运行服务器并打开文档：[http://127.0.0.1:8000/docs](http://127.0.0.1:8000/docs)。

你会看到这样的用户界面：

<img src="/img/tutorial/security/image07.png">

像之前一样进行授权。

使用以下凭证：

用户名: `johndoe`
密码: `secret`

/// check | 检查

注意，代码中的任何地方都没有明文密码 “`secret`”，我们只有它的哈希版本。

///

<img src="/img/tutorial/security/image08.png">

调用 `/users/me/` 端点，你将得到如下响应：

```JSON
{
  "username": "johndoe",

```
 mc admin tier add azure source AZURETIER --endpoint https://blob.core.windows.net --access-key AZURE_ACCOUNT_NAME --secret-key AZURE_ACCOUNT_KEY  --bucket azurebucket --prefix testprefix1/
```

> The admin user running this command needs the "admin:SetTier" and "admin:ListTier" permissions if not running as root.

        }
        return value;
    }

    /**
     * Gets the Entra ID client secret from configuration.
     * Uses new entraid.client.secret key with fallback to legacy aad.client.secret.
     * @return The client secret.
     */
    protected String getClientSecret() {
        String value = ComponentUtil.getFessConfig().getSystemProperty(ENTRAID_CLIENT_SECRET);

Using these tools, you can make the security system compatible with any database and with any user or data model.

The only detail missing is that it is not actually "secure" yet.

		}

		// Retrieve the credential's claims.
		secret, err := getTokenSigningKey()
		if err != nil {
			c.Fatalf("Error getting token signing key: %v", err)
		}
		claims, err := getClaimsFromTokenWithSecret(value.SessionToken, secret)
		if err != nil {
			c.Fatalf("Error getting claims from token: %v", err)
		}

		// Validate claims.

	exit_1
fi

./mc admin user svcacct add minio2 foobar --access-key testsvc --secret-key testsvc123
if [ $? -ne 0 ]; then
	echo "adding svc account failed, exiting.."
	exit_1
fi

./mc admin user svcacct add minio2 minio --access-key testsvc2 --secret-key testsvc123
if [ $? -ne 0 ]; then
	echo "adding root svc account testsvc2 failed, exiting.."
	exit_1
fi

sleep 10

| [**AssumeRole**](https://github.com/minio/minio/blob/master/docs/sts/assume-role.md)   | Let MinIO users request temporary credentials using user access and secret keys.                                                              |

### Understanding JWT Claims

> NOTE: JWT claims are only meant for WebIdentity and ClientGrants.

- Run MinIO with a single secret key. MinIO supports a static cryptographic key
  that can act as minimal KMS. With this method all IAM data will be stored
  encrypted. The encryption key has to be passed as environment variable.
- Run MinIO with KES (minio/kes) in combination with any supported KMS as
  secure key store. For example, you can run MinIO + KES + Hashicorp Vault.

## 實際操作看看 { #see-it-in-action }

開啟互動式文件：[http://127.0.0.1:8000/docs](http://127.0.0.1:8000/docs)。

### 驗證身分 { #authenticate }

點選「Authorize」按鈕。

使用下列帳密：

User: `johndoe`

Password: `secret`

<img src="/img/tutorial/security/image04.png">

在系統中完成驗證後，你會看到如下畫面：

<img src="/img/tutorial/security/image05.png">

### 取得自己的使用者資料 { #get-your-own-user-data }

現在使用 `GET` 方法呼叫路徑 `/users/me`。

### Configure Keycloak Realm

- Go to Clients
  - Click on account
    - Settings
    - Change `Access Type` to `confidential`.
    - Save
  - Click on credentials tab
    - Copy the `Secret` to clipboard.
    - This value is needed for `MINIO_IDENTITY_OPENID_CLIENT_SECRET` for MinIO.

- Go to Users
  - Click on the user