```

### Run the `web-identity.go`

```
~ go run web-identity.go -cid example-app -csec ZXhhbXBsZS1hcHAtc2VjcmV0 \
     -config-ep http://127.0.0.1:5556/dex/.well-known/openid-configuration \
     -cscopes groups,openid,email,profile
```

```
~ mc admin policy create admin allaccess.json
```

Contents of `allaccess.json`

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {

		"response_mode": {"form_post"},
		"client_id":     {c.ClientID},
	}
	if c.RedirectURL != "" {
		v.Set("redirect_uri", c.RedirectURL)
	}
	if len(c.Scopes) > 0 {
		v.Set("scope", strings.Join(c.Scopes, " "))
	}
	v.Set("state", state)
	v.Set("nonce", state)
	if strings.Contains(c.Endpoint.AuthURL, "?") {
		buf.WriteByte('&')
	} else {
		buf.WriteByte('?')
	}
	buf.WriteString(v.Encode())

    "SignerType": 1
  }
}
```

> NOTE: You can use the `-cscopes` parameter to restrict the requested scopes, for example to `"openid,policy_role_attribute"`, being `policy_role_attribute` a client_scope / client_mapper that maps a role attribute called policy to a `policy` claim returned by Keycloak.

claim_name    (string)    JWT canned policy claim name, defaults to "policy"
claim_prefix  (string)    JWT claim namespace prefix e.g. "customer1/"
scopes        (csv)       Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"
comment       (sentence)  optionally add a comment to this setting
```

and ENV based options

```

from fastapi.testclient import TestClient


async def security1(scopes: SecurityScopes):
    return scopes.scopes


async def security2(scopes: SecurityScopes):
    return scopes.scopes


async def dep3(
    dep1: Annotated[list[str], Security(security1, scopes=["scope1"])],
    dep2: Annotated[list[str], Security(security2, scopes=["scope2"])],
):
    return {"dep1": dep1, "dep2": dep2}


app = FastAPI()

import static java.lang.annotation.RetentionPolicy.RUNTIME;

/**
 * Meta-annotation that marks other annotations as scope annotations.
 * <p>
 * Scopes define the lifecycle and visibility of objects in the dependency injection
 * system. Custom scope annotations should be annotated with {@code @Scope}.
 * <p>
 * Built-in scopes include:
 * <ul>
 *   <li>{@link Singleton} - One instance per container</li>

            <scope>test</scope>
          </dependency>
          <dependency>
            <groupId>test</groupId>
            <artifactId>e</artifactId>
            <version>0.2</version>
            <scope>provided</scope>
          </dependency>
          <dependency>
            <groupId>test</groupId>
            <artifactId>f</artifactId>
            <version>0.2</version>
            <scope>import</scope>

    if user is None:
        raise credentials_exception
    for scope in security_scopes.scopes:
        if scope not in token_data.scopes:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail="Not enough permissions",
                headers={"WWW-Authenticate": authenticate_value},
            )
    return user


async def get_current_active_user(

  <version>0.1</version>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>test</groupId>
        <artifactId>a</artifactId>
        <version>0.1</version>
        <scope>import</scope>
        <!-- missing type=pom -->
      </dependency>
    </dependencies>
  </dependencyManagement>

    }

    /**
     * Creates a new PathScope instance with the specified ID, project scope, and dependency scopes.
     *
     * @param id the identifier for the path scope
     * @param projectScope the project scope associated with this path scope
     * @param dependencyScopes the dependency scopes associated with this path scope
     * @return a new PathScope instance
     */