.add("WWW-Authenticate", "Basic realm=myrealm")
        .add("WWW-Authenticate", "Digest")
        .build()
    assertThat(headers.parseChallenges("WWW-Authenticate")).containsExactly(
      Challenge("Basic", mapOf("realm" to "myrealm")),
      Challenge("Digest", mapOf()),
    )
  }

  @Test fun multipleBasicAuthenticateHeaders() {
    val headers =
      Headers.Builder()

- Fix a bug in cronjob controller...

}

const (
	minValidityDurationSeconds int = 900
	maxValidityDurationSeconds int = 365 * 24 * 3600
)

// Authenticate authenticates the token with the external hook endpoint and
// returns a parent user, max expiry duration for the authentication and a set
// of claims.
func (o *AuthNPlugin) Authenticate(roleArn arn.ARN, token string) (AuthNResponse, error) {
	if o == nil {
		return AuthNResponse{}, nil
	}

* The OpenID Connect authenticator can now use a custom prefix, or omit the default prefix, for username and groups claims through the --oidc-username-prefix and --oidc-groups-prefix flags. For example, the authenticator can map a user with the username "jane" to "google:jane" by supplying the "google:" username prefix. ([#50875](https://github.com/kubernetes/kubernetes/pull/50875),...

  @ArgumentsSource(ProtocolParamProvider::class)
  fun authenticate(
    protocol: Protocol,
    mockWebServer: MockWebServer,
  ) {
    setUp(protocol, mockWebServer)
    server.enqueue(
      MockResponse(
        code = HttpURLConnection.HTTP_UNAUTHORIZED,
        headers = headersOf("www-authenticate", "Basic realm=\"protected area\""),
        body = "Please authenticate.",
      ),
    )
    server.enqueue(

 * the Network Explorer Servlet</a> related information.
 */

public class NtlmSsp implements NtlmFlags {

    /**
     * Calls the static {@link #authenticate(HttpServletRequest,
     * HttpServletResponse, byte[])} method to perform NTLM authentication
     * for the specified servlet request.
     *
     * @param req The request being serviced.
     * @param resp The response.

            final SsoAuthenticator authenticator = getAuthenticator();
            if (authenticator != null) {
                return authenticator.getLoginCredential();
            }
        }
        return null;
    }

    public ActionResponse getResponse(final SsoResponseType responseType) {
        if (available()) {
            final SsoAuthenticator authenticator = getAuthenticator();

 * the Network Explorer Servlet</a> related information.
 */
@Deprecated
public class NtlmSsp implements NtlmFlags {

    /**
     * Calls the static {@link #authenticate(CIFSContext, HttpServletRequest,
     * HttpServletResponse, byte[])} method to perform NTLM authentication
     * for the specified servlet request.
     * 
     * @param tc
     *
     * @param req

    public void test_addGroupOrRoleName() {
        AzureAdAuthenticator authenticator = new AzureAdAuthenticator();
        List<String> list = new ArrayList<>();

        list.clear();
        authenticator.addGroupOrRoleName(list, "test", true);
        assertEquals(1, list.size());
        assertEquals("test", list.get(0));

        list.clear();
        authenticator.addGroupOrRoleName(list, "test", false);

## Changes to API Resources
### ABAC
* ABAC policies using `"user":"*"` or `"group":"*"` to match all users or groups will only match authenticated requests. To match unauthenticated requests, ABAC policies must explicitly specify `"group":"system:unauthenticated"` ([#38968](https://github.com/kubernetes/kubernetes/pull/38968), [@liggitt](https://github.com/liggitt))

### Admission Control