// If there *is* a claim-based provider configured, then
			// treat an unrecognized roleArn the same as no roleArn
			// at all.  This is to support clients like the AWS SDKs
			// or CLI that will not allow an AssumeRoleWithWebIdentity
			// call without a RoleARN parameter - for these cases the
			// user can supply a dummy ARN, which Minio will ignore.
			roleArn = openid.DummyRoleARN
			isRolePolicyProvider = false
		}
	}

// of claims.
func (o *AuthNPlugin) Authenticate(roleArn arn.ARN, token string) (AuthNResponse, error) {
	if o == nil {
		return AuthNResponse{}, nil
	}

	if roleArn != o.args.RoleARN {
		return AuthNResponse{}, fmt.Errorf("Invalid role ARN value: %s", roleArn.String())
	}

	u := url.URL(*o.args.URL)
	q := u.Query()
	q.Set("token", token)

	}
}

func getOpenIDCfgNameFromClaims(claims map[string]any) (string, bool) {
	roleArn := claims[roleArnClaim]

	s := globalServerConfig.Clone()
	configs, err := globalIAMSys.OpenIDConfig.GetConfigList(s)
	if err != nil {
		return "", false
	}
	for _, cfg := range configs {
		if cfg.RoleARN == roleArn {
			return cfg.Name, true
		}
	}
	return "", false
}

func (sys *IAMSys) GetRolePolicy(arnStr string) (arn.ARN, string, error) {
	roleArn, err := arn.Parse(arnStr)
	if err != nil {
		return arn.ARN{}, "", fmt.Errorf("RoleARN parse err: %v", err)
	}
	rolePolicy, ok := sys.rolesMap[roleArn]
	if !ok {
		return arn.ARN{}, "", fmt.Errorf("RoleARN %s is not defined.", arnStr)
	}
	return roleArn, rolePolicy, nil
}

h":"fjGB4ldChsaf9vSFdZ1P","email":"******@****.***","email_verified":true,"groups":["projecta","projectb"],"iat":1726558680,"iss":"http://127.0.0.1:5556/dex","name":"Dillon Harper","parent":"oCnAoSQFtdVQtKwrB73j","preferred_username":"dillon","roleArn":"arn:minio:iam:::role/nOybJqMNzNmroqEKq5D0","sa-policy":"inherited-policy","sub":"Cit1aWQ9ZGlsbG9uLG91"},"sessionPolicy":null,"status":"on","name":"","description":"","expiration":"1970-01-01T00:00:00Z"},"dillon-svcacct-1":{"parent":"oCnAoSQFtdV...

defined in the server. In this situation, the server prints a role ARN at startup that must be specified as a `RoleArn` API request parameter in the STS AssumeRoleWithWebIdentity API call. When using Role Policies, multiple OpenID providers and/or client applications (with unique client IDs) may be configured with independent role policies. Each configuration is assigned a unique RoleARN by the MinIO server and this is used to select the policies to apply to temporary credentials generated in the...

	RedirectURIDynamic bool
	DiscoveryDoc       DiscoveryDoc
	ClientID           string
	ClientSecret       string
	RolePolicy         string
	UserReadableClaim  string
	UserIDClaim        string

	roleArn  arn.ARN
	provider provider.Provider
}

func newProviderCfgFromConfig(getCfgVal func(cfgName string) string) providerCfg {
	return providerCfg{
		DisplayName:        getCfgVal(DisplayName),

		return
	}
	for _, config := range configs {
		if !allConfigs && cfgName != config.Name {
			continue
		}
		arn := dummyRoleARN
		if config.RoleARN != "" {
			arn = config.RoleARN
		}
		roleArnMap[arn] = config.Name
		newResp := make(map[string]madmin.OpenIDUserAccessKeys)
		cfgToUsersMap[config.Name] = newResp
	}
	if len(roleArnMap) == 0 {

		}
		s3WebIdentityIAM := credentials.IAM{
			Client: &http.Client{
				Transport: NewHTTPTransport(),
			},
			EKSIdentity: struct {
				TokenFile       string
				RoleARN         string
				RoleSessionName string
			}{
				conf.AWSRoleWebIdentityTokenFile,
				conf.AWSRoleARN,
				sessionName,
			},
		}
		creds = credentials.New(&s3WebIdentityIAM)

		Client:      s.TestSuiteCommon.client,
		STSEndpoint: s.endPoint,
		GetWebIDTokenExpiry: func() (*cr.WebIdentityToken, error) {
			return &cr.WebIdentityToken{
				Token: token,
			}, nil
		},
		RoleARN: roleARN,
	}

	value, err := webID.Retrieve()
	if err != nil {
		c.Fatalf("Expected to generate STS creds, got err: %#v", err)
	}
	// fmt.Printf("value: %#v\n", value)