- The redirection URI (callback handler) receives the OAuth2 callback, verifies the state parameter, and obtains a Token.
- Using the id_token the callback handler further talks to Google OAuth2 Token URL to obtain an JWT id_token.
- Once obtained the JWT id_token is further sent to STS endpoint i.e MinIO to retrieve temporary credentials.
- Temporary credentials are displayed on the browser upon successful retrieval.

## Using MinIO Console

	github.com/fraugster/parquet-go v0.12.0
	github.com/go-ldap/ldap/v3 v3.4.11
	github.com/go-openapi/loads v0.22.0
	github.com/go-sql-driver/mysql v1.9.2
	github.com/gobwas/ws v1.4.0
	github.com/golang-jwt/jwt/v4 v4.5.2
	github.com/gomodule/redigo v1.9.2
	github.com/google/uuid v1.6.0
	github.com/inconshreveable/mousetrap v1.1.0
	github.com/json-iterator/go v1.1.12
	github.com/klauspost/compress v1.18.0

是否包含像 `:` 這樣的字元，或是否是一個 URL，都沒差。

那些細節取決於實作。

對 OAuth2 而言，它們就是字串。

///

## 全局概觀 { #global-view }

先快速看看相對於主教學「使用密碼（與雜湊）、Bearer 與 JWT token 的 OAuth2」的差異（[OAuth2 with Password (and hashing), Bearer with JWT tokens](../../tutorial/security/oauth2-jwt.md)）。現在加入了 OAuth2 scopes：

{* ../../docs_src/security/tutorial005_an_py310.py hl[5,9,13,47,65,106,108:116,122:126,130:136,141,157] *}

接著我們一步一步檢視這些變更。

<img src="/img/tutorial/security/image11.png">

## JWT token with scopes { #jwt-token-with-scopes }

Now, modify the token *path operation* to return the scopes requested.

We are still using the same `OAuth2PasswordRequestForm`. It includes a property `scopes` with a `list` of `str`, with each scope it received in the request.

And we return the scopes as part of the JWT token.

/// danger

	customTokenIdentity = "AssumeRoleWithCustomToken"
	assumeRole          = "AssumeRole"

	stsRequestBodyLimit = 10 * (1 << 20) // 10 MiB

	// JWT claim keys
	expClaim = "exp"
	subClaim = "sub"
	audClaim = "aud"
	issClaim = "iss"

	// JWT claim to check the parent user
	parentClaim = "parent"

	// LDAP claim keys
	ldapUser       = "ldapUser"       // this is a key name for a normalized DN value

        assertNull(exception.getCause());
    }

    @Test
    public void test_constructor_withEmptyMessage() {
        // Test constructor with empty message string
        String type = "JWT";
        String message = "";
        InvalidAccessTokenException exception = new InvalidAccessTokenException(type, message);

        assertEquals(type, exception.getType());
        assertEquals("", exception.getMessage());

你可以选择要授予访问权限的作用域：`me` 和 `items`。

这与使用 Facebook、Google、GitHub 等登录时授予权限的机制相同：

<img src="/img/tutorial/security/image11.png">

## 带作用域的 JWT 令牌 { #jwt-token-with-scopes }

现在，修改令牌的*路径操作*以返回请求的作用域。

我们仍然使用 `OAuth2PasswordRequestForm`。它包含 `scopes` 属性，其值是 `list[str]`，包含请求中接收到的每个作用域。

我们把这些作用域作为 JWT 令牌的一部分返回。

/// danger | 危险

为简单起见，此处我们只是把接收到的作用域直接添加到了令牌中。

但在你的应用里，为了安全起见，你应该只添加该用户实际能够拥有的作用域，或你预先定义的作用域。

///

			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         ClaimName,
			Description: `JWT canned policy claim name` + defaultHelpPostfix(ClaimName),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         Scopes,

func (c *OperatorDNS) addAuthHeader(r *http.Request) error {
	if c.username == "" || c.password == "" {
		return nil
	}

	claims := &jwt.StandardClaims{
		ExpiresAt: int64(15 * time.Minute),
		Issuer:    c.username,
		Subject:   config.EnvDNSWebhook,
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)
	ss, err := token.SignedString([]byte(c.password))
	if err != nil {
		return err
	}

	  "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
	}
  ]
}
```

If the user is authenticating using an STS credential which was authorized from OpenID connect we allow all `jwt:*` variables specified in the JWT specification, custom `jwt:*` or extensions are not supported. List of policy variables for OpenID based STS.

- `jwt:sub`
- `jwt:iss`
- `jwt:aud`
- `jwt:jti`
- `jwt:upn`
- `jwt:name`
- `jwt:groups`