flag.StringVar(&idpEndpoint, "idp-ep", "http://localhost:8080/auth/realms/minio/protocol/openid-connect/token", "IDP token endpoint")
	flag.StringVar(&clientID, "cid", "", "Client ID")
	flag.StringVar(&clientSecret, "csec", "", "Client secret")
}

func getTokenExpiry() (*credentials.ClientGrantsToken, error) {
	data := url.Values{}
	data.Set("grant_type", "client_credentials")

            return
          }

          // https://timothybasanov.com/2016/05/26/java-pre-master-secret.html
          // https://security.stackexchange.com/questions/35639/decrypting-tls-in-wireshark-when-using-dhe-rsa-ciphersuites
          // https://stackoverflow.com/questions/36240279/how-do-i-extract-the-pre-master-secret-using-an-openssl-based-client

          // TLSv1.2 Events
          // Produced ClientHello handshake message

import javax.security.auth.Destroyable;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Secure key management for SMB encryption.
 * Provides centralized management of encryption keys with secure storage and cleanup.
 *
 * Features:
 * - Secure key storage with optional KeyStore integration
 * - Automatic key cleanup on close
 * - Thread-safe key management
 * - Key derivation utilities

    /**
     * Creates a new S3StorageClient instance.
     *
     * @param endpoint the S3 endpoint URL (null for AWS default)
     * @param accessKey the AWS access key
     * @param secretKey the AWS secret key
     * @param bucket the bucket name
     * @param region the AWS region
     */
    public S3StorageClient(final String endpoint, final String accessKey, final String secretKey, final String bucket,

   </ResponseMetadata>
</AssumeRoleWithCertificateResponse>
```

## Authentication Flow

A client can request temp. S3 credentials via the STS API. It can authenticate via a client certificate and obtain a access/secret key pair as well as a session token. These credentials are associated to an S3 policy at the MinIO server.

		return nil, errors.New("both access and secret keys are required")
	}

	if conf.Bucket == "" {
		return nil, errors.New("no bucket name was provided")
	}

	u, err := url.Parse(conf.Endpoint)
	if err != nil {
		return nil, err
	}

	creds := credentials.NewStaticV4(conf.AccessKey, conf.SecretKey, "")
	opts := &minio.Options{
		Creds:           creds,
		Secure:          u.Scheme == "https",

labels.ldap_memberof_attribute=memberOf Attribute
labels.notification_login=Login Page
labels.notification_search_top=Search Top Page
labels.storage_endpoint=Endpoint
labels.storage_access_key=Access Key
labels.storage_secret_key=Secret Key
labels.storage_bucket=Bucket
labels.storage_type=Type
labels.storage_type_auto=Auto
labels.storage_type_s3=S3
labels.storage_type_gcs=GCS
labels.storage_region=Region
labels.storage_project_id=Project ID

  - Navigate to service provider section, expand Inbound Authentication Configurations and expand OAuth/OpenID Connect Configuration.
    - Copy the OAuth Client Key as the value for `<CLIENT_ID>`.
    - Copy the OAuth Client Secret as the value for `<CLIENT_SECRET>`.
  - By default, `<IS_HOST>` is localhost. However, if using a public IP, the respective IP address or domain needs to be specified.

	}

	if target == "" {
		target = Default
	}

	if redactSecrets {
		// If the configuration parameter is a secret, make sure to redact it when
		// we return.
		helpKV, _ := HelpSubSysMap[subSys].Lookup(cfgParam)
		if helpKV.Secret {
			defer func() {
				value = ""
				isRedacted = true
			}()
		}
	}

	envVar := getEnvVarName(subSys, target, cfgParam)

credentials without including MinIO default credentials. Instead, the identity of the caller is validated by using a JWT access token from the identity provider. The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO API operations.

By default, the temporary security credentials created by AssumeRoleWithClientGrants last for one hour. However, use...