- Promoted the `ServiceAccountTokenPodNodeInfo` feature to GA, which adds the node name and uid as claims into service account tokens mounted into running pods, and embeds that information as `authentication.kubernetes.io/node-name` and `authentication.kubernetes.io/node-uid` user extra info when the token is used

- Structured Authentication Configuration now supports configuring multiple JWT authenticators. The maximum allowed JWT authenticators in the authentication configuration is 64. ([#123431](https://github.com/kubernetes/kubernetes/pull/123431), [@aramase](https://github.com/aramase))

### API Change

- '`kube-apiserver`: adds `--authentication-config` flag for reading `AuthenticationConfiguration`
  files. `--authentication-config` flag is mutually exclusive with the existing `--oidc-*`
  flags.' ([#119142](https://github.com/kubernetes/kubernetes/pull/119142), [@aramase](https://github.com/aramase))

        verify(mockDelegate).getTransactionBufferSize();
        verify(mockDelegate).getBufferCacheSize();
        verify(mockDelegate).getNotifyBufferSize();
    }

    @Test
    @DisplayName("Authentication configuration should delegate correctly")
    void testAuthenticationConfigurationDelegation() {
        // Given
        when(mockDelegate.getLanManCompatibility()).thenReturn(3);

    /**
     * Creates a default CIFSContext for multi-channel operations.
     * In a production implementation, this should be replaced with proper context sharing
     * from the main session to ensure consistent authentication and configuration.
     */
    private jcifs.CIFSContext createDefaultContext() throws CIFSException {
        try {
            // Use the configuration from the MultiChannelManager

relatively simple way.

You can learn more in the **Advanced User Guide** about how to use OAuth2 "scopes", for a more fine-grained permission system, following these same standards. OAuth2 with scopes is the mechanism used by many big authentication providers, like Facebook, Google, GitHub, Microsoft, X (Twitter), etc. to authorize third party applications to interact with their APIs on behalf of their users....

                log.trace("doConnect: " + addr);
            }
            t.treeConnect(null, null);
            return t.acquire();
        } catch (final SmbAuthException sae) {
            log.debug("Authentication failed", sae);
            return retryAuthentication(loc, share, trans, t, referral, sae);
        }
    }

		t.Fatalf("unable create credential, %s", err)
	}

	globalActiveCred = creds

	globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second)

	// List of test cases for validating http request authentication.
	testCases := []struct {
		req     *http.Request
		s3Error APIErrorCode
	}{
		// When request is unsigned, access denied is returned.

//   notify:
//     endpoint: "https://notify.endpoint" # notification endpoint to receive job status events
//     token: "Bearer xxxxx" # optional authentication token for the notification endpoint

//   retry:
//     attempts: 10 # number of retries for the job before giving up
//     delay: "500ms" # least amount of delay between each retry

	if c.TraceOutput != nil && resp.StatusCode != http.StatusOK {
		c.dumpHTTP(req, resp)
	}

	if resp.StatusCode != http.StatusOK {
		// If server returns 412 pre-condition failed, it would
		// mean that authentication succeeded, but another
		// side-channel check has failed, we shall take
		// the client offline in such situations.
		// generally all implementations should simply return