./mc ready myminio
./mc mb myminio/test-bucket
./mc cp /etc/hosts myminio/test-bucket

./mc idp openid add myminio \
	config_url="http://localhost:5556/dex/.well-known/openid-configuration" \
	client_id="minio-client-app" \
	client_secret="minio-client-app-secret" \
	scopes="openid,groups,email,profile" \
	redirect_uri="http://127.0.0.1:10000/oauth_callback" \
	display_name="Login via dex1" \
	role_policy="consoleAdmin"

	return ErrNotImplemented
}

// LoginWithClientID is implemented by Keycloak service account support
func (k *KeycloakProvider) LoginWithClientID(clientID, clientSecret string) error {
	values := url.Values{}
	values.Set("client_id", clientID)
	values.Set("client_secret", clientSecret)
	values.Set("grant_type", "client_credentials")

func (target *MQTTTarget) initMQTT() error {
	args := target.args

	// Using hex here, to make sure we avoid 23
	// character limit on client_id according to
	// MQTT spec.
	clientID := fmt.Sprintf("%x", time.Now().UnixNano())

	options := mqtt.NewClientOptions().
		SetClientID(clientID).
		SetCleanSession(true).
		SetUsername(args.User).
		SetPassword(args.Password).
		SetMaxReconnectInterval(args.MaxReconnectInterval).

	var buf bytes.Buffer
	buf.WriteString(c.Endpoint.AuthURL)
	v := url.Values{
		"response_type": {"id_token"},
		"response_mode": {"form_post"},
		"client_id":     {c.ClientID},
	}
	if c.RedirectURL != "" {
		v.Set("redirect_uri", c.RedirectURL)
	}
	if len(c.Scopes) > 0 {
		v.Set("scope", strings.Join(c.Scopes, " "))
	}
	v.Set("state", state)
	v.Set("nonce", state)

minio server /mnt/export
```

or using `mc`

```
mc admin config get myminio identity_openid
identity_openid config_url=https://accounts.google.com/.well-known/openid-configuration client_id=843351d4-1080-11ea-aa20-271ecba3924a
```

Testing with an example

	}

	if err = r.updateUserinfoClaims(ctx, arn, accessToken, mclaims); err != nil {
		return err
	}

	// Validate that matching clientID appears in the aud or azp claims.

	// REQUIRED. Audience(s) that this ID Token is intended for.
	// It MUST contain the OAuth 2.0 client_id of the Relying Party
	// as an audience value. It MAY also contain identifiers for
	// other audiences. In the general case, the aud value is an

If you need to enforce it, use `OAuth2PasswordRequestFormStrict` instead of `OAuth2PasswordRequestForm`.

///

* An optional `client_id` (we don't need it for our example).
* An optional `client_secret` (we don't need it for our example).

/// info

The `OAuth2PasswordRequestForm` is not a special class for **FastAPI** as is `OAuth2PasswordBearer`.

                .setGrantType("authorization_code")//
                .setRedirectUri(getOicRedirectUrl())//
                .set("client_id", getOicClientId())//
                .set("client_secret", getOicClientSecret())//
                .execute();
    }

    /**
     * Gets the OpenID Connect client secret.
     *

- 可選的 `grant_type`

/// tip

依規範，實際上需要一個 `grant_type` 欄位且固定值為 `password`，但 `OAuth2PasswordRequestForm` 並不會強制檢查。

如果你需要強制檢查，請改用 `OAuth2PasswordRequestFormStrict` 取代 `OAuth2PasswordRequestForm`。

///

- 可選的 `client_id`（本例不需要）
- 可選的 `client_secret`（本例不需要）

/// info

`OAuth2PasswordRequestForm` 並不是像 `OAuth2PasswordBearer` 那樣對 **FastAPI** 來說的特殊類別。

`OAuth2PasswordBearer` 會讓 **FastAPI** 知道它是一個 security scheme，因此會以那種方式加入 OpenAPI。

				RolePolicy:           provCfg.RolePolicy,
				ClientID:             provCfg.ClientID,
				HashedClientSecret:   hashedSecret,
			}
		} else {
			res.ClaimProvider = madmin.OpenIDProviderSettings{
				ClaimUserinfoEnabled: provCfg.ClaimUserinfo,
				RolePolicy:           provCfg.RolePolicy,
				ClientID:             provCfg.ClientID,
				HashedClientSecret:   hashedSecret,
			}
		}
	}