* This automatic discovery is what is defined in the OpenID Connect specification.


!!! tip
    Integrating other authentication/authorization providers like Google, Facebook, Twitter, GitHub, etc. is also possible and relatively easy.

    The most complex problem is building an authentication/authorization provider like those, but **FastAPI** gives you the tools to do it easily, while doing the heavy lifting for you.

## **FastAPI** utilities

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:

ROLE; public abstract void get(String, java.io.File) throws TransferFailedExcept, ResourceDoesNotExist, authorization.AuthorizationExcepti; public abstract boolean getIfNewer(String, java.io.File, long) throws TransferFailedExcept, ResourceDoesNotExist, authorization.AuthorizationExcepti; public abstract void put(java.io.File, String) throws TransferFailedExcept, ResourceDoesNotExist, authorization.AuthorizationExcepti; public abstract void putDirectory(java.io.File, String) throws TransferFailedExcept,...

@needs_py310
def test_token(client: TestClient):
    access_token = get_access_token(scope="me", client=client)
    response = client.get(
        "/users/me", headers={"Authorization": f"Bearer {access_token}"}
    )
    assert response.status_code == 200, response.text
    assert response.json() == {
        "username": "johndoe",
        "full_name": "John Doe",

    response = client.get("/users/me", headers={"Authorization": "Bearer nonexistent"})
    assert response.status_code == 401, response.text
    assert response.json() == {"detail": "Could not validate credentials"}
    assert response.headers["WWW-Authenticate"] == 'Bearer scope="me"'


def test_incorrect_token_type():
    response = client.get(
        "/users/me", headers={"Authorization": "Notexistent testtoken"}
    )

, org.apache.maven.wagon.ResourceDoesNotExist, org.apache.maven.wagon.authorization.AuthorizationExcepti; public java.util.List getFileList(String) throws org.apache.maven.wagon.TransferFailedExcept, org.apache.maven.wagon.ResourceDoesNotExist, org.apache.maven.wagon.authorization.AuthorizationExcepti; public boolean resourceExists(String) throws org.apache.maven.wagon.TransferFailedExcept, org.apache.maven.wagon.authorization.AuthorizationExcepti; static void <clinit>(); } org/apache/maven/wago...

		return checkKeyValid(r, accessKey)
	}

	// below is V2 Signed Auth header format, splitting on `space` (after the `AWS` string).
	// Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature
	authFields := strings.Split(r.Header.Get(xhttp.Authorization), " ")
	if len(authFields) != 2 {
		return auth.Credentials{}, false, ErrMissingFields
	}

of ztunnel is to be a minimal L4 proxy, and as such, its xDS configuration is purposefully limited. In particular, ztunnel only supports 2 (custom) xDS resources: [`Workload`](../../pkg/workloadapi/workload.proto) and [`Authorization`](../../pkg/workloadapi/security/authorization.proto). As such, ztunnel does not receive `PeerAuthentication`s directly; when istiod detects a `PeerAuthentication` resource that targets an Ambient captured workload, it computes the effective policy for that workload...

          @Throws(IOException::class)
          override fun authenticate(
            route: Route?,
            response: Response,
          ): Request? {
            if (response.request.header("Authorization") != null) {
              return null // Give up, we've already attempted to authenticate.
            }

            println("Authenticating for response: $response")

@app.route('/oauth2/callback')
def callback():
    error = request.args.get('error', '')
    if error:
        return "Error: " + error

    authorization_code = request.args.get('code')

    data = {'grant_type': 'authorization_code',
            'code': authorization_code, 'redirect_uri': callback_uri}
    id_token_response = requests.post(
        token_url, data=data, verify=False,