token_scopes = payload.get("scopes", [])
        token_data = TokenData(scopes=token_scopes, username=username)
    except (InvalidTokenError, ValidationError):
        raise credentials_exception
    user = get_user(fake_users_db, username=token_data.username)
    if user is None:
        raise credentials_exception
    for scope in security_scopes.scopes:
        if scope not in token_data.scopes:

claim_name    (string)    JWT canned policy claim name, defaults to "policy"
claim_prefix  (string)    JWT claim namespace prefix e.g. "customer1/"
scopes        (csv)       Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"
comment       (sentence)  optionally add a comment to this setting
```

and ENV based options

```

		"response_mode": {"form_post"},
		"client_id":     {c.ClientID},
	}
	if c.RedirectURL != "" {
		v.Set("redirect_uri", c.RedirectURL)
	}
	if len(c.Scopes) > 0 {
		v.Set("scope", strings.Join(c.Scopes, " "))
	}
	v.Set("state", state)
	v.Set("nonce", state)
	if strings.Contains(c.Endpoint.AuthURL, "?") {
		buf.WriteByte('&')
	} else {
		buf.WriteByte('?')
	}
	buf.WriteString(v.Encode())

  /** Shows a browser URL to authorize this app to act as this user. */
  public void requestOauthSession(String scopes, String team) throws Exception {
    if (sessionFactory == null) {
      sessionFactory = new OAuthSessionFactory(slackApi);
      sessionFactory.start();
    }

    HttpUrl authorizeUrl = sessionFactory.newAuthorizeUrl(scopes, team, session -> {
      initOauthSession(session);
      System.out.printf("session granted: %s\n", session);

claim_name    (string)    JWT canned policy claim name, defaults to "policy"
claim_prefix  (string)    JWT claim namespace prefix e.g. "customer1/"
scopes        (csv)       Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"
comment       (sentence)  optionally add a comment to this setting
```

and ENV based options

```

/// note | "笔记"

注意，请求中 `Authorization` 响应头的值以 `Bearer` 开头。

///

## `scopes` 高级用法

OAuth2 支持**`scopes`**（作用域）。

**`scopes`**为 JWT 令牌添加指定权限。

让持有令牌的用户或第三方在指定限制条件下与 API 交互。

**高级用户指南**中将介绍如何使用 `scopes`，及如何把 `scopes` 集成至 **FastAPI**。

## 小结

至此，您可以使用 OAuth2 和 JWT 等标准配置安全的 **FastAPI** 应用。

几乎在所有框架中，处理安全问题很快都会变得非常复杂。

		"Comma-separated list of output logging level for scopes in the format of <scope>:<level>[,<scope>:<level>,...]. "+
			"Possible values for <level>: none, error, warn, info, debug")
	logCmd.PersistentFlags().StringVar(&stackTraceLevel, "stack-trace-level", stackTraceLevel,
		"Comma-separated list of stack trace level for scopes in the format of <scope>:<stack-trace-level>[,<scope>:<stack-trace-level>,...]. "+

		}

		if scopeList := getCfgVal(Scopes); scopeList != "" {
			var scopes []string
			for _, scope := range strings.Split(scopeList, ",") {
				scope = strings.TrimSpace(scope)
				if scope == "" {
					return c, config.Errorf("empty scope value is not allowed '%s', please refer to our documentation", scopeList)
				}
				scopes = append(scopes, scope)
			}

	err := iptConfigurator.CreateInpodRules(scopes.CNIAgent, probeSNATipv4, probeSNATipv6, false)
	if err != nil {
		t.Fatal(err)
	}
	compareToGolden(t, false, tt.name, ext.ExecutedAll)

	*ext = dep.DependenciesStub{}
	// run another time to make sure we are idempotent
	err = iptConfigurator.CreateInpodRules(scopes.CNIAgent, probeSNATipv4, probeSNATipv6, false)
	if err != nil {
		t.Fatal(err)

	assert.NoError(t, iptConfigurator.CreateInpodRules(scopes.CNIAgent, probeSNATipv4, probeSNATipv6, false))

	t.Log("starting cleanup")
	// Cleanup, should work
	assert.NoError(t, iptConfigurator.DeleteInpodRules())
	validateIptablesClean(t)

	t.Log("second run")
	// Add again, should still work
	assert.NoError(t, iptConfigurator.CreateInpodRules(scopes.CNIAgent, probeSNATipv4, probeSNATipv6, false))
}