}
	if f.KeyFile != nil {
		flags.StringVar(f.KeyFile, flagKeyFile, *f.KeyFile, "Path to a client key file for TLS")
	}
	if f.BearerToken != nil {
		flags.StringVar(f.BearerToken, flagBearerToken, *f.BearerToken, "Bearer token for authentication to the API server")
	}
	if f.Impersonate != nil {

              "type": "string"
            },
            "type": "array",
            "x-kubernetes-list-type": "atomic"
          },
          "token": {
            "description": "Token is the opaque bearer token.",
            "type": "string"
          }
        },
        "type": "object"
      },
      "io.k8s.api.authentication.v1.TokenReviewStatus": {

type KubeletAuthentication struct {
	// x509 contains settings related to x509 client certificate authentication
	X509 KubeletX509Authentication
	// webhook contains settings related to webhook bearer token authentication
	Webhook KubeletWebhookAuthentication
	// anonymous contains settings related to anonymous authentication
	Anonymous KubeletAnonymousAuthentication
}

    Für OAuth2 sind es einfach nur Strings.

## Gesamtübersicht

Sehen wir uns zunächst kurz die Teile an, die sich gegenüber den Beispielen im Haupt-**Tutorial – Benutzerhandbuch** für [OAuth2 mit Password (und Hashing), Bearer mit JWT-Tokens](../../tutorial/security/oauth2-jwt.md){.internal-link target=_blank} ändern. Diesmal verwenden wir OAuth2-Scopes:

=== "Python 3.10+"

!!! info "说明"

    OAuth2 中，**作用域**只是声明特定权限的字符串。

    是否使用冒号 `:` 等符号，或是不是 URL 并不重要。

    这些细节只是特定的实现方式。

    对 OAuth2 来说，它们都只是字符串而已。

## 全局纵览

首先，快速浏览一下以下代码与**用户指南**中 [OAuth2 实现密码哈希与 Bearer  JWT 令牌验证](../../tutorial/security/oauth2-jwt.md){.internal-link target=_blank}一章中代码的区别。以下代码使用 OAuth2 作用域：

```Python hl_lines="2  4  8  12  46  64  105  107-115  121-124  128-134  139  153"

//           # retainVersions: 5 # keep the latest 5 versions of the object including delete markers.
//
//   notify:
//     endpoint: https://notify.endpoint # notification endpoint to receive job completion status
//     token: Bearer xxxxx # optional authentication token for the notification endpoint
//
//   retry:
//     attempts: 10 # number of retries for the job before giving up
//     delay: 500ms # least amount of delay between each retry

		"Authorization":    {"Bearer " + jwt.TokenIssuer1WithNestedClaims2},
		"X-Jwt-Nested-Key": {"value_to_be_replaced"},
	}
	headersWithToken2WithAddedHeader := map[string][]string{
		"Authorization":      {"Bearer " + jwt.TokenIssuer1WithNestedClaims2},
		"x-jwt-wrong-header": {"header_to_be_deleted"},
	}
	headersWithToken3 := map[string][]string{
		"Authorization": {"Bearer " + jwt.TokenIssuer1WithCollisionResistantName},

    For OAuth2 they are just strings.

## Global view

First, let's quickly see the parts that change from the examples in the main **Tutorial - User Guide** for [OAuth2 with Password (and hashing), Bearer with JWT tokens](../../tutorial/security/oauth2-jwt.md){.internal-link target=_blank}. Now using OAuth2 scopes:

=== "Python 3.10+"

    ```Python hl_lines="5  9  13  47  65  106  108-116  122-125  129-135  140  156"

				"application/vnd.unity",
				"application/vnd.uoml+xml",
				"application/vnd.uplanet.alert",
				"application/vnd.uplanet.alert-wbxml",
				"application/vnd.uplanet.bearer-choice",
				"application/vnd.uplanet.bearer-choice-wbxml",
				"application/vnd.uplanet.cacheop",
				"application/vnd.uplanet.cacheop-wbxml",
				"application/vnd.uplanet.channel",
				"application/vnd.uplanet.channel-wbxml",

  fi
}

function wait-for-master() {
  echo "== Waiting for new master to respond to API requests =="

  local curl_auth_arg
  if [[ -n ${KUBE_BEARER_TOKEN:-} ]]; then
    curl_auth_arg=(-H "Authorization: Bearer ${KUBE_BEARER_TOKEN}")
  elif [[ -n ${KUBE_PASSWORD:-} ]]; then
    curl_auth_arg=(--user "${KUBE_USER}:${KUBE_PASSWORD}")
  else
    echo "can't get auth credentials for the current master"
    exit 1
  fi