org.checkerframework.dataflow.cfg.node
org.checkerframework.dataflow.cfg.playground
org.checkerframework.dataflow.constantpropagation
org.checkerframework.dataflow.qual
org.checkerframework.dataflow.util
org.checkerframework.framework.flow
org.checkerframework.framework.qual
org.checkerframework.framework.source
org.checkerframework.framework.test
org.checkerframework.framework.test.diagnostics
org.checkerframework.framework.type

Am häufigsten ist der „Implicit“-Flow.

Am sichersten ist der „Code“-Flow, die Implementierung ist jedoch komplexer, da mehr Schritte erforderlich sind. Da er komplexer ist, schlagen viele Anbieter letztendlich den „Implicit“-Flow vor.

/// note | "Hinweis"

The following diagram illustrates the flow of unauthenticated traffic with a `PERMISSIVE` policy:

```mermaid
graph TD;
src[src pod]-->|plaintext port|ztunnel{"ztunnel (L4 policy applied here)"}
ztunnel{ztunnel}-->|TLS|wp{waypoint}
wp-->|mTLS|ztunnel

  # Options for controlling the logger.
  logger:
    level: "debug"
    format: "text" # can also be "json"

# Default values shown below
oauth2:
  # use ["code", "token", "id_token"] to enable implicit flow for web-only clients
  responseTypes: [ "code", "token", "id_token" ] # also allowed are "token" and "id_token"
  # By default, Dex will ask for approval to share data with application

# Simple OAuth2 with Password and Bearer

Now let's build from the previous chapter and add the missing parts to have a complete security flow.

## Get the `username` and `password`

We are going to use **FastAPI** security utilities to get the `username` and `password`.

OAuth2 specifies that when using the "password flow" (that we are using) the client/user must send a `username` and `password` fields as form data.

## `username` und `password` entgegennehmen

Wir werden **FastAPIs** Sicherheits-Werkzeuge verwenden, um den `username` und das `password` entgegenzunehmen.

OAuth2 spezifiziert, dass der Client/Benutzer bei Verwendung des „Password Flow“ (den wir verwenden) die Felder `username` und `password` als Formulardaten senden muss.

This is done by an HTTP server running on `/var/run/istio-cni/pluginevent.sock`.

An alternative flow is when a pod is enrolled into ambient mode after it starts up.
In this case, the CNI Agent is watching for Pod events from the API server directly and performing the same setup.
Note this is done while the Pod is running, unlike the CNI plugin flow which occurs before the Pod starts.

  /** Settings we communicate to the peer. */
  val okHttpSettings =
    Settings().apply {
      // Flow control was designed more for servers, or proxies than edge clients. If we are a client,
      // set the flow control window to 16MiB.  This avoids thrashing window updates every 64KiB, yet
      // small enough to avoid blowing up the heap.
      if (builder.client) {

			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         RedirectURI,
			Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback` + defaultHelpPostfix(RedirectURI),
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         config.Comment,
			Description: config.DefaultComment,
			Optional:    true,

org.checkerframework.dataflow.cfg.node
org.checkerframework.dataflow.cfg.playground
org.checkerframework.dataflow.constantpropagation
org.checkerframework.dataflow.qual
org.checkerframework.dataflow.util
org.checkerframework.framework.flow
org.checkerframework.framework.qual
org.checkerframework.framework.source
org.checkerframework.framework.test
org.checkerframework.framework.test.diagnostics
org.checkerframework.framework.type