```

### Run the `web-identity.go`

```
~ go run web-identity.go -cid example-app -csec ZXhhbXBsZS1hcHAtc2VjcmV0 \
     -config-ep http://127.0.0.1:5556/dex/.well-known/openid-configuration \
     -cscopes groups,openid,email,profile
```

```
~ mc admin policy create admin allaccess.json
```

Contents of `allaccess.json`

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {

		"response_mode": {"form_post"},
		"client_id":     {c.ClientID},
	}
	if c.RedirectURL != "" {
		v.Set("redirect_uri", c.RedirectURL)
	}
	if len(c.Scopes) > 0 {
		v.Set("scope", strings.Join(c.Scopes, " "))
	}
	v.Set("state", state)
	v.Set("nonce", state)
	if strings.Contains(c.Endpoint.AuthURL, "?") {
		buf.WriteByte('&')
	} else {
		buf.WriteByte('?')
	}
	buf.WriteString(v.Encode())

    "SignerType": 1
  }
}
```

> NOTE: You can use the `-cscopes` parameter to restrict the requested scopes, for example to `"openid,policy_role_attribute"`, being `policy_role_attribute` a client_scope / client_mapper that maps a role attribute called policy to a `policy` claim returned by Keycloak.

claim_name    (string)    JWT canned policy claim name, defaults to "policy"
claim_prefix  (string)    JWT claim namespace prefix e.g. "customer1/"
scopes        (csv)       Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"
comment       (sentence)  optionally add a comment to this setting
```

and ENV based options

```

from fastapi.testclient import TestClient


async def security1(scopes: SecurityScopes):
    return scopes.scopes


async def security2(scopes: SecurityScopes):
    return scopes.scopes


async def dep3(
    dep1: Annotated[list[str], Security(security1, scopes=["scope1"])],
    dep2: Annotated[list[str], Security(security2, scopes=["scope2"])],
):
    return {"dep1": dep1, "dep2": dep2}


app = FastAPI()

import static java.lang.annotation.RetentionPolicy.RUNTIME;

/**
 * Meta-annotation that marks other annotations as scope annotations.
 * <p>
 * Scopes define the lifecycle and visibility of objects in the dependency injection
 * system. Custom scope annotations should be annotated with {@code @Scope}.
 * <p>
 * Built-in scopes include:
 * <ul>
 *   <li>{@link Singleton} - One instance per container</li>

      <version>0.2</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>test</groupId>
      <artifactId>c</artifactId>
      <version>0.2</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>test</groupId>
      <artifactId>d</artifactId>
      <version>0.2</version>
      <scope>test</scope>
    </dependency>
    <dependency>

            <scope>test</scope>
          </dependency>
          <dependency>
            <groupId>test</groupId>
            <artifactId>e</artifactId>
            <version>0.2</version>
            <scope>provided</scope>
          </dependency>
          <dependency>
            <groupId>test</groupId>
            <artifactId>f</artifactId>
            <version>0.2</version>
            <scope>import</scope>

        <version>0.2</version>
        <scope>compile</scope>
      </dependency>
      <dependency>
        <groupId>test</groupId>
        <artifactId>c</artifactId>
        <version>0.2</version>
        <scope>runtime</scope>
      </dependency>
      <dependency>
        <groupId>test</groupId>
        <artifactId>d</artifactId>
        <version>0.2</version>
        <scope>test</scope>
      </dependency>

    private Set<String> scopes;

    /**
     * Create a new filter with the specified scopes and their implied scopes enabled.
     *
     * @param scopes The scopes to enable, along with all implied scopes, may be {@code null}.
     */
    public CumulativeScopeArtifactFilter(Collection<String> scopes) {
        this.scopes = new HashSet<>();

        addScopes(scopes);
    }

    /**