/** Shows a browser URL to authorize this app to act as this user. */
  public void requestOauthSession(String scopes, String team) throws Exception {
    if (sessionFactory == null) {
      sessionFactory = new OAuthSessionFactory(slackApi);
      sessionFactory.start();
    }

    HttpUrl authorizeUrl = sessionFactory.newAuthorizeUrl(scopes, team, session -> {
      initOauthSession(session);
      System.out.printf("session granted: %s\n", session);

    
    public int getScore() {
        // Score interface for selection (higher is better)
        int score = linkSpeed;  // Base score is link speed
        
        if (rssCapable) score += 1000;   // Prefer RSS-capable
        if (rdmaCapable) score += 2000;  // Prefer RDMA-capable
        if (!ipv6) score += 100;         // Slight preference for IPv4
        
        return score;
    }
    

    "SignerType": 1
  }
}
```

> NOTE: You can use the `-cscopes` parameter to restrict the requested scopes, for example to `"openid,policy_role_attribute"`, being `policy_role_attribute` a client_scope / client_mapper that maps a role attribute called policy to a `policy` claim returned by Keycloak.

        List<String> scopes = new ArrayList<>(2);
        if (scopeToCollect != null && !scopeToCollect.isEmpty()) {
            scopes.add(scopeToCollect);
        }
        if (scopeToResolve != null && !scopeToResolve.isEmpty()) {
            scopes.add(scopeToResolve);
        }

        if (scopes.isEmpty()) {
            return null;
        } else {

        if (errorRate > 0.1)
            score -= 50;
        else if (errorRate > 0.01)
            score -= 20;

        // Adjust based on interface capabilities
        score += localInterface.getScore() / 100;
        score += remoteInterface.getScore() / 100;

        // Prefer primary channel slightly
        if (isPrimary)
            score += 10;

    path: str | None = None
    scope: Literal["function", "request"] | None = None

    @cached_property
    def oauth_scopes(self) -> list[str]:
        scopes = self.parent_oauth_scopes.copy() if self.parent_oauth_scopes else []
        # This doesn't use a set to preserve order, just in case
        for scope in self.own_oauth_scopes or []:
            if scope not in scopes:
                scopes.append(scope)

		"response_mode": {"form_post"},
		"client_id":     {c.ClientID},
	}
	if c.RedirectURL != "" {
		v.Set("redirect_uri", c.RedirectURL)
	}
	if len(c.Scopes) > 0 {
		v.Set("scope", strings.Join(c.Scopes, " "))
	}
	v.Set("state", state)
	v.Set("nonce", state)
	if strings.Contains(c.Endpoint.AuthURL, "?") {
		buf.WriteByte('&')
	} else {
		buf.WriteByte('?')
	}
	buf.WriteString(v.Encode())

    authorizationUrl="api/oauth/authorize",
    tokenUrl="/api/oauth/token",
    scopes={"read": "Read access", "write": "Write access"},
)


async def get_token(token: Annotated[str, Depends(oauth2_scheme)]) -> str:
    return token


app = FastAPI(dependencies=[Depends(get_token)])


@app.get("/admin", dependencies=[Security(get_token, scopes=["read", "write"])])
async def read_admin():
    return {"message": "Admin Access"}

    }

    /**
     * Creates a new PathScope instance with the specified ID, project scope, and dependency scopes.
     *
     * @param id the identifier for the path scope
     * @param projectScope the project scope associated with this path scope
     * @param dependencyScopes the dependency scopes associated with this path scope
     * @return a new PathScope instance
     */

claim_name    (string)    JWT canned policy claim name, defaults to "policy"
claim_prefix  (string)    JWT claim namespace prefix e.g. "customer1/"
scopes        (csv)       Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"
comment       (sentence)  optionally add a comment to this setting
```

and ENV based options

```