}
            }
        }

        formSchemeList.forEach(p -> {
            final FormScheme scheme = p.getFirst();
            final Credentials credentials = p.getSecond();
            scheme.authenticate(credentials, (request, consumer) -> {

                // request header
                for (final Header header : requestHeaderList) {

{* ../../docs_src/security/tutorial005_an_py310.py hl[5,9,13,47,65,106,108:116,122:126,130:136,141,157] *}

Now let's review those changes step by step.

## OAuth2 Security scheme { #oauth2-security-scheme }

The first change is that now we are declaring the OAuth2 security scheme with two available scopes, `me` and `items`.

The `scopes` parameter receives a `dict` with each scope as a key and the description as the value:

### Promoted Server Side Unknown Field Validation to Beta

- Changed handling of `CustomResourceDefinitions` with unrecognized formats. Writing a schema with an unrecognized format now triggered a warning (the write was still accepted). ([#133136](https://github.com/kubernetes/kubernetes/pull/133136), [@yongruilin](https://github.com/yongruilin))

- The list-type of the alpha `resourceClaims` field introduced to `Pods` in `1.26.0` was modified from `set` to `map`, resolving an incompatibility with use of this schema in `CustomResourceDefinitions` and with server-side apply. ([#114585](https://github.com/kubernetes/kubernetes/pull/114585), [@JoelSpeed](https://github.com/JoelSpeed))

    authParams["charset"] = charset.name()
    return Challenge(scheme, authParams)
  }

  @JvmName("-deprecated_scheme")
  @Deprecated(
    message = "moved to val",
    replaceWith = ReplaceWith(expression = "scheme"),
    level = DeprecationLevel.ERROR,
  )
  fun scheme(): String = scheme

  @JvmName("-deprecated_authParams")
  @Deprecated(
    message = "moved to val",

- Kube-apiserver: fixes a potential crash serving CustomResourceDefinitions that combine an invalid schema and CEL validation rules. ([#126167](https://github.com/kubernetes/kubernetes/pull/126167), [@cici37](https://github.com/cici37)) [SIG API Machinery and Testing]

- Fixed a bug that prevents kubectl to validate CRDs with schema using x-kubernetes-preserve-unknown-fields on object fields.

```

In case of a S3 multi-part operation each part is en/decrypted with the scheme shown in Figure 1. However, for each part a unique secret key is derived from the OEK and the part number using a PRF. So in case of multi-part not the OEK but the output of `PRF(OEK, part_id)` is used as secret key.

#### Cryptographic Primitives

    return response.request
      .newBuilder()
      .addHeader(header, credential)
      .build()
  }

  private fun schemeMatches(response: Response): Boolean {
    if (scheme == null) return true
    return response.challenges().any { it.scheme.equals(scheme, ignoreCase = true) }
  }