```Python hl_lines="55-64  67-70  88"
{!> ../../docs_src/security/tutorial003_py310.py!}
```

////

/// 정보

여기서 반환하는 값이 `Bearer`인 추가 헤더 `WWW-Authenticate`도 사양의 일부입니다.

모든 HTTP(오류) 상태 코드 401 "UNAUTHORIZED"는 `WWW-Authenticate` 헤더도 반환해야 합니다.

베어러 토큰의 경우(지금의 경우) 해당 헤더의 값은 `Bearer`여야 합니다.

실제로 추가 헤더를 건너뛸 수 있으며 여전히 작동합니다.

그러나 여기에서는 사양을 준수하도록 제공됩니다.

	}

	cert, ok := clientKey.(*ssh.Certificate)
	if !ok {
		return errSftpPublicKeyWithoutCert
	}

	// ssh.CheckCert called by ssh.Authenticate accepts certificates
	// with empty principles list so we block those in here.
	if len(cert.ValidPrincipals) == 0 {
		return errSftpCertWithoutPrincipals
	}

     */
    private fun isEndToEnd(fieldName: String): Boolean {
      return !"Connection".equals(fieldName, ignoreCase = true) &&
        !"Keep-Alive".equals(fieldName, ignoreCase = true) &&
        !"Proxy-Authenticate".equals(fieldName, ignoreCase = true) &&
        !"Proxy-Authorization".equals(fieldName, ignoreCase = true) &&
        !"TE".equals(fieldName, ignoreCase = true) &&
        !"Trailers".equals(fieldName, ignoreCase = true) &&

{!> ../../docs_src/security/tutorial003.py!}
```

////

/// info | Informação

O cabeçalho adicional `WWW-Authenticate` com valor `Bearer` que estamos retornando aqui também faz parte da especificação.

Qualquer código de status HTTP (erro) 401 "UNAUTHORIZED" também deve retornar um cabeçalho `WWW-Authenticate`.

No caso de tokens ao portador (nosso caso), o valor desse cabeçalho deve ser `Bearer`.

if [[ "$TFCI_MACOS_TWINE_INSTALL_ENABLE" == 1 ]]; then
  pip install twine==3.6.0
fi

# Scheduled nightly and release builds upload build artifacts (Pip packages,
# Libtensorflow archives) to GCS buckets. TFCI Mac VMs need to authenticate as
# a service account that has the right permissions to be able to do so.
set +x
if [[ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]]; then
  # Python 3.12 removed the module `imp` which is needed by gcloud CLI so we set

In this exception, we include the scopes required (if any) as a string separated by spaces (using `scope_str`). We put that string containing the scopes in the `WWW-Authenticate` header (this is part of the spec).

{* ../../docs_src/security/tutorial005_an_py310.py hl[106,108:116] *}

## Verify the `username` and data shape

We verify that we get a `username`, and extract the scopes.

  /** The HTTP {@code P3P} header field name. Limited browser support. */
  public static final String P3P = "P3P";
  /** The HTTP {@code Proxy-Authenticate} header field name. */
  public static final String PROXY_AUTHENTICATE = "Proxy-Authenticate";
  /** The HTTP {@code Refresh} header field name. Non-standard header supported by most browsers. */
  public static final String REFRESH = "Refresh";
  /**

 * They don't specify whether a specific proxy server should be used or how to authenticate with that proxy server.

They're also concrete: each URL identifies a specific path (like `/square/okhttp`) and query (like `?q=sharks&lang=en`). Each webserver hosts many URLs.

authentication, you don't need to use `mc` to generate prometheus config. You can skip reading further and move to 3.2 section.

The Prometheus endpoint in MinIO requires authentication by default. Prometheus supports a bearer token approach to authenticate prometheus scrape requests, override the default Prometheus config with the one generated using mc. To generate a Prometheus config for an alias, use [mc](https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart) as follows `mc admin...

      Header("if-unmodified-since", ""),
      Header("last-modified", ""),
      Header("link", ""),
      Header("location", ""),
      Header("max-forwards", ""),
      Header("proxy-authenticate", ""),
      Header("proxy-authorization", ""),
      Header("range", ""),
      Header("referer", ""),
      Header("refresh", ""),
      Header("retry-after", ""),
      Header("server", ""),