sds-flow.svg...

                """
            ),
        ] = True,
    ):
        if not scopes:
            scopes = {}
        flows = OAuthFlowsModel(
            password=cast(Any, {"tokenUrl": tokenUrl, "scopes": scopes})
        )
        super().__init__(
            flows=flows,
            scheme_name=scheme_name,
            description=description,
            auto_error=auto_error,
        )

// FlowDistinguisherMethod specifies the method of a flow distinguisher.
message FlowDistinguisherMethod {
  // `type` is the type of flow distinguisher method
  // The supported types are "ByUser" and "ByNamespace".
  // Required.
  optional string type = 1;
}

// FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with

// FlowDistinguisherMethod specifies the method of a flow distinguisher.
message FlowDistinguisherMethod {
  // `type` is the type of flow distinguisher method
  // The supported types are "ByUser" and "ByNamespace".
  // Required.
  optional string type = 1;
}

// FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with

![SDS decision flow](docs/sds-flow.svg)

### Default CA Flow through istio-agent

![CA Flow](docs/ca.svg)

A single SDS request from Envoy goes through a few different layers in istio-agent.

interface FlowControlListener {
  /**
   * Notification that the receiving stream flow control window has changed.
   * [WindowCounter] generally carries the client view of total and acked bytes.
   */
  fun receivingStreamWindowChanged(
    streamId: Int,
    windowCounter: WindowCounter,
    bufferSize: Long,
  )

  /**
   * Notification that the receiving connection flow control window has changed.

        this.sink.finished = true
        condition.signalAll() // Because doReadTimeout() may have changed.
      }
    }

    // Only DATA frames are subject to flow-control. Transmit the HEADER frame if the connection
    // flow-control window is fully depleted.
    if (!flushHeaders) {
      this.withLock {
        flushHeaders = (connection.writeBytesTotal >= connection.writeBytesMaximum)
      }
    }

				]
			},
			{
				"parallelizationMethod":{
					"name":"TestDistribution"
				},
				"subprojects":[
					"composite-builds",
					"internal-integ-testing",
					"jvm-services",
					"flow-services",
					"persistent-cache",
					"publish",
					"base-services",
					"process-memory-services",
					"problems-api",
					"plugins-java-base",
					"build-cache"
				]
			},
			{

It can be used by third party applications and systems.

And it can also be used by yourself, to debug, check and test the same application.

## The `password` flow

Now let's go back a bit and understand what is all that.

The `password` "flow" is one of the ways ("flows") defined in OAuth2, to handle security and authentication.

OAuth2 was designed so that the backend or API could be independent of the server that authenticates the user.

The most common is the implicit flow.

The most secure is the code flow, but it's more complex to implement as it requires more steps. As it is more complex, many providers end up suggesting the implicit flow.

/// note

It's common that each authentication provider names their flows in a different way, to make it part of their brand.