token := getSessionToken(r)
	if token != "" && cred.AccessKey == "" {
		// x-amz-security-token is not allowed for anonymous access.
		return nil, ErrNoAccessKey
	}

	if token == "" && cred.IsTemp() && !cred.IsServiceAccount() {
		// Temporary credentials should always have x-amz-security-token
		return nil, ErrInvalidToken
	}

	if token != "" && !cred.IsTemp() {

 * <li>TOKEN_NAME - The name of the token parameter.</li>
 * <li>TOKEN_METHOD - The HTTP method to use for the token request (GET or POST).</li>
 * <li>TOKEN_PARAMETERS - The parameters to include in the token request.</li>
 * <li>LOGIN_METHOD - The HTTP method to use for the login request (GET or POST).</li>
 * <li>LOGIN_URL - The URL to send the login request to.</li>

package provider

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
	"sync"
)

// Token - parses the output from IDP id_token.
type Token struct {
	AccessToken string `json:"access_token"`
	Expiry      int    `json:"expires_in"`
}

// KeycloakProvider implements Provider interface for KeyCloak Identity Provider.

        return UserInDB(**user_dict)


def fake_decode_token(token):
    # This doesn't provide any security at all
    # Check the next version
    user = get_user(fake_users_db, token)
    return user


async def get_current_user(token: Annotated[str, Depends(oauth2_scheme)]):
    user = fake_decode_token(token)
    if not user:
        raise HTTPException(

    return encoded_jwt


async def get_current_user(token: Annotated[str, Depends(oauth2_scheme)]):
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        username = payload.get("sub")

    /**
     * Initializes the security context with the given token.
     * @param token the input token bytes
     * @param off offset into the token array
     * @param len length of token data
     * @return result token
     * @throws SmbException if an SMB protocol error occurs
     * @throws CIFSException if a general CIFS error occurs
     */
    byte[] initSecContext(byte[] token, int off, int len) throws CIFSException;

    /**

):
    if current_user.disabled:
        raise HTTPException(status_code=400, detail="Inactive user")
    return current_user


@app.post("/token")
async def login_for_access_token(
    form_data: OAuth2PasswordRequestForm = Depends(),
) -> Token:
    user = authenticate_user(fake_users_db, form_data.username, form_data.password)
    if not user:

For example, to declare a header of `X-Token` that can appear more than once, you can write:

{* ../../docs_src/header_params/tutorial003_an_py310.py hl[9] *}

If you communicate with that *path operation* sending two HTTP headers like:

```
X-Token: foo
X-Token: bar
```

The response would be like:

```JSON
{
    "X-Token values": [
        "bar",
        "foo"
    ]
}
```

<img src="/img/tutorial/security/image11.png">

## 內含 scopes 的 JWT token { #jwt-token-with-scopes }

現在，修改 token 的路徑操作以回傳所請求的 scopes。

我們仍然使用相同的 `OAuth2PasswordRequestForm`。它包含屬性 `scopes`，其為 `list` 的 `str`，列出請求中收到的每個 scope。

並且我們將這些 scopes 作為 JWT token 的一部分回傳。

/// danger

為了簡化，這裡我們只是直接把接收到的 scopes 加進 token。

但在你的應用中，為了安全性，你應確保只加入該使用者實際可擁有或你預先定義的 scopes。

///

        @Override
        public byte[] initSecContext(byte[] token, int off, int len) throws CIFSException {
            if (token == null) {
                if (len == 0) {
                    return new byte[0];
                }
                throw new CIFSException("token is null but len > 0");
            }
            if (off < 0 || len < 0 || off > token.length || off + len > token.length) {