e potente.
* Sicurezza e autenticazione, incluso il supporto per **OAuth2** con **token JWT** e autenticazione **HTTP Basic**.
* Tecniche più avanzate (ma ugualmente semplici) per dichiarare **modelli JSON altamente nidificati** (grazie a Pydantic).
* E altre funzionalità (grazie a Starlette) come:

### VMware

- SAML token delegation (required for Zones support in vSphere) is now supported ([#78876](https://github.com/kubernetes/kubernetes/pull/78876), [@dougm](https://github.com/dougm))
- vSphere SAML token auth is now supported when using Zones ([#75515](https://github.com/kubernetes/kubernetes/pull/75515), [@dougm](https://github.com/dougm))

### **Cluster Lifecycle**

*   You must either specify the `--discovery-token-ca-cert-hash` flag to `kubeadm join`, or opt out of the CA pinning feature using `--discovery-token-unsafe-skip-ca-verification`.
*   The default `auto-detect` behavior of the kubelet's `--cloud-provider` flag is removed.

enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the [TokenRequest](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this [guide](https://kubernetes.io/docs/concepts/configurati...

* `--service-account-lookup` now defaults to true, requiring the Secret API object containing the token to exist in order for a service account token to be valid. This enables service account tokens to be revoked by deleting the Secret object containing the token. ([#44071](https://github.com/kubernetes/kubernetes/pull/44071), [@liggitt](https://github.com/liggitt))

# パスワード（およびハッシュ化）によるOAuth2、JWTトークンによるBearer

これでセキュリティの流れが全てわかったので、<abbr title="JSON Web Tokens">JWT</abbr>トークンと安全なパスワードのハッシュ化を使用して、実際にアプリケーションを安全にしてみましょう。

このコードは、アプリケーションで実際に使用したり、パスワードハッシュをデータベースに保存するといった用途に利用できます。

本章では、前章の続きから始めて、コードをアップデートしていきます。

## JWT について

JWTとは「JSON Web Tokens」の略称です。

JSONオブジェクトをスペースのない長く密集した文字列で表現したトークンの仕様です。例えば次のようになります：

```

labels.purgeUserInfoDay=刪除以前的使用者日誌
labels.reading=讀音
labels.roleTypeIds=角色ID
labels.scriptData=腳本
labels.scriptResult=結果
labels.scriptType=執行方法
labels.segmentation=分段
labels.startTime=開始時間
labels.target=目標
labels.token=令牌
labels.synonymFile=同義詞檔案
labels.stopwordsFile=停用詞檔案
labels.stemmerOverrideFile=詞幹覆蓋檔案
labels.mappingFile=映射檔案
labels.protwordsFile=Protwords檔案
labels.kuromojiFile=Kuromoji檔案
labels.elevateWordFile=提升詞檔案

pkg go/token, const COLON = 58
pkg go/token, const COMMA = 52
pkg go/token, const COMMENT = 2
pkg go/token, const CONST = 64
pkg go/token, const CONTINUE = 65
pkg go/token, const DEC = 38
pkg go/token, const DEFAULT = 66
pkg go/token, const DEFER = 67
pkg go/token, const DEFINE = 47
pkg go/token, const ELLIPSIS = 48
pkg go/token, const ELSE = 68
pkg go/token, const EOF = 1
pkg go/token, const EQL = 39

- Upon receiving a LIST request with an expired continue token, the apiserver now returns a continue token together with the 410 "the from parameter is too old" error. If the client does not care about getting a list from a consistent snapshot, the client can use this token to continue listing from the next key, but the returned chunk will be from the latest snapshot. ([#67284](https://github.com/kubernetes/kubernetes/pull/67284),...

* client-go: shortens refresh period for token files to 1 minute to ensure auto-rotated projected service account tokens are read frequently enough. ([#72437](https://github.com/kubernetes/kubernetes/pull/72437), [@liggitt](https://github.com/liggitt))