// Check if the access key is part of users credentials.
		u, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
		if !ok {
			return nil, nil, false, errInvalidAccessKeyID
		}
		ucred := u.Credentials
		// get embedded claims
		eclaims, s3Err := checkClaimsFromToken(req, ucred)
		if s3Err != ErrNone {
			return nil, nil, false, errAuthentication
		}

		maps.Copy(claims.MapClaims, eclaims)

**We recommend setting `policy` as a custom claim for the JWT service provider follow [here](https://docs.wso2.com/display/IS550/Configuring+Claims+for+a+Service+Provider) and [here](https://docs.wso2.com/display/IS550/Handling+Custom+Claims+with+the+JWT+Bearer+Grant+Type) for relevant docs on how to configure claims for a service provider.**

### 5. Setup MinIO with OpenID configuration URL

	// JWT specific values
	//
	// Add all string claims
	for k, v := range claims {
		vStr, ok := v.(string)
		if ok {
			// Trim any LDAP specific prefix
			args[strings.ToLower(strings.TrimPrefix(k, "ldap"))] = []string{vStr}
		}
	}

	// Add groups claim which could be a list. This will ensure that the claim
	// `jwt:groups` works.
	if grpsVal, ok := claims["groups"]; ok {
		if grpsIs, ok := grpsVal.([]any); ok {

		_, ok := accessKey.Claims[subClaim]
		if !ok {
			continue // OpenID access keys must have a sub claim
		}
		if (!listSTSKeys && !accessKey.IsServiceAccount()) || (!listServiceAccounts && accessKey.IsServiceAccount()) {
			continue // skip if not the type we want
		}
		arn, ok := accessKey.Claims[roleArnClaim].(string)
		if !ok {
			if _, ok := accessKey.Claims[iamPolicyClaimNameOpenID()]; !ok {

decode the id_token to access the payload of the token that includes following JWT claims, `policy` claim is mandatory and should be present as part of your JWT claim. Without this claim the generated credentials will not have access to any resources on the server, using these credentials application would receive 'Access Denied' errors.

| Claim Name | Type                                              | Claim Value                                                                           ...

transfer and otherwise run, modify and propagate the contents of this
implementation of Go, where such license applies only to those patent
claims, both currently owned or controlled by Google and acquired in
the future, licensable by Google that are necessarily infringed by this
implementation of Go.  This grant does not include claims that would be
infringed only as a consequence of further modification of this

func guessUserProvider(credentials auth.Credentials) string {
	if !credentials.IsServiceAccount() && !credentials.IsTemp() {
		return madmin.BuiltinProvider // regular users are always internal
	}

	claims := credentials.Claims
	if _, ok := claims[ldapUser]; ok {
		return madmin.LDAPProvider // ldap users
	}

	if _, ok := claims[subClaim]; ok {

import, and otherwise transfer the Work, where such license applies only to 
those patent claims licensable by such Contributor that are necessarily 
infringed by their Contribution(s) alone or by combination of their 
Contribution(s) with the Work to which such Contribution(s) was submitted. 
If You institute patent litigation against any entity (including a 
cross-claim or counterclaim in a lawsuit) alleging that the Work or a 

				return cred, false, ErrAccessKeyDisabled
			}
			return cred, false, ErrInvalidAccessKeyID
		}
		cred = u.Credentials
	}

	claims, s3Err := checkClaimsFromToken(r, cred)
	if s3Err != ErrNone {
		return cred, false, s3Err
	}
	cred.Claims = claims

	owner := cred.AccessKey == globalActiveCred.AccessKey || (cred.ParentUser == globalActiveCred.AccessKey && cred.AccessKey != siteReplicatorSvcAcc)

ject"],"Resource":["arn:aws:s3:::*"]}]}} iam-assets/users.json {} iam-assets/groups.json {} iam-assets/svcaccts.json {"dillon-service-2":{"parent":"oCnAoSQFtdVQtKwrB73j","accessKey":"dillon-service-2","secretKey":"dillon-service-2","groups":null,"claims":{"accessKey":"dillon-service-2","at_hash":"LL4jvrkBRNQhOKiC83RL","aud":"minio-client-app","c_hash":"fjGB4ldChsaf9vSFdZ1P","email":"******@****.***","email_verified":true,"groups":["projecta","projectb"],"iat":1726558680,"iss":"http://127.0.0.1...