`AssumeRoleWithCustomToken` STS API extension. A user or application can now present a token to the `AssumeRoleWithCustomToken` API, and MinIO verifies this token by sending it to the Identity Management Plugin webhook. This plugin responds with some information and MinIO is able to generate temporary STS credentials to interact with object storage.

The authentication flow is similar to that of OpenID, however the token is "opaque" to MinIO - it is simply sent to the plugin for verification. CAVEAT:...

        byte[] token = createTestTicketBytes(new BigInteger(KerberosConstants.KERBEROS_VERSION), SERVER_REALM, SERVER_PRINCIPAL_NAME,
                ENCRYPTION_TYPE, ENCRYPTED_DATA, null);
        when(kerberosKey.getKeyType()).thenReturn(99); // Different key type

        PACDecodingException e = assertThrows(PACDecodingException.class, () -> new KerberosTicket(token, (byte) 0, keys));

    response = client.get("/get-credentials", headers={"authorization": "Bearer token"})
    assert response.status_code == 200, response.text
    assert response.json() == {"token": "token", "scopes": ["a", "b"]}


def test_parameterless_with_scopes():
    response = client.get(
        "/parameterless-with-scopes", headers={"authorization": "Bearer token"}
    )
    assert response.status_code == 200, response.text

    /**
     * Generate the access token.
     * @return The access token.
     */
    public String generateAccessToken() {
        return RandomStringUtils.random(ComponentUtil.getFessConfig().getApiAccessTokenLengthAsInteger(), 0, 0, true, true, null, random);
    }

    /**
     * Get the access token from the request.
     * @param request The request.
     * @return The access token.
     */

        setMechanismListMIC(mechanismListMIC);
    }

    /**
     * Constructs a NegTokenTarg by parsing the provided token bytes
     * @param token the SPNEGO token bytes to parse
     * @throws IOException if parsing fails
     */
    public NegTokenTarg(final byte[] token) throws IOException {
        parse(token);
    }

    /**
     * Gets the negotiation result code
     * @return the result code
     */

		t.Fatal(err)
	}

	creds := globalActiveCred
	token, err := getTokenString(creds.AccessKey, creds.SecretKey)
	if err != nil {
		t.Fatalf("unable get token %s", err)
	}
	testCases := []struct {
		req         *http.Request
		expectedErr error
	}{
		// Set valid authorization header.
		{
			req: &http.Request{
				Header: http.Header{
					"Authorization": []string{token},
				},
			},
			expectedErr: nil,
		},

        // Test constructor with whitespace in type
        String type = "  Bearer Token  ";
        String message = "Whitespace in token type";
        InvalidAccessTokenException exception = new InvalidAccessTokenException(type, message);

        assertEquals("  Bearer Token  ", exception.getType());
        assertEquals(message, exception.getMessage());
        assertNull(exception.getCause());

app = FastAPI()

oauth2_scheme = OAuth2AuthorizationCodeBearer(
    authorizationUrl="authorize",
    tokenUrl="token",
    description="OAuth2 Code Bearer",
    auto_error=True,
)


@app.get("/items/")
async def read_items(token: str | None = Security(oauth2_scheme)):
    return {"token": token}


client = TestClient(app)


def test_no_token():
    response = client.get("/items")

    }

    /**
     * Test parsing of {@link KerberosConstants#AUTH_DATA_PAC} with an invalid token.
     * Expects a {@link PACDecodingException} to be thrown.
     */
    @Test
    void testParseAuthDataPacWithInvalidToken() {
        // GIVEN an invalid token for AUTH_DATA_PAC
        byte[] invalidToken = "invalid-pac-token".getBytes();

        // WHEN parsing the auth data
        // THEN a PACDecodingException should be thrown

import org.codelibs.fess.app.web.api.admin.BaseSearchBody;

/**
 * Search request body for access token administration.
 * Extends BaseSearchBody with access token-specific search parameters.
 */
public class SearchBody extends BaseSearchBody {

    /** The access token ID to search for. */
    public String id;

    /**
     * Default constructor for SearchBody.
     */
    public SearchBody() {