Type:    "openid",
				Name:    cfg,
				Enabled: false,
			})
		} else {
			var roleARN string
			if pcfg.RolePolicy != "" {
				roleARN = pcfg.roleArn.String()
			}
			res = append(res, madmin.IDPListItem{
				Type:    "openid",
				Name:    cfg,
				Enabled: r.Enabled,
				RoleARN: roleARN,
			})
		}
	}

	return res, nil
}

// Enabled returns if configURL is enabled.

			// If there *is* a claim-based provider configured, then
			// treat an unrecognized roleArn the same as no roleArn
			// at all.  This is to support clients like the AWS SDKs
			// or CLI that will not allow an AssumeRoleWithWebIdentity
			// call without a RoleARN parameter - for these cases the
			// user can supply a dummy ARN, which Minio will ignore.
			roleArn = openid.DummyRoleARN
			isRolePolicyProvider = false
		}
	}

// of claims.
func (o *AuthNPlugin) Authenticate(roleArn arn.ARN, token string) (AuthNResponse, error) {
	if o == nil {
		return AuthNResponse{}, nil
	}

	if roleArn != o.args.RoleARN {
		return AuthNResponse{}, fmt.Errorf("Invalid role ARN value: %s", roleArn.String())
	}

	u := url.URL(*o.args.URL)
	q := u.Query()
	q.Set("token", token)

	}
}

func getOpenIDCfgNameFromClaims(claims map[string]any) (string, bool) {
	roleArn := claims[roleArnClaim]

	s := globalServerConfig.Clone()
	configs, err := globalIAMSys.OpenIDConfig.GetConfigList(s)
	if err != nil {
		return "", false
	}
	for _, cfg := range configs {
		if cfg.RoleARN == roleArn {
			return cfg.Name, true
		}
	}
	return "", false
}

func (sys *IAMSys) GetRolePolicy(arnStr string) (arn.ARN, string, error) {
	roleArn, err := arn.Parse(arnStr)
	if err != nil {
		return arn.ARN{}, "", fmt.Errorf("RoleARN parse err: %v", err)
	}
	rolePolicy, ok := sys.rolesMap[roleArn]
	if !ok {
		return arn.ARN{}, "", fmt.Errorf("RoleARN %s is not defined.", arnStr)
	}
	return roleArn, rolePolicy, nil
}

	RedirectURIDynamic bool
	DiscoveryDoc       DiscoveryDoc
	ClientID           string
	ClientSecret       string
	RolePolicy         string
	UserReadableClaim  string
	UserIDClaim        string

	roleArn  arn.ARN
	provider provider.Provider
}

func newProviderCfgFromConfig(getCfgVal func(cfgName string) string) providerCfg {
	return providerCfg{
		DisplayName:        getCfgVal(DisplayName),

		return
	}
	for _, config := range configs {
		if !allConfigs && cfgName != config.Name {
			continue
		}
		arn := dummyRoleARN
		if config.RoleARN != "" {
			arn = config.RoleARN
		}
		roleArnMap[arn] = config.Name
		newResp := make(map[string]madmin.OpenIDUserAccessKeys)
		cfgToUsersMap[config.Name] = newResp
	}
	if len(roleArnMap) == 0 {

	userDefined := cloneMSS(oi.UserDefined)
	if rcfg.Config != nil && rcfg.Config.RoleArn != "" {
		// For backward compatibility of objects pending/failed replication.
		// Save replication related statuses in the new internal representation for
		// compatible behavior.
		if !oi.ReplicationStatus.Empty() {
			oi.ReplicationStatusInternal = fmt.Sprintf("%s=%s;", rcfg.Config.RoleArn, oi.ReplicationStatus)
		}
		if !oi.VersionPurgeStatus.Empty() {

		Client:      s.TestSuiteCommon.client,
		STSEndpoint: s.endPoint,
		GetWebIDTokenExpiry: func() (*cr.WebIdentityToken, error) {
			return &cr.WebIdentityToken{
				Token: token,
			}, nil
		},
		RoleARN: roleARN,
	}

	value, err := webID.Retrieve()
	if err != nil {
		c.Fatalf("Expected to generate STS creds, got err: %#v", err)
	}
	// fmt.Printf("value: %#v\n", value)

		if err == nil && rcfg != nil {
			for _, tgtArn := range rcfg.FilterTargetArns(replication.ObjectOpts{OpType: replication.AllReplicationType}) {
				if err == nil && (tgtArn == arnStr || rcfg.RoleArn == arnStr) {
					sys.RLock()
					_, ok := sys.arnRemotesMap[arnStr]
					sys.RUnlock()
					if ok {
						return BucketRemoteRemoveDisallowed{Bucket: bucket}
					}
				}
			}
		}
	}