message TokenReviewStatus {
  // Authenticated indicates that the token was associated with a known user.
  // +optional
  optional bool authenticated = 1;

  // User is the UserInfo associated with the provided token.
  // +optional
  optional UserInfo user = 2;

  // Audiences are audience identifiers chosen by the authenticator that are

message TokenReviewStatus {
  // Authenticated indicates that the token was associated with a known user.
  // +optional
  optional bool authenticated = 1;

  // User is the UserInfo associated with the provided token.
  // +optional
  optional UserInfo user = 2;

  // Audiences are audience identifiers chosen by the authenticator that are

@needs_py39
def test_no_token(client: TestClient):
    response = client.get("/users/me")
    assert response.status_code == 401, response.text
    assert response.json() == {"detail": "Not authenticated"}
    assert response.headers["WWW-Authenticate"] == "Bearer"


@needs_py39
def test_token(client: TestClient):
    access_token = get_access_token(scope="me", client=client)
    response = client.get(

zzoehiijh1ZpZuJ1-SzuVVupenv8r5yuCaFshs/edit#heading=h.dwbqvwmg6ud3))

When a ztunnel receives traffic (authenticated or not) from a workload, it will forward that traffic to the Waypoint proxy **after** applying any `TRANSPORT` layer policies (i.e. `Authorization`s). Thus, if the destination workload has at least the equivalent of a `STRICT` `PeerAuthentication`, unauthenticated traffic will be rejected before it reaches the Waypoint proxy. If the effective policy is `PERMISSIVE` (the default),...

   */
  @Throws(IOException::class)
  fun authenticate(
    route: Route?,
    response: Response,
  ): Request?

  companion object {
    /** An authenticator that knows no credentials and makes no attempt to authenticate. */
    @JvmField
    val NONE: Authenticator = AuthenticatorNone()

    private class AuthenticatorNone : Authenticator {
      override fun authenticate(
        route: Route?,

    assert response.headers["WWW-Authenticate"] == 'Bearer scope="me"'


def test_incorrect_token_type():
    response = client.get(
        "/users/me", headers={"Authorization": "Notexistent testtoken"}
    )
    assert response.status_code == 401, response.text
    assert response.json() == {"detail": "Not authenticated"}
    assert response.headers["WWW-Authenticate"] == "Bearer"


def test_verify_password():

            unauthorized_headers = {"WWW-Authenticate": f'Basic realm="{self.realm}"'}
        else:
            unauthorized_headers = {"WWW-Authenticate": "Basic"}
        if not authorization or scheme.lower() != "basic":
            if self.auto_error:
                raise HTTPException(
                    status_code=HTTP_401_UNAUTHORIZED,
                    detail="Not authenticated",

@needs_py310
def test_no_token(client: TestClient):
    response = client.get("/users/me")
    assert response.status_code == 401, response.text
    assert response.json() == {"detail": "Not authenticated"}
    assert response.headers["WWW-Authenticate"] == "Bearer"


@needs_py310
def test_token(client: TestClient):
    access_token = get_access_token(scope="me", client=client)
    response = client.get(

@needs_py39
def test_no_token(client: TestClient):
    response = client.get("/users/me")
    assert response.status_code == 401, response.text
    assert response.json() == {"detail": "Not authenticated"}
    assert response.headers["WWW-Authenticate"] == "Bearer"


@needs_py39
def test_token(client: TestClient):
    access_token = get_access_token(scope="me", client=client)
    response = client.get(

    assert response.headers["WWW-Authenticate"] == 'Bearer scope="me"'


def test_incorrect_token_type():
    response = client.get(
        "/users/me", headers={"Authorization": "Notexistent testtoken"}
    )
    assert response.status_code == 401, response.text
    assert response.json() == {"detail": "Not authenticated"}
    assert response.headers["WWW-Authenticate"] == "Bearer"


def test_verify_password():