else
  # The volume mapping flag below shares the user's gcloud credentials, if any,
  # with the container, in case the user has credentials stored there.
  # This would allow Bazel to authenticate for RBE.
  # Note: TF's CI does not have any credentials stored there.
  TFCI_DOCKER_ARGS="$TFCI_DOCKER_ARGS -v $HOME/.config/gcloud:/root/.config/gcloud"

{!> ../../docs_src/security/tutorial003.py!}
```

////

/// info

Der zusätzliche Header `WWW-Authenticate` mit dem Wert `Bearer`, den wir hier zurückgeben, ist ebenfalls Teil der Spezifikation.

Jeder HTTP-(Fehler-)Statuscode 401 „UNAUTHORIZED“ soll auch einen `WWW-Authenticate`-Header zurückgeben.

Im Fall von Bearer-Tokens (in unserem Fall) sollte der Wert dieses Headers `Bearer` lauten.

		fmt.Println("AccessKeyID:", v.AccessKeyID)
		fmt.Println("SecretAccessKey:", v.SecretAccessKey)
		fmt.Println("SessionToken:", v.SessionToken)
		return
	}

	// Use generated credentials to authenticate with MinIO server
	stsEndpointURL, err := url.Parse(stsEndpoint)
	if err != nil {
		log.Fatalf("Error parsing sts endpoint: %v", err)
	}
	copts := &minio.Options{
		Creds:  li,

            if self.auto_error:
                raise HTTPException(
                    status_code=HTTP_401_UNAUTHORIZED,
                    detail="Not authenticated",
                    headers={"WWW-Authenticate": "Bearer"},
                )
            else:
                return None
        return param


class OAuth2AuthorizationCodeBearer(OAuth2):
    """

ISTIO_ZTUNNEL_BASE_URL="${ISTIO_ZTUNNEL_BASE_URL:-https://storage.googleapis.com/istio-build/ztunnel}"

# If we are not using the default, assume its private and we need to authenticate
if [[ "${ISTIO_ZTUNNEL_BASE_URL}" != "https://storage.googleapis.com/istio-build/ztunnel" ]]; then
  AUTH_HEADER="Authorization: Bearer $(gcloud auth print-access-token)"
  export AUTH_HEADER
fi

因此，在端点中，只有当用户存在、通过身份验证、且状态为激活时，才能获得该用户：

```Python hl_lines="58-67  69-72  90"
{!../../docs_src/security/tutorial003.py!}
```

/// info | "说明"

此处返回值为 `Bearer` 的响应头 `WWW-Authenticate` 也是规范的一部分。

任何 401**UNAUTHORIZED**HTTP（错误）状态码都应返回 `WWW-Authenticate` 响应头。

本例中，因为使用的是 Bearer Token，该响应头的值应为 `Bearer`。

实际上，忽略这个附加响应头，也不会有什么问题。

之所以在此提供这个附加响应头，是为了符合规范的要求。

说不定什么时候，就有工具用得上它，而且，开发者或用户也可能用得上。

这就是遵循标准的好处……

  // +optional
  repeated string audiences = 2;
}

// TokenReviewStatus is the result of the token authentication request.
message TokenReviewStatus {
  // Authenticated indicates that the token was associated with a known user.
  // +optional
  optional bool authenticated = 1;

  // User is the UserInfo associated with the provided token.
  // +optional
  optional UserInfo user = 2;

        }
        String authHeader;
        if (response == HTTP_UNAUTHORIZED) {
            authHeader = "WWW-Authenticate";
            authProperty = "Authorization";
        } else {
            authHeader = "Proxy-Authenticate";
            authProperty = "Proxy-Authorization";
        }
        String authorization = null;

          <description>
            The username used to authenticate.
          </description>
          <type>String</type>
        </field>
        <field>
          <name>password</name>
          <version>1.0.0+</version>
          <description>
            The password used in conjunction with the username to authenticate.
          </description>
          <type>String</type>
        </field>

	if err != nil {
		log.Fatalln(err)
	}

	err = madmClnt.ServiceRestart(context.Background())
	if err != nil {
		log.Fatalln(err)
	}

	// Use generated credentials to authenticate with MinIO server
	minioClient, err := minio.New(stsEndpointURL.Host, opts)
	if err != nil {
		log.Fatalf("Error initializing client: %v", err)
	}

	// Use minIO Client object normally like the regular client.