```

### Using WebIdentiy API

On another terminal run `web-identity.go` a sample client application which obtains JWT id_tokens from an identity provider, in our case its Keycloak. Uses the returned id_token response to get new temporary credentials from the MinIO server using the STS API call `AssumeRoleWithWebIdentity`.

```

	return &plugin
}

// AuthNSuccessResponse - represents the response from the authentication plugin
// service.
type AuthNSuccessResponse struct {
	User               string         `json:"user"`
	MaxValiditySeconds int            `json:"maxValiditySeconds"`
	Claims             map[string]any `json:"claims"`
}

// AuthNErrorResponse - represents an error response from the authN plugin.
type AuthNErrorResponse struct {

    /**
     * Sent by the server in the Type 2 message to indicate that it is
     * including a Target Information block in the message. The Target
     * Information block is used in the calculation of the NTLMv2 response.
     */
    int NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000;

    /**
     * Indicates that the NTLM version is included in the message.
     */
    int NTLMSSP_NEGOTIATE_VERSION = 0x2000000;

				"AWSAccessKeyId": accessKey,
			},
			expected: ErrSignatureDoesNotMatch,
		},
		// (6) Should not error signature matches with extra query params.
		{
			queryParams: map[string]string{
				"response-content-disposition": "attachment; filename=\"4K%2d4M.txt\"",
			},
			expected: ErrNone,
		},
		// (7) Should not error signature matches with no special query params.
		{
			queryParams: map[string]string{},

    /**
     * Retrieves the node status information for the specified NetBIOS address.
     *
     * @param nbtAddress the NetBIOS address to query
     * @return the node status responses
     * @throws UnknownHostException if the node status cannot be retrieved
     */
    NetbiosAddress[] getNodeStatus(NetbiosAddress nbtAddress) throws UnknownHostException;

    /**

<img src="/img/deployment/https/https05.drawio.svg">

### HTTP‑ответ { #http-response }

Приложение обработает запрос и отправит **обычный (незашифрованный) HTTP‑ответ** прокси‑серверу TLS-терминации.

<img src="/img/deployment/https/https06.drawio.svg">

### HTTPS‑ответ { #https-response }

        }

        @Test
        @DisplayName("Should be usable as both request and response")
        void testDualInterfaceUsage() {
            PreauthIntegrityNegotiateContext context = new PreauthIntegrityNegotiateContext();

            NegotiateContextRequest request = context;
            NegotiateContextResponse response = context;

  - `response.patch` and `response.patchType` are not permitted from validating admission webhooks
  - `apiVersion: "admission.k8s.io/v1"` is required
  - `kind: "AdmissionReview"` is required
  - `response.uid: "<value of request.uid>"` is required

Create a variable `ALGORITHM` with the algorithm used to sign the JWT token and set it to `"HS256"`.

Create a variable for the expiration of the token.

Define a Pydantic Model that will be used in the token endpoint for the response.

Create a utility function to generate a new access token.

{* ../../docs_src/security/tutorial004_an_py310.py hl[4,7,13:15,29:31,82:90] *}

## Update the dependencies { #update-the-dependencies }

#### The time to answer helps the attackers { #the-time-to-answer-helps-the-attackers }

At that point, by noticing that the server took some microseconds longer to send the "Incorrect username or password" response, the attackers will know that they got _something_ right, some of the initial letters were right.

And then they can try again knowing that it's probably something more similar to `stanleyjobsox` than to `johndoe`.