"name": "core-api",
    "path": "subprojects/core-api",
    "unitTests": true,
    "functionalTests": true,
    "crossVersionTests": false
  },
  {
    "name": "core-flow-services-api",
    "path": "platforms/core-configuration/core-flow-services-api",
    "unitTests": false,
    "functionalTests": true,
    "crossVersionTests": false
  },
  {
    "name": "core-kotlin-extensions",

    * HTTP Digest, etc.
* `oauth2`: all the OAuth2 ways to handle security (called "flows").
    * Several of these flows are appropriate for building an OAuth 2.0 authentication provider (like Google, Facebook, X (Twitter), GitHub, etc):
        * `implicit`
        * `clientCredentials`
        * `authorizationCode`
    * But there is one specific "flow" that can be perfectly used for handling authentication in the same application directly:

        String logoutUrl = "https://sso.example.com/logout";
        authenticator.setLogoutUrl(logoutUrl);

        // Execute authentication flow
        LoginCredential loginResult = authenticator.getLoginCredential();
        assertNotNull(loginResult);

        TestLoginCredentialResolver resolver = new TestLoginCredentialResolver();

Subclass [EventListener](https://square.github.io/okhttp/5.x/okhttp/okhttp3/-event-listener/) and override methods for the events you are interested in. In a successful HTTP call with no redirects or retries the sequence of events is described by this flow.

![Events Diagram](../assets/images/******@****.***)

        verify(response).flushBuffer();
    }

    /**
     * Test doGet with NTLM authentication for directory listing
     * This test verifies the authentication flow without actual network operations
     */
    @Test
    void testDoGet_DirectoryListing() throws Exception {
        // Create a test-specific NetworkExplorer that mocks file operations

    //                                                                      ==============

    /**
     * Main SSO authentication endpoint.
     *
     * This method handles the primary SSO authentication flow. It checks if a user
     * is already logged in, attempts SSO authentication, and handles various
     * authentication scenarios including success, failure, and challenge responses.
     *

 *  Fix: Don't lose HTTP/2 flow control bytes when incoming data races with a stream close. If this
    happened enough then eventually the connection would stall.

 *  Fix: Acknowledge and apply inbound HTTP/2 settings atomically. Previously we had a race where we
    could use new flow control capacity before acknowledging it, causing strict HTTP/2 servers to
    fail the call.

當我們登入自己的應用（可能也有自己的前端）時，這是合適的。

因為我們可以信任它接收 `username` 與 `password`，因為我們掌控它。

但如果你要打造一個讓他人連接的 OAuth2 應用（也就是你要建立一個相當於 Facebook、Google、GitHub 等的身分驗證提供者），你應該使用其他流程之一。

最常見的是 Implicit Flow（隱式流程）。

最安全的是 Authorization Code Flow（授權碼流程），但它需要更多步驟、實作也更複雜。因為較複雜，許多提供者最後會建議使用隱式流程。

/// note

很常見的是，每個身分驗證提供者會用不同的方式命名他們的流程，讓它成為品牌的一部分。

但最終，他們實作的都是相同的 OAuth2 標準。

///

        assertDoesNotThrow(() -> spiedConnection.getInputStream());
    }

    /**
     * Test a successful NTLM authentication handshake.
     * This is a simplified test that verifies the basic flow without full NTLM protocol simulation.
     * @throws IOException
     * @throws SecurityException
     */
    @Test
    void testSuccessfulHandshake() throws IOException, SecurityException {

当我们登录自己的应用（很可能还有我们自己的前端）时，这是合适的。

因为我们可以信任它来接收 `username` 和 `password`，毕竟我们掌控它。

但如果你在构建一个 OAuth2 应用，让其它应用来连接（也就是说，你在构建等同于 Facebook、Google、GitHub 等的身份验证提供商），你应该使用其它的流。

最常见的是隐式流（implicit flow）。

最安全的是代码流（authorization code flow），但实现更复杂，需要更多步骤。也因为更复杂，很多提供商最终会建议使用隐式流。

/// note | 注意

每个身份验证提供商常常会用不同的方式给它们的流命名，以融入自己的品牌。

但归根结底，它们实现的都是同一个 OAuth2 标准。

///