* kube-apiserver: the OpenID Connect authenticator can now verify ID Tokens signed with JOSE algorithms other than RS256 through the --oidc-signing-algs flag. ([#58544](https://github.com/kubernetes/kubernetes/pull/58544), [@ericchiang](https://github.com/ericchiang))

  - The requested name did not match the set of authorized names (`x509.HostnameError`)
  - The error surfaced after attempting a connection contained one of the substrings: "certificate is not trusted" or "certificate signed by unknown authority". ([#120736](https://github.com/kubernetes/kubernetes/pull/120736), [@MadhavJivrajani](https://github.com/MadhavJivrajani))

	}

	if err = claims.UnmarshalJSON(buf[:n]); err != nil {
		return nil, &jwtgo.ValidationError{Inner: err, Errors: jwtgo.ValidationErrorMalformed}
	}

	for _, signer := range hmacSigners {
		if string(alg) == signer.Name {
			return signer, nil
		}
	}

	return nil, jwtgo.NewValidationError(fmt.Sprintf("signing method (%s) is unavailable.", string(alg)),
		jwtgo.ValidationErrorUnverifiable)
}

		{serverType: "ErasureSD", signer: signerV4},
		// Init and run test on ErasureSD backend, with tls enabled.
		{serverType: "ErasureSD", signer: signerV4, secure: true},
		// Init and run test on Erasure backend.
		{serverType: "Erasure", signer: signerV4},
		// Init and run test on ErasureSet backend.
		{serverType: "ErasureSet", signer: signerV4},
	}
	testCases := []*TestSuiteIAM{}

Now let's go back a bit and understand what is all that.

The `password` "flow" is one of the ways ("flows") defined in OAuth2, to handle security and authentication.

OAuth2 was designed so that the backend or API could be independent of the server that authenticates the user.

But in this case, the same **FastAPI** application will handle the API and the authentication.

- Addressed an issue where a JWT authenticator set up via `--authentication-config` would encounter failures in verifying tokens not signed with RS256. ([#123282](https://github.com/kubernetes/kubernetes/pull/123282), [@enj](https://github.com/enj))

    "com.github.jnr:jnr-constants" to setOf(
        // For signal codes
        "jnr.constants.platform.Signal",
        "jnr.constants.platform.aix.Signal",
        "jnr.constants.platform.darwin.Signal",
        "jnr.constants.platform.freebsd.Signal",
        "jnr.constants.platform.openbsd.Signal",
        "jnr.constants.platform.linux.Signal",
        "jnr.constants.platform.solaris.Signal",
        "jnr.constants.Constant",

 * ⬜️ [Moshi](https://github.com/square/moshi): A modern JSON library for Android and Java.
 * [Ok2Curl](https://github.com/mrmike/Ok2Curl): Convert OkHttp requests into curl logs.
 * [OkHttp AWS Signer](https://github.com/babbel/okhttp-aws-signer): AWS V4 signing algorithm for OkHttp requests
 * [okhttp-digest](https://github.com/rburgst/okhttp-digest): A digest authenticator for OkHttp.

- The kube-controller-manager managed signers can now have distinct signing certificates and keys.  See the help about `--cluster-signing-[signer-name]-{cert,key}-file`.  `--cluster-signing-{cert,key}-file` is still the default. ([#90822](https://github.com/kubernetes/kubernetes/pull/90822), [@deads2k](https://github.com/deads2k)) [SIG API Machinery,...

			req.Header.Set("X-Amz-Date", time.Now().UTC().Format("20060102T150405Z"))
			sum := sha256.Sum256(body)
			req.Header.Set("X-Amz-Content-Sha256", hex.EncodeToString(sum[:]))
			req = signer.SignV4(*req, credentials.AccessKey, credentials.SecretKey, "", "us-east-1")

			rec := httptest.NewRecorder()
			api := objectAPIHandlers{
				ObjectAPI: func() ObjectLayer {
					return obj
				},
			}