（类 `SecurityScopes` 的）`security_scopes` 对象还提供了单字符串类型的属性 `scope_str`，该属性是（要在本例中使用的）用空格分割的作用域。

此处还创建了后续代码中要复用（`raise`）的 `HTTPException` 。

该异常包含了作用域所需的（如有），以空格分割的字符串（使用 `scope_str`）。该字符串要放到包含作用域的 `WWW-Authenticate` 请求头中（这也是规范的要求）。

```Python hl_lines="105  107-115"
{!../../docs_src/security/tutorial005.py!}
```

## 校验 `username` 与数据形状

我们可以校验是否获取了 `username`，并抽取作用域。

The build cache has anonymous read access, so you don't need to authenticate in order to use it. You can use a different build cache node by specifying `-DcacheNode=us` for a build cache node in the US or `-DcacheNode=au` for a build cache node in Australia.

`security_scopes` 🎚 (🎓 `SecurityScopes`) 🚚 `scope_str` 🔢 ⏮️ 👁 🎻, 🔌 👈 ↔ 👽 🚀 (👥 🔜 ⚙️ ⚫️).

👥 ✍ `HTTPException` 👈 👥 💪 🏤-⚙️ (`raise`) ⏪ 📚 ☝.

👉 ⚠, 👥 🔌 ↔ 🚚 (🚥 🙆) 🎻 👽 🚀 (⚙️ `scope_str`). 👥 🚮 👈 🎻 ⚗ ↔ `WWW-Authenticate` 🎚 (👉 🍕 🔌).

```Python hl_lines="105  107-115"
{!../../docs_src/security/tutorial005.py!}
```

## ✔ `username` & 💽 💠

👥 ✔ 👈 👥 🤚 `username`, & ⚗ ↔.

	}

	// Lookup user DN
	lookupResult, err := l.LDAP.LookupUsername(conn, username)
	if err != nil {
		errRet := fmt.Errorf("Unable to find user DN: %w", err)
		return nil, nil, errRet
	}

	// Authenticate the user credentials.
	err = conn.Bind(lookupResult.ActualDN, password)
	if err != nil {
		errRet := fmt.Errorf("LDAP auth failed for DN %s: %w", lookupResult.ActualDN, err)
		return nil, nil, errRet
	}

  @Test
  fun proxyAuthenticateOnConnect() {
    server.useHttps(handshakeCertificates.sslSocketFactory())
    server.enqueue(
      MockResponse(
        code = 407,
        headers = headersOf("Proxy-Authenticate", "Basic realm=\"localhost\""),
        inTunnel = true,
      ),
    )
    server.enqueue(
      MockResponse(inTunnel = true),
    )
    server.enqueue(

  @Test
  fun javaNetAuthenticator() {
    val authenticator = JavaNetAuthenticator()
    val response = Response.Builder().build()
    var request: Request? = authenticator.authenticate(factory.newRoute(), response)
    request = authenticator.authenticate(null, response)
  }

  @Test
  fun javaNetCookieJar() {
    val cookieJar: JavaNetCookieJar = JavaNetCookieJar(newCookieHandler())
    val httpUrl = "".toHttpUrl()

        .code(responseCode)
        .body("ABCDE")
        .addHeader("WWW-Authenticate: challenge")
    when (responseCode) {
      HttpURLConnection.HTTP_PROXY_AUTH -> {
        builder.addHeader("Proxy-Authenticate: Basic realm=\"protected area\"")
      }

      HttpURLConnection.HTTP_UNAUTHORIZED -> {
        builder.addHeader("WWW-Authenticate: Basic realm=\"protected area\"")
      }

This means Ztunnel will have multiple distinct certificates at a time, one for each unique identity (service account) running on its node.

When fetching certificates, ztunnel will authenticate to the CA with its own identity, but request the identity of another workload.
Critically, the CA must enforce that the ztunnel has permission to request that identity.
Requests for identities not running on the node are rejected.

	delta := remoteTime.Sub(localTime)
	if delta < 0 {
		delta *= -1
	}

	if delta > DefaultSkewTime {
		return errSkewedAuthTime
	}

	return nil
}

// IsAuthValid - To authenticate and verify the time difference.
func (s *storageRESTServer) IsAuthValid(w http.ResponseWriter, r *http.Request) bool {
	if s.getStorage() == nil {
		s.writeErrorResponse(w, errDiskNotFound)
		return false
	}

In diese Exception fügen wir (falls vorhanden) die erforderlichen Scopes als durch Leerzeichen getrennten String ein (unter Verwendung von `scope_str`). Wir fügen diesen String mit den Scopes in den Header `WWW-Authenticate` ein (das ist Teil der Spezifikation).

//// tab | Python 3.10+

```Python hl_lines="105  107-115"
{!> ../../docs_src/security/tutorial005_an_py310.py!}
```

////

//// tab | Python 3.9+