*/
    public IAuthenticationResult getAccessToken(final String refreshToken) {
        final String authority = getAuthority() + getTenant() + "/";
        if (logger.isDebugEnabled()) {
            logger.debug("refreshToken: {}, authority: {}", refreshToken, authority);
        }
        try {
            final ConfidentialClientApplication app = ConfidentialClientApplication

    version = "HTTP/2",
  )

private fun requestUrl(
  socket: MockWebServerSocket,
  requestLine: RequestLine,
  headers: Headers,
): HttpUrl {
  val hostAndPort =
    headers[":authority"]
      ?: headers["Host"]
      ?: when (val inetAddress = socket.localAddress) {
        is Inet6Address -> "[${inetAddress.hostAddress}]:${socket.localPort}"

   * header to create the request URL.
   *
   * For HTTP proxy requests this will be either an absolute-form string like
   * `http://example.com/index.html` (HTTP proxy) or an authority-form string like
   * `example.com:443` (HTTPS proxy).
   *
   * For OPTIONS requests, this may be an asterisk, `*`.
   */
  public val target: String,
  /** A string like `HTTP/1.1` or `HTTP/2`. */

    assertThat(connect.headers["Host"]).isEqualTo("[::1]:$port")
    assertThat(connect.headers[":authority"]).isNull()
    val get = server.takeRequest()
    assertThat(get.requestLine).isEqualTo("GET / HTTP/1.1")
    assertThat(get.headers["Host"]).isEqualTo("[::1]:$port")
    assertThat(get.headers[":authority"]).isNull()
    assertThat(get.url).isEqualTo(url)
  }

  @Test

certificate.

The trusted roots don't need to be the same for client and server when using client authentication.
Clients might rely on the platform certificates and servers might use a private
organization-specific certificate authority.

By default `HeldCertificate` instances expire after 24 hours. Use `duration()` to adjust.

By default server certificates need to identify which hostnames they're trusted for. You may add as

    val scheme = if (request.handshake != null) "https" else "http"
    val authority = request.headers["Host"] // Has host and port.
    val fancyRequest =
      Request
        .Builder()
        .url("$scheme://$authority/")
        .headers(request.headers)
        .build()
    val fancyResponse =
      Response
        .Builder()

    val request = server.takeRequest()
    assertThat(request.requestLine).isEqualTo("GET /foo HTTP/2")
    assertThat(request.headers[":scheme"]).isEqualTo(scheme)
    assertThat(request.headers[":authority"]).isEqualTo("${server.hostName}:${server.port}")
  }

  @ParameterizedTest
  @ArgumentsSource(ProtocolParamProvider::class)
  fun get204Response(protocol: Protocol) {
    setUp(protocol)

   * signed by the compromised CA's certificate and uses it in a non-CA certificate. They ask the
   * pinned CA above to sign it for non-certificate-authority uses:
   *
   * ```
   *   pinnedRoot (trusted by CertificatePinner)
   *     -> pinnedIntermediate (trusted by CertificatePinner)
   *         -> attackerSwitch
   * ```
   *

- Fixed an issue where requests sent by the KMSv2 service would be rejected due to having an invalid authority header. ([#126930](https://github.com/kubernetes/kubernetes/pull/126930), [@Ruddickmg](https://github.com/Ruddickmg)) [SIG API Machinery and Auth]

### CVE-2024-5321: Incorrect permissions on Windows containers logs

A security issue was discovered in Kubernetes clusters with Windows nodes
where BUILTIN\Users may be able to read container logs and NT
AUTHORITY\Authenticated Users may be able to modify container logs.

**Affected Versions**:
  - kubelet <= 1.27.15
  - kubelet <= 1.28.11
  - kubelet <= 1.29.6
  - kubelet <= 1.30.2 

**Fixed Versions**: