// and overwrite them with the claims from JWT.
	if ok && pCfg.ClaimUserinfo {
		if accessToken == "" {
			return errors.New("access_token is mandatory if user_info claim is enabled")
		}
		uclaims, err := pCfg.UserInfo(ctx, accessToken, r.transport)
		if err != nil {
			return err
		}
		for k, v := range uclaims {
			if _, ok := claims[k]; !ok { // only add to claims not update it.

func authenticateNode(accessKey, secretKey, audience string) (string, error) {
	claims := xjwt.NewStandardClaims()
	claims.SetExpiry(UTCNow().Add(defaultInterNodeJWTExpiry))
	claims.SetAccessKey(accessKey)
	claims.SetAudience(audience)

	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
	return jwt.SignedString([]byte(secretKey))
}

// Check if the request is authenticated.

	if err != nil {
		return nil, err
	}
	dec := json.NewDecoder(bytes.NewBuffer(claimBytes))

	claims := make(map[string]any)
	if err := dec.Decode(&claims); err != nil {
		return nil, fmt.Errorf("failed to decode the JWT claims")
	}
	return claims, nil
}

func DecodeJwtPart(seg string) ([]byte, error) {
	if l := len(seg) % 4; l > 0 {
		seg += strings.Repeat("=", 4-l)
	}

	// JWT specific values
	//
	// Add all string claims
	for k, v := range claims {
		vStr, ok := v.(string)
		if ok {
			// Trim any LDAP specific prefix
			args[strings.ToLower(strings.TrimPrefix(k, "ldap"))] = []string{vStr}
		}
	}

	// Add groups claim which could be a list. This will ensure that the claim
	// `jwt:groups` works.
	if grpsVal, ok := claims["groups"]; ok {

		{time.Duration(3) * time.Minute, "900", false},
	}

	for _, testCase := range testCases {
		testCase := testCase
		t.Run("", func(t *testing.T) {
			claims := map[string]interface{}{}
			claims["exp"] = testCase.exp
			err := updateClaimsExpiry(testCase.dsecs, claims)
			if err != nil && !testCase.expectedFailure {
				t.Errorf("Expected success, got failure %s", err)
			}
			if err == nil && testCase.expectedFailure {

		"65xiNg"

	// oneAudString includes one `aud` claim "abc" of type string.
	oneAudString = "header.eyJhdWQiOiJhYmMiLCJleHAiOjQ3MzI5OTQ4MDEsImlhdCI6MTU3OTM5NDgwMSwiaXNzIjoidGVzdC1pc3N1ZXItMUBpc3Rpby5pbyIsInN1YiI6InN1Yi0xIn0.signature" // nolint: lll

	// twoAudList includes two `aud` claims ["abc", "xyz"] of type []string.

			if err != nil {
				t.Error(err)
				return
			}

			req := &drapbv1alpha3.NodePrepareResourcesRequest{
				Claims: []*drapbv1alpha3.Claim{
					{
						Namespace:      "dummy-namespace",
						Uid:            "dummy-uid",
						Name:           "dummy-claim",
						ResourceHandle: "dummy-resource",
					},
				},
			}
			client.NodePrepareResources(context.TODO(), req)

				&ClaimMappingExpression{
					Expression: "claims.foo",
				},
			},
			wantErr: `compilation failed: ERROR: <input>:1:1: undeclared reference to 'claims' (in container '')`,
		},
		{
			name: "ExtraMappingCondition with wrong env",
			expressionAccessors: []ExpressionAccessor{
				&ExtraMappingExpression{
					Expression: "claims.foo",
				},
			},

    when:
    - key: request.auth.claims[nested][key1]
      values: ["valueB"]
  - to:
    - operation:
        paths: ["/nested-non-exist"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[nested][non-exist]
      values: ["valueC"]
  - to:
    - operation:
        paths: ["/nested-key2"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[nested][key2]
      values: ["valueC"]

	Claims             map[string]interface{} `json:"claims"`
}

var tokens map[string]Resp = map[string]Resp{
	"aaa": {
		User:               "Alice",
		MaxValiditySeconds: 3600,
		Claims: map[string]interface{}{
			"groups": []string{"data-science"},
		},
	},
	"bbb": {
		User:               "Bart",
		MaxValiditySeconds: 3600,
		Claims: map[string]interface{}{