byte[] token = createTestTicketBytes(new BigInteger(KerberosConstants.KERBEROS_VERSION), SERVER_REALM, SERVER_PRINCIPAL_NAME,
                ENCRYPTION_TYPE, ENCRYPTED_DATA, null);
        when(kerberosKey.getKeyType()).thenReturn(99); // Different key type

        PACDecodingException e = assertThrows(PACDecodingException.class, () -> new KerberosTicket(token, (byte) 0, keys));

 * <li>TOKEN_NAME - The name of the token parameter.</li>
 * <li>TOKEN_METHOD - The HTTP method to use for the token request (GET or POST).</li>
 * <li>TOKEN_PARAMETERS - The parameters to include in the token request.</li>
 * <li>LOGIN_METHOD - The HTTP method to use for the login request (GET or POST).</li>
 * <li>LOGIN_URL - The URL to send the login request to.</li>

    return encoded_jwt


async def get_current_user(token: str = Depends(oauth2_scheme)):
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        username = payload.get("sub")

///

## Return the token { #return-the-token }

The response of the `token` endpoint must be a JSON object.

It should have a `token_type`. In our case, as we are using "Bearer" tokens, the token type should be "`bearer`".

And it should have an `access_token`, with a string containing our access token.

///

## Devolver el token { #return-the-token }

El response del endpoint `token` debe ser un objeto JSON.

Debe tener un `token_type`. En nuestro caso, como estamos usando tokens "Bearer", el tipo de token debe ser "`bearer`".

Y debe tener un `access_token`, con un string que contenga nuestro token de acceso.

		case "Endpoint":
			z.Endpoint, err = dc.ReadString()
			if err != nil {
				err = msgp.WrapError(err, "Endpoint")
				return
			}
		case "Token":
			z.Token, err = dc.ReadString()
			if err != nil {
				err = msgp.WrapError(err, "Token")
				return
			}
		default:
			err = dc.Skip()
			if err != nil {
				err = msgp.WrapError(err)
				return
			}
		}
	}
	return
}

<img src="/img/tutorial/security/image11.png">

## 內含 scopes 的 JWT token { #jwt-token-with-scopes }

現在，修改 token 的路徑操作以回傳所請求的 scopes。

我們仍然使用相同的 `OAuth2PasswordRequestForm`。它包含屬性 `scopes`，其為 `list` 的 `str`，列出請求中收到的每個 scope。

並且我們將這些 scopes 作為 JWT token 的一部分回傳。

/// danger

為了簡化，這裡我們只是直接把接收到的 scopes 加進 token。

但在你的應用中，為了安全性，你應確保只加入該使用者實際可擁有或你預先定義的 scopes。

///

	defer r.closeRespFn(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return errors.New(resp.Status)
	}

	return r.pubKeys.parseAndAdd(resp.Body)
}

// ErrTokenExpired - error token expired
var (
	ErrTokenExpired = errors.New("token expired")
)

func updateClaimsExpiry(dsecs string, claims map[string]any) error {
	expStr := claims["exp"]
	if expStr == "" {
		return ErrTokenExpired
	}

    private static SpnegoToken getToken(final byte[] token, final int off, final int len) throws SpnegoException {
        byte[] b = new byte[len];
        if (off == 0 && token.length == len) {
            b = token;
        } else {
            System.arraycopy(token, off, b, 0, len);
        }
        return getToken(b);
    }

    private static SpnegoToken getToken(final byte[] token) throws SpnegoException {

permissions:
  issues: write

concurrency:
  group: lock

jobs:
  action:
    runs-on: ubuntu-latest
    steps:
      - uses: dessant/lock-threads@v3
        with:
          github-token: ${{ github.token }}
          issue-inactive-days: '365'
          exclude-any-issue-labels: 'do-not-close'
          issue-lock-reason: 'resolved'