val headers =
      Headers
        .Builder()
        .add("WWW-Authenticate", "Basic realm = \"myrealm\",Basic realm=myotherrealm")
        .build()
    assertThat(headers.parseChallenges("WWW-Authenticate")).containsExactly(
      Challenge("Basic", mapOf("realm" to "myrealm")),
      Challenge("Basic", mapOf("realm" to "myotherrealm")),
    )
  }

  @Test fun separatorsBeforeFirstAuthParam() {
    val headers =

) {
  /**
   * Returns the auth params, including [realm] and [charset] if present, but as
   * strings. The map's keys are lowercase and should be treated case-insensitively.
   */
  @get:JvmName("authParams")
  val authParams: Map<String?, String>

  /** Returns the protection space. */
  @get:JvmName("realm")
  val realm: String?
    get() = authParams["realm"]

    private final String key;

    private final XmlNode configuration;

    public CoreExtensionEntry(
            ClassRealm realm,
            Collection<String> artifacts,
            Collection<String> packages,
            String key,
            XmlNode configuration) {
        this.realm = realm;
        this.artifacts = Collections.unmodifiableSet(new HashSet<>(artifacts));

    /**
     * Sets up the class realm for the specified plugin. Both the class realm and the plugin artifacts that constitute
     * it will be stored in the plugin descriptor.
     *
     * @param pluginDescriptor The plugin descriptor in which to save the class realm and the plugin artifacts, must not
     *            be {@code null}.

            final ExpressionEvaluator evaluator,
            final ClassRealm realm,
            final ConfigurationListener listener)
            throws ComponentConfigurationException {
        try {
            ClassRealmConverter.pushContextRealm(realm);

            this.configureComponent(component, configuration, evaluator, (ClassLoader) realm, listener);
        } finally {
            ClassRealmConverter.popContextRealm();

import org.apache.maven.RepositoryUtils;
import org.apache.maven.artifact.Artifact;
import org.apache.maven.model.Plugin;
import org.apache.maven.project.MavenProject;
import org.codehaus.plexus.classworlds.realm.ClassRealm;
import org.codehaus.plexus.classworlds.realm.NoSuchRealmException;
import org.codehaus.plexus.personality.plexus.lifecycle.phase.Disposable;
import org.eclipse.aether.RepositorySystemSession;
import org.eclipse.aether.graph.DependencyFilter;

                + extension.getVersion();
        final ClassRealm realm = classWorld.newRealm(realmId, null);
        Set<String> providedArtifacts = Collections.emptySet();
        String classLoadingStrategy = extension.getClassLoadingStrategy();
        if (STRATEGY_PARENT_FIRST.equals(classLoadingStrategy)) {
            realm.importFrom(parentRealm, "");
        } else if (STRATEGY_PLUGIN.equals(classLoadingStrategy)) {

                + extension.getVersion();
        final ClassRealm realm = classWorld.newRealm(realmId, null);
        Set<String> providedArtifacts = Collections.emptySet();
        String classLoadingStrategy = extension.getClassLoadingStrategy();
        if (STRATEGY_PARENT_FIRST.equals(classLoadingStrategy)) {
            realm.importFrom(parentRealm, "");
        } else if (STRATEGY_PLUGIN.equals(classLoadingStrategy)) {

        @DisplayName("getUserDomain: explicit realm overrides")
        void getUserDomain_fromExplicitRealm() {
            Kerb5Authenticator auth = new Kerb5Authenticator(new Subject());
            auth.setRealm("REALM.TEST");
            assertEquals("REALM.TEST", auth.getUserDomain());
        }

        @Test
        @DisplayName("getUserDomain: falls back to super domain when no realm/subject")

  - Add this Role into compositive role named `default-roles-{realm}` - `{realm}` should be replaced with whatever realm you created from `prerequisites` section. This role is automatically trusted in the 'Service Accounts' tab.

- Check that `account` client_id has the role 'admin' assigned in the "Service Account Roles" tab.

After that, you will be able to obtain an id_token for the Admin REST API using client_id and client_secret: