def create_access_token(data: dict, expires_delta: Union[timedelta, None] = None):
    to_encode = data.copy()
    if expires_delta:
        expire = datetime.now(timezone.utc) + expires_delta
    else:
        expire = datetime.now(timezone.utc) + timedelta(minutes=15)
    to_encode.update({"exp": expire})
    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
    return encoded_jwt


async def get_current_user(

		field, bts, err = msgp.ReadMapKeyZC(bts)
		if err != nil {
			err = msgp.WrapError(err)
			return
		}
		switch msgp.UnsafeString(field) {
		case "Expire":
			z.Expire, bts, err = msgp.ReadBoolBytes(bts)
			if err != nil {
				err = msgp.WrapError(err, "Expire")
				return
			}
		default:
			bts, err = msgp.Skip(bts)
			if err != nil {
				err = msgp.WrapError(err)
				return
			}
		}
	}

#### KeyCloak

```
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123
export MINIO_IDENTITY_OPENID_CONFIG_URL=http://localhost:8080/auth/realms/demo/.well-known/openid-configuration
export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
minio server /mnt/data
```

#### Casdoor

```
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123

		ACB_WSTRUST                = 0x00000080, /* 1 = Workstation trust account */
		ACB_SVRTRUST               = 0x00000100, /* 1 = Server trust account */
		ACB_PWNOEXP                = 0x00000200, /* 1 = User password does not expire */
		ACB_AUTOLOCK               = 0x00000400, /* 1 = Account auto locked */
		ACB_ENC_TXT_PWD_ALLOWED    = 0x00000800, /* 1 = Encryped text password is allowed */

    }


    /**
     * @param ref
     * @param reqPath
     * @param expire
     * @param consumed
     * @return referral data
     */
    public static DfsReferralDataImpl fromReferral ( Referral ref, String reqPath, long expire, int consumed ) {
        DfsReferralDataImpl dr = new DfsReferralDataImpl();
        String[] arr = new String[4];

Example:

```sh
export MINIO_DOMAIN=mydomain.com
minio server /data
```

For advanced use cases `MINIO_DOMAIN` environment variable supports multiple-domains with comma separated values.

```sh
export MINIO_DOMAIN=sub1.mydomain.com,sub2.mydomain.com
minio server /data
```

## Explore Further

	if err != nil {
		return err
	}
	if numDays <= 0 {
		return errLifecycleInvalidDays
	}
	*eDays = ExpirationDays(numDays)
	return nil
}

// MarshalXML encodes number of days to expire if it is non-zero and
// encodes empty string otherwise
func (eDays ExpirationDays) MarshalXML(e *xml.Encoder, startElement xml.StartElement) error {
	if eDays == 0 {
		return nil
	}

		ACB_WSTRUST                = 0x00000080, /* 1 = Workstation trust account */
		ACB_SVRTRUST               = 0x00000100, /* 1 = Server trust account */
		ACB_PWNOEXP                = 0x00000200, /* 1 = User password does not expire */
		ACB_AUTOLOCK               = 0x00000400, /* 1 = Account auto locked */
		ACB_ENC_TXT_PWD_ALLOWED    = 0x00000800, /* 1 = Encryped text password is allowed */

}
```

These credentials can now be used to perform MinIO API operations, these credentials automatically expire in 1hr. To understand more about credential expiry duration and client grants STS API read further [here](https://github.com/minio/minio/blob/master/docs/sts/client-grants.md).

## Explore Further

- [MinIO STS Quickstart Guide](https://min.io/docs/minio/linux/developers/security-token-service.html)

* For HTTPS, **the server** needs to **have "certificates"** generated by a **third party**.
    * Those certificates are actually **acquired** from the third party, not "generated".
* Certificates have a **lifetime**.
    * They **expire**.
    * And then they need to be **renewed**, **acquired again** from the third party.
* The encryption of the connection happens at the **TCP level**.
    * That's one layer **below HTTP**.