TestByteSource okSource = new TestByteSource(bytes);
      assertThrows(IOException.class, () -> okSource.copyTo(new TestByteSink(option)));
      // ensure stream was closed IF it was opened (depends on implementation whether or not it's
      // opened at all if sink.newOutputStream() throws).
      assertTrue(
          "stream not closed when copying to sink with option: " + option,

    ]),
    row.new('Network')
    + row.withPanels([
      panels.timeSeries.connections('Connections', queries.connections, 'Connections opened and closed per instance'),
      panels.timeSeries.bytesRate('Bytes Transmitted', queries.bytes, 'Bytes sent and received per instance'),
      panels.timeSeries.dns('DNS Request', queries.dns, 'DNS queries received per instance'),

// See the License for the specific language governing permissions and
// limitations under the License.

//go:build !fips
// +build !fips

package openid

import (
	"crypto"

	"github.com/golang-jwt/jwt/v4"

	// Needed for SHA3 to work - See: https://golang.org/src/crypto/crypto.go?s=1034:1288

name: Test Redistribute

on:
  push:
    branches:
      - master
  pull_request:
    types:
      - opened
      - synchronize

jobs:
  test-redistribute:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        package:
          - fastapi
          - fastapi-slim
    steps:
      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}

      TestCharSource okSource = new TestCharSource(STRING);
      assertThrows(IOException.class, () -> okSource.copyTo(new TestCharSink(option)));
      // ensure reader was closed IF it was opened (depends on implementation whether or not it's
      // opened at all if sink.newWriter() throws).
      assertTrue(
          "stream not closed when copying to sink with option: " + option,

# The base path of dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to dex. If a
# path is provided, dex's HTTP service will listen at a non-root URL.
issuer: http://127.0.0.1:5556/dex

# The storage configuration determines where dex stores its state. Supported
# options include SQL flavors and Kubernetes third party resources.
#

OPA is a lightweight general-purpose policy engine that can be co-located with MinIO server, in this document we talk about how to use OPA HTTP API to authorize requests. It can be used with any type of credentials (STS based like OpenID or LDAP, regular IAM users or service accounts).

OPA is enabled through MinIO's Access Management Plugin feature.

## Get started

### 1. Start OPA in a container

```sh
podman run -it \
    --name opa \

export MINIO_IDENTITY_OPENID_CONFIG_URL="http://localhost:5556/dex/.well-known/openid-configuration"
export MINIO_IDENTITY_OPENID_CLIENT_ID="minio-client-app"
export MINIO_IDENTITY_OPENID_CLIENT_SECRET="minio-client-app-secret"
export MINIO_IDENTITY_OPENID_CLAIM_NAME="groups"
export MINIO_IDENTITY_OPENID_SCOPES="openid,groups"

export MINIO_IDENTITY_OPENID_REDIRECT_URI="http://127.0.0.1:10000/oauth_callback"

// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package openid

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
)

// JWKS - https://tools.ietf.org/html/rfc7517

import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;

import jakarta.annotation.PostConstruct;