throw new SsoLoginException("could not validate nonce", e);
        }
    }

    /**
     * Obtains an access token using a refresh token.
     * @param refreshToken The refresh token to use for token acquisition.
     * @return The authentication result containing the access token.
     */
    public IAuthenticationResult getAccessToken(final String refreshToken) {

set & exists # Since PURGE is user input, check explicitly for `true` if [ $PURGE = true ]; then if checkBucketExists $BUCKET ; then echo "Purging bucket '$BUCKET'." set +e ; # don't exit if this fails ${MC} rm -r --force myminio/$BUCKET set -e ; # reset `e` as active else echo "Bucket '$BUCKET' does not exist, skipping purge." fi fi # Create the bucket if it does not exist if ! checkBucketExists $BUCKET ; then echo "Creating bucket '$BUCKET'" ${MC} mb myminio/$BUCKET else echo "Bucket '$BUCKET' already...

allow {
 input.action != "s3:PutObject"
 input.owner == false
}
EOF
```

Then load the policy via OPA's REST API.

```
curl -X PUT --data-binary @example.rego \
  localhost:8181/v1/policies/putobject
```

### 4. Setup MinIO with OPA

Set the `MINIO_POLICY_PLUGIN_URL` as the endpoint that MinIO should send authorization requests to. Then start the server.

```sh

  /**
   * Returns the escaped form of a given literal string.
   *
   * <p>If you are escaping input in arbitrary successive chunks, then it is not generally safe to
   * use this method. If an input string ends with an unmatched high surrogate character, then this
   * method will throw {@link IllegalArgumentException}. You should ensure your input is valid <a

  /**
   * Returns the escaped form of a given literal string.
   *
   * <p>If you are escaping input in arbitrary successive chunks, then it is not generally safe to
   * use this method. If an input string ends with an unmatched high surrogate character, then this
   * method will throw {@link IllegalArgumentException}. You should ensure your input is valid <a

We convert this iterable object into a proper `list` with `list(data.items())`.

Then with `random.choice()` we can get a **random value** from the list, so, we get a tuple with `(id, name)`. It will be something like `("imdb-tt0371724", "The Hitchhiker's Guide to the Galaxy")`.

Then we **assign those two values** of the tuple to the variables `id` and `name`.

<img src="/img/tutorial/security/image11.png">

## Token JWT con scopes

Ahora, modifica la *path operation* del token para devolver los scopes solicitados.

Todavía estamos usando el mismo `OAuth2PasswordRequestForm`. Incluye una propiedad `scopes` con una `list` de `str`, con cada scope que recibió en el request.

Y devolvemos los scopes como parte del token JWT.

/// danger | Peligro

//
//   notify:
//     endpoint: https://notify.endpoint # notification endpoint to receive job completion status
//     token: Bearer xxxxx # optional authentication token for the notification endpoint
//
//   retry:
//     attempts: 10 # number of retries for the job before giving up
//     delay: 500ms # least amount of delay between each retry

{* ../../docs_src/body_nested_models/tutorial002_py310.py hl[12] *}

## Set types { #set-types }

But then we think about it, and realize that tags shouldn't repeat, they would probably be unique strings.

And Python has a special data type for sets of unique items, the `set`.

Then we can declare `tags` as a set of strings:

{* ../../docs_src/body_nested_models/tutorial003_py310.py hl[12] *}

  private final boolean plusForSpace;

  /**
   * An array of flags where for any {@code char c} if {@code safeOctets[c]} is true then {@code c}
   * should remain unmodified in the output. If {@code c >= safeOctets.length} then it should be
   * escaped.
   */
  private final boolean[] safeOctets;

  /**