* This class extends FessApiAction to provide admin-specific functionality
 * including enhanced access control for administrative operations.
 *
 * <p>Admin API actions require special permissions and access tokens
 * that are validated against the admin role configuration.</p>
 */
public abstract class FessApiAdminAction extends FessApiAction {

    /** Logger instance for this class. */

     * Used to convert validation messages to localized text for API responses.
     */
    @Resource
    protected MessageManager messageManager;

    /**
     * Service for managing API access tokens including validation and authentication.
     * Used to verify token-based authentication for API requests.
     */
    @Resource
    protected AccessTokenService accessTokenService;

    /**

import org.lastaflute.web.ruts.process.ActionRuntime;

import jakarta.annotation.Resource;

/**
 * Admin action for Access Token management.
 * This class provides CRUD operations for access tokens.
 *
 */
public class AdminAccesstokenAction extends FessAdminAction {

    /**
     * Default constructor.
     */
    public AdminAccesstokenAction() {
        super();
    }

        } catch (final Exception e) {
            throw new SsoLoginException("Failed to get a token.", e);
        }
    }

    /**
     * Attempts to refresh tokens silently using the MSAL4J silent authentication flow.
     * @param user The Azure AD user whose tokens need to be refreshed.
     * @return The new authentication result, or null if silent refresh failed.
     */

- Promoted the `ServiceAccountTokenJTI` feature to GA, which adds a `jti` claim to issued service account tokens and embeds the `jti` claim as a `authentication.kubernetes.io/credential-id=["JTI=..."]` value in user extra info

- Kube-apiserver: Promoted the `ExternalServiceAccountTokenSigner` feature to beta, which enabled external signing of service account tokens and fetching of public verifying keys. This was accomplished by enabling the beta `ExternalServiceAccountTokenSigner` feature gate and specifying the `--service-account-signing-endpoint` flag. The flag value could either be the path to a Unix domain...

- Allowed creating ServiceAccount tokens bound to Node objects.
  This allows users to bind a service account token's validity to a named Node object, similar to Pod bound tokens.