### Authenticate

Click the "Authorize" button.

Use the credentials:

User: `johndoe`

Password: `secret`

<img src="/img/tutorial/security/image04.png">

After authenticating in the system, you will see it like:

<img src="/img/tutorial/security/image05.png">

### Get your own user data

### Authentifizieren

Klicken Sie auf den Button „Authorize“.

Verwenden Sie die Anmeldedaten:

Benutzer: `johndoe`

Passwort: `secret`.

<img src="/img/tutorial/security/image04.png">

Nach der Authentifizierung im System sehen Sie Folgendes:

<img src="/img/tutorial/security/image05.png">

### Die eigenen Benutzerdaten ansehen

Additionally, we create a `secret_name` for the hero, but so far, we are returning it everywhere, that's not very **secret**... 😅

We'll fix these things by adding a few **extra models**. Here's where SQLModel will shine. ✨

### Create Multiple Models

In **SQLModel**, any model class that has `table=True` is a **table model**.

| [**AssumeRole**](https://github.com/minio/minio/blob/master/docs/sts/assume-role.md)   | Let MinIO users request temporary credentials using user access and secret keys.                                                              |

### Understanding JWT Claims

> NOTE: JWT claims are only meant for WebIdentity and ClientGrants.

No, MinIO does not depend on any third-party KMS provider. You have three options here:

- Run MinIO without a KMS. In this case all IAM data will be stored in plain-text.
- Run MinIO with a single secret key. MinIO supports a static cryptographic key
  that can act as minimal KMS. With this method all IAM data will be stored
  encrypted. The encryption key has to be passed as environment variable.

	"errors"
	"io"
	"path"

	"github.com/minio/minio/internal/fips"
	"github.com/minio/minio/internal/hash/sha256"
	"github.com/minio/minio/internal/logger"
	"github.com/minio/sio"
)

// ObjectKey is a 256 bit secret key used to encrypt the object.
// It must never be stored in plaintext.
type ObjectKey [32]byte

// GenerateKey generates a unique ObjectKey from a 256 bit external key

option go_package = "k8s.io/api/authentication/v1";

// BoundObjectReference is a reference to an object that a token is bound to.
message BoundObjectReference {
  // Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
  // +optional
  optional string kind = 1;

  // API version of the referent.
  // +optional
  optional string apiVersion = 2;

  // Name of the referent.
  // +optional
  optional string name = 3;

func (r *Config) PopulatePublicKey(arn arn.ARN) error {
	pCfg := r.arnProviderCfgsMap[arn]
	if pCfg.JWKS.URL == nil || pCfg.JWKS.URL.String() == "" {
		return nil
	}

	// Add client secret for the client ID for HMAC based signature.
	r.pubKeys.add(pCfg.ClientID, []byte(pCfg.ClientSecret))

	client := &http.Client{
		Transport: r.transport,
	}

	resp, err := client.Get(pCfg.JWKS.URL.String())

### Configure Keycloak Realm

- Go to Clients
  - Click on account
    - Settings
    - Change `Access Type` to `confidential`.
    - Save
  - Click on credentials tab
    - Copy the `Secret` to clipboard.
    - This value is needed for `MINIO_IDENTITY_OPENID_CLIENT_SECRET` for MinIO.

- Go to Users
  - Click on the user

```
 mc admin tier add azure source AZURETIER --endpoint https://blob.core.windows.net --access-key AZURE_ACCOUNT_NAME --secret-key AZURE_ACCOUNT_KEY  --bucket azurebucket --prefix testprefix1/
```

> The admin user running this command needs the "admin:SetTier" and "admin:ListTier" permissions if not running as root.