```

### Run the `web-identity.go`

```
~ go run web-identity.go -cid example-app -csec ZXhhbXBsZS1hcHAtc2VjcmV0 \
     -config-ep http://127.0.0.1:5556/dex/.well-known/openid-configuration \
     -cscopes groups,openid,email,profile
```

```
~ mc admin policy create admin allaccess.json
```

Contents of `allaccess.json`

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {

		"response_mode": {"form_post"},
		"client_id":     {c.ClientID},
	}
	if c.RedirectURL != "" {
		v.Set("redirect_uri", c.RedirectURL)
	}
	if len(c.Scopes) > 0 {
		v.Set("scope", strings.Join(c.Scopes, " "))
	}
	v.Set("state", state)
	v.Set("nonce", state)
	if strings.Contains(c.Endpoint.AuthURL, "?") {
		buf.WriteByte('&')
	} else {
		buf.WriteByte('?')
	}
	buf.WriteString(v.Encode())

    "SignerType": 1
  }
}
```

> NOTE: You can use the `-cscopes` parameter to restrict the requested scopes, for example to `"openid,policy_role_attribute"`, being `policy_role_attribute` a client_scope / client_mapper that maps a role attribute called policy to a `policy` claim returned by Keycloak.

claim_name    (string)    JWT canned policy claim name, defaults to "policy"
claim_prefix  (string)    JWT claim namespace prefix e.g. "customer1/"
scopes        (csv)       Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"
comment       (sentence)  optionally add a comment to this setting
```

and ENV based options

```

//  limitations under the License.

package scopes

import (
	"istio.io/istio/cni/pkg/constants"
	"istio.io/istio/pkg/log"
)

// Required to get global logging to work
var (
	CNIAgent  = log.RegisterScope(constants.CNIAgentLogScope, "CNI agent scope")
	CNIPlugin = log.RegisterScope(constants.CNIPluginLogScope, "CNI plugin scope")

import static java.lang.annotation.ElementType.ANNOTATION_TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

@Target(ANNOTATION_TYPE)
@Retention(RUNTIME)
@Documented

      <version>0.2</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>test</groupId>
      <artifactId>c</artifactId>
      <version>0.2</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>test</groupId>
      <artifactId>d</artifactId>
      <version>0.2</version>
      <scope>test</scope>
    </dependency>
    <dependency>

    </dependency>

    <dependency>
      <groupId>maven-test</groupId>
      <artifactId>scope-compile</artifactId>
      <version>1.0</version>
      <scope>compile</scope>
    </dependency>

    <dependency>
      <groupId>maven-test</groupId>
      <artifactId>scope-provided</artifactId>
      <version>1.0</version>
      <scope>provided</scope>
    </dependency>

    <dependency>

            <scope>test</scope>
          </dependency>
          <dependency>
            <groupId>test</groupId>
            <artifactId>e</artifactId>
            <version>0.2</version>
            <scope>provided</scope>
          </dependency>
          <dependency>
            <groupId>test</groupId>
            <artifactId>f</artifactId>
            <version>0.2</version>
            <scope>import</scope>

    private Set<String> scopes;

    /**
     * Create a new filter with the specified scopes and their implied scopes enabled.
     *
     * @param scopes The scopes to enable, along with all implied scopes, may be {@code null}.
     */
    public CumulativeScopeArtifactFilter(Collection<String> scopes) {
        this.scopes = new HashSet<>();

        addScopes(scopes);
    }

    /**