And the spec says that the fields have to be named like that. So `user-name` or `email` wouldn't work.

But don't worry, you can show it as you wish to your final users in the frontend.

And your database models can use any other names you want.

    // Default configuration
    private static final int DEFAULT_HASH_ALGORITHM = HASH_ALGO_SHA512;
    private static final int SALT_SIZE = 32; // 32 bytes as per SMB 3.1.1 spec
    private static final int HASH_SIZE_SHA512 = 64; // SHA-512 produces 64-byte hashes

    // Session-specific preauth integrity contexts

For example, in one of the ways the OAuth2 specification can be used (called "password flow") it is required to send a `username` and `password` as form fields.

The <abbr title="specification">spec</abbr> requires the fields to be exactly named `username` and `password`, and to be sent as form fields, not JSON.

A middleware doesn't have to be made for FastAPI or Starlette to work, as long as it follows the ASGI spec.

In general, ASGI middlewares are classes that expect to receive an ASGI app as the first argument.

So, in the documentation for third-party ASGI middlewares they will probably tell you to do something like:

```Python

        byte[] salt2 = preauthService.generatePreauthSalt();

        assertNotNull(salt1);
        assertNotNull(salt2);
        assertEquals(32, salt1.length); // 32 bytes as per SMB 3.1.1 spec
        assertEquals(32, salt2.length);
        assertFalse(java.util.Arrays.equals(salt1, salt2)); // Should be different
    }

    @Test
    @DisplayName("Test session initialization")

/// info

If you are a very strict "Pythonista" you might dislike the style of the parameter name `tokenUrl` instead of `token_url`.

That's because it is using the same name as in the OpenAPI spec. So that if you need to investigate more about any of these security schemes you can just copy and paste it to find more information about it.

///

import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.concurrent.atomic.AtomicLong;

import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.modes.AEADBlockCipher;
import org.bouncycastle.crypto.modes.CCMBlockCipher;

In this exception, we include the scopes required (if any) as a string separated by spaces (using `scope_str`). We put that string containing the scopes in the `WWW-Authenticate` header (this is part of the spec).

{* ../../docs_src/security/tutorial005_an_py310.py hl[106,108:116] *}

## Verify the `username` and data shape { #verify-the-username-and-data-shape }

We verify that we get a `username`, and extract the scopes.

     * @since 2.2
     */
    int getLeaseVersion();

    /**
     * Property {@code jcifs.smb.client.leaseBreakTimeout} (int, default 60)
     *
     * @return lease break timeout in seconds (per MS-SMB2 spec)
     * @since 2.2
     */
    int getLeaseBreakTimeout();

    /**
     *
     *
     * Property {@code jcifs.netbios.lmhosts} (string)
     *
     * @return lmhosts file to use
     */

///

### Checking the current `root_path` { #checking-the-current-root-path }

You can get the current `root_path` used by your application for each request, it is part of the `scope` dictionary (that's part of the ASGI spec).

Here we are including it in the message just for demonstration purposes.

{* ../../docs_src/behind_a_proxy/tutorial001.py hl[8] *}

Then, if you start Uvicorn with:

<div class="termy">