int byteCountValue = 16 + 10; // guid + token
        setByteCount(response, byteCountValue);
        byte[] buffer = new byte[byteCountValue];
        byte[] guid = new byte[16];
        for (int i = 0; i < 16; i++) {
            guid[i] = (byte) i;
        }
        System.arraycopy(guid, 0, buffer, 0, 16);
        byte[] token = new byte[10];
        for (int i = 0; i < 10; i++) {

    /**
     * Constructs a KerberosTicket from token bytes.
     *
     * @param token the ticket token bytes
     * @param apOptions AP options flags
     * @param keys array of Kerberos keys for decryption
     * @throws PACDecodingException if ticket decoding fails
     */
    public KerberosTicket(byte[] token, byte apOptions, KerberosKey[] keys) throws PACDecodingException {
        if (token.length <= 0) {

oauth2_scheme = OAuth2AuthorizationCodeBearer(
    authorizationUrl="api/oauth/authorize",
    tokenUrl="/api/oauth/token",
    scopes={"read": "Read access", "write": "Write access"},
)


async def get_token(token: Annotated[str, Depends(oauth2_scheme)]) -> str:
    return token


app = FastAPI(dependencies=[Depends(get_token)])

{* ../../docs_src/security/tutorial001.py hl[6] *}

/// tip | 提示

在此，`tokenUrl="token"` 指向的是暂未创建的相对 URL `token`。这个相对 URL 相当于 `./token`。

因为使用的是相对 URL，如果 API 位于 `https://example.com/`，则指向 `https://example.com/token`。但如果 API 位于 `https://example.com/api/v1/`，它指向的就是`https://example.com/api/v1/token`。

使用相对 URL 非常重要，可以确保应用在遇到[使用代理](../../advanced/behind-a-proxy.md){.internal-link target=_blank}这样的高级用例时，也能正常运行。

<img src="/img/tutorial/security/image11.png">

## Token JWT con scopes { #jwt-token-with-scopes }

Ahora, modifica la *path operation* del token para devolver los scopes solicitados.

Todavía estamos usando el mismo `OAuth2PasswordRequestForm`. Incluye una propiedad `scopes` con una `list` de `str`, con cada scope que recibió en el request.

Y devolvemos los scopes como parte del token JWT.

/// danger | Peligro

///

## Retorne o token { #return-the-token }

A resposta do endpoint `token` deve ser um objeto JSON.

Deve ter um `token_type`. No nosso caso, como estamos usando tokens "Bearer", o tipo de token deve ser "`bearer`".

E deve ter um `access_token`, com uma string contendo nosso token de acesso.

import org.codelibs.fess.app.web.admin.accesstoken.EditForm;

/**
 * Request body class for access token edit operations in the admin REST API.
 * This class extends EditForm to inherit the necessary form validation and binding capabilities
 * for access token management operations.
 */
public class EditBody extends EditForm {

    /**
     * Default constructor.
     */
    public EditBody() {

      # Ref: https://github.com/actions/checkout/issues/2313
      - uses: actions/checkout@v5
        with:
          # To allow latest-changes to commit to the main branch
          token: ${{ secrets.FASTAPI_LATEST_CHANGES }}
      # Allow debugging with tmate
      - name: Setup tmate session
        uses: mxschmitt/action-tmate@v3

on:
  push:
    branches:
      - master
  pull_request:
  workflow_dispatch:

permissions: { }

jobs:
  code-owners-validation:
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Get Secrets
        uses: gradle/actions-internal/get-aws-secrets@v1

app = FastAPI()


@app.post("/files/")
async def create_file(
    file: Annotated[bytes, File()],
    fileb: Annotated[UploadFile, File()],
    token: Annotated[str, Form()],
):
    return {
        "file_size": len(file),
        "token": token,
        "fileb_content_type": fileb.content_type,