credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including MinIO long lasting credentials in the application. Instead, the identity of the caller is validated by using a JWT id_token from the web identity provider. The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO...

Aditya Manthramurthy <******@****.***> 1714599073 -0700

    @Override
    public int hashCode() {
      return identity().hashCode();
    }

    @Override
    public boolean equals(@Nullable Object obj) {
      if (obj instanceof DummyHandler) {
        DummyHandler that = (DummyHandler) obj;
        return identity().equals(that.identity());
      } else {
        return false;
      }
    }

    private DummyProxy identity() {
      return DummyProxy.this;
    }

    new EqualsTester()
        .addEqualityGroup(
            Equivalence.identity().onResultOf(Functions.toStringFunction()),
            Equivalence.identity().onResultOf(Functions.toStringFunction()))
        .addEqualityGroup(Equivalence.equals().onResultOf(Functions.toStringFunction()))
        .addEqualityGroup(Equivalence.identity().onResultOf(Functions.identity()))
        .testEquals();
  }

  public void testEquivalentTo() {

includeBuild("../build-logic-settings")

// Shared basics for all
include("basics")

// Platform: defines shared dependency versions
include("build-platform")

// Compute the identity/version we are building and related details (like current git commit)
include("module-identity")

// Code quality rules common to :build-logic and the root build
include("code-quality-rules")

// Plugins to build :build-logic plugins
include("gradle-plugin")

    assertSame(stringIdentityConverter, stringIdentityConverter.reverse());
    assertSame(STR_TO_LONG, stringIdentityConverter.andThen(STR_TO_LONG));

    assertSame(STR_VAL, stringIdentityConverter.convert(STR_VAL));
    assertSame(STR_VAL, stringIdentityConverter.reverse().convert(STR_VAL));

    assertEquals("Converter.identity()", stringIdentityConverter.toString());

This means Ztunnel will have multiple distinct certificates at a time, one for each unique identity (service account) running on its node.

When fetching certificates, ztunnel will authenticate to the CA with its own identity, but request the identity of another workload.
Critically, the CA must enforce that the ztunnel has permission to request that identity.

		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSWebIdentityExpiredToken: {
		Code:           "ExpiredToken",
		Description:    "The web identity token that was passed is expired or is not valid. Get a new identity token from the identity provider and then retry the request.",
		HTTPStatusCode: http.StatusBadRequest,
	},
	ErrSTSClientGrantsExpiredToken: {
		Code:           "ExpiredToken",

            ArrayListMultimap.<String, Integer>create(), Functions.<Integer>identity())
        .asMap();
  }

  @Override
  protected Map<String, Collection<Integer>> makePopulatedMap() {
    ListMultimap<String, Integer> delegate = ArrayListMultimap.create();
    populate(delegate);
    return Multimaps.transformValues(delegate, Functions.<Integer>identity()).asMap();
  }

### 1. Fetch the root identity

As the initial step, fetch the private key and certificate of the root identity:

```sh
curl -sSL --tlsv1.2 \