've seen this in more security-aware scenarios, but I'd say it's far from the norm for server-side software, even though it's desirable. Apart from incoming auth (which is actually fairly easy once you've got the model), the retransmission of JWT auth tokens from service-service requires the same sort of mechanism as the X-B3 tracing headers used in Zipkin - TBH I'm not sure how many web frameworks support this out of the box. Ideally you'd want it to be zero touch, so incoming JWT headers were automatically populated on outgoing HTTP requests. Admittedly, we don't actually have this JWT-transmission functionality in http4k either at the moment, although it would be fairly trivial to implement since we already do OpenTracing and the SaaF Filter model makes it easy.