var parentUserActualDNList []string
	// Map of LDAP user (internal representation) to list of active credential objects
	parentUserToCredsMap := make(map[string][]auth.Credentials)
	// DN to ldap username mapping for each LDAP user
	actualDNToLDAPUsernameMap := make(map[string]string)
	// External (actual) LDAP DN to internal normalized representation
	actualDNToParentUserMap := make(map[string]string)

- When configuring a JWT authenticator:
  
  If `username.expression` used 'claims.email', then 'claims.email_verified' must have been used in `username.expression` or `extra[*].valueExpression` or `claimValidationRules[*].expression`. An example claim validation rule expression that matches the validation automatically applied when `username.claim` is set to 'email' is 'claims.?email_verified.orValue(true) == true'.

	ldapActualUser = "ldapActualUser" // this is a key name for the actual DN value
	ldapUserN      = "ldapUsername"   // this is a key name for the short/login username
	// Claim key-prefix for LDAP attributes
	ldapAttribPrefix = "ldapAttrib_"

	// Role Claim key
	roleArnClaim = "roleArn"

	// STS revoke type claim key
	tokenRevokeTypeClaim = "tokenRevokeType"

    }

    private static final Logger logger = LogManager.getLogger(AbstractCrawlerService.class);

    private static final String ID_SEPARATOR = ".";

    private static final Charset UTF_8 = Charset.forName("UTF-8");

    /**
     * Field name for ID.
     */
    protected static final String ID = "id";

    /**
     * Field name for session ID.
     */

  * kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'.
  * Authenticated users are decorated with a 'system:authenticated' group.
  * **IMPORTANT**: See Action Required for important actions related to this change.

Use `Response.challenges()` to get the schemes and realms of any authentication challenges. When fulfilling a `Basic` challenge, use `Credentials.basic(username, password)` to encode the request header.

=== ":material-language-kotlin: Kotlin"
    ```kotlin
      private val client = OkHttpClient.Builder()
          .authenticator(object : Authenticator {

type iamCache struct {
	updatedAt time.Time

	// map of policy names to policy definitions
	iamPolicyDocsMap map[string]PolicyDoc

	// map of regular username to credentials
	iamUsersMap map[string]UserIdentity
	// map of regular username to policy names
	iamUserPolicyMap *xsync.MapOf[string, MappedPolicy]

	// STS accounts are loaded on demand and not via the periodic IAM reload.

* The OpenID Connect authenticator can now use a custom prefix, or omit the default prefix, for username and groups claims through the --oidc-username-prefix and --oidc-groups-prefix flags. For example, the authenticator can map a user with the username "jane" to "google:jane" by supplying the "google:" username prefix. ([#50875](https://github.com/kubernetes/kubernetes/pull/50875), [@ericchiang](https://github.com/ericchiang))

	public fun toString ()Ljava/lang/String;
	public final fun topPrivateDomain ()Ljava/lang/String;
	public final fun uri ()Ljava/net/URI;
	public final fun url ()Ljava/net/URL;
	public final fun username ()Ljava/lang/String;
}

public final class okhttp3/HttpUrl$Builder {
	public fun <init> ()V
	public final fun addEncodedPathSegment (Ljava/lang/String;)Lokhttp3/HttpUrl$Builder;

ueue_dir","value":""}]},"notify_elasticsearch":{"_":[{"key":"enable","value":"off"},{"key":"url","value":""},{"key":"format","value":"namespace"},{"key":"index","value":""},{"key":"queue_dir","value":""},{"key":"queue_limit","value":"0"},{"key":"username","value":""},{"key":"password","value":""}]},"notify_kafka":{"_":[{"key":"enable","value":"off"},{"key":"topic","value":""},{"key":"brokers","value":""},{"key":"sasl_username","value":""},{"key":"sasl_password","value":""},{"key":"sasl_mechanism...