## Introduction

MinIO provides a custom STS API that allows authentication with client X.509 / TLS certificates.

A major advantage of certificate-based authentication compared to other STS authentication methods, like OpenID Connect or LDAP/AD, is that client authentication works without any additional/external component that must be constantly available. Therefore, certificate-based authentication may provide better availability / lower operational complexity.

                buf.append(port);
            }
            buf.append('/');
        }
        return buf.toString();
    }

    /**
     * Returns the NTLM password authentication.
     * @return The NTLM password authentication.
     */
    public NtlmPasswordAuthentication getAuthentication() {
        return new NtlmPasswordAuthentication(domain == null ? "" : domain, username, password);
    }

    /**

    * target authentication realm is a share (presumably for share-level
    * authentication).
    */
    int NTLMSSP_TARGET_TYPE_SHARE = 0x00040000;

    /**
    * Indicates that the NTLM2 signing and sealing scheme should be used
    * for protecting authenticated communications.  This refers to a
    * particular session security scheme, and is not related to the use
    * of NTLMv2 authentication.
    */

        repositorySystem.injectAuthentication(Arrays.asList(repository), Arrays.asList(server));
        Authentication authentication = repository.getAuthentication();
        assertNotNull(authentication);
        assertEquals("jason", authentication.getUsername());
        assertEquals("abc123", authentication.getPassword());
    }

- **Pre-Authentication Integrity**: SMB 3.1.1 PAI for preventing downgrade attacks
- **Automatic Detection**: Encryption automatically enabled when servers require it
- **Secure Key Management**: Proper key derivation and nonce generation

### Core Features
- **Per-context configuration**: No global state, each context encapsulates configuration
- **Authentication**: NTLM, Kerberos, SPNEGO unified subsystem

hmac-sha1-96
```

### Certificate-based authentication

`--sftp=trusted-user-ca-key=...` specifies a file containing public key of certificate authority that is trusted
to sign user certificates for authentication.

Implementation is identical with "TrustedUserCAKeys" setting in OpenSSH server with exception that only one CA
key can be defined.

    }

    /**
     * Returns the authentication target.
     *
     * @return A <code>String</code> containing the authentication target.
     */
    public String getTarget() {
        return this.target;
    }

    /**
     * Sets the authentication target.
     *
     * @param target
     *            The authentication target.
     */

    * A cookie.
* `http`: standard HTTP authentication systems, including:
    * `bearer`: a header `Authorization` with a value of `Bearer ` plus a token. This is inherited from OAuth2.
    * HTTP Basic authentication.
    * HTTP Digest, etc.
* `oauth2`: all the OAuth2 ways to handle security (called "flows").
    * Several of these flows are appropriate for building an OAuth 2.0 authentication provider (like Google, Facebook, X (Twitter), GitHub, etc):

    /** The security context lifetime */
    private int contextLifetime = GSSContext.DEFAULT_LIFETIME;
    /** Flag indicating if fallback authentication is allowed */
    private boolean canFallback = false;
    /** Flag to force fallback authentication */
    private boolean forceFallback;

    static {
        PREFERRED_MECHS.add(new ASN1ObjectIdentifier("1.2.840.113554.1.2.2"));

     * This is used in the negotation of local authentication.
     */
    int NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000;

    /**
     * Indicates whether the OEM-formatted workstation name is supplied
     * in the Type-1 message. This is used in the negotiation of local
     * authentication.
     */
    int NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000;

    /**