final String jwtClaim = new String(decodeBase64(jwt[1]), Constants.UTF_8_CHARSET);
            final String jwtSigniture = new String(decodeBase64(jwt[2]), Constants.UTF_8_CHARSET);

            if (logger.isDebugEnabled()) {
                logger.debug("jwtHeader: {}", jwtHeader);
                logger.debug("jwtClaim: {}", jwtClaim);
                logger.debug("jwtSigniture: {}", jwtSigniture);

        final Map<String, Object> attributes = new HashMap<>();
        String jwtClaim =
                "{\"email\":\"******@****.***\",\"sub\":\"1234567890\",\"name\":\"John Doe\",\"groups\":[\"group1\",\"group2\"]}";

        // Execute
        authenticator.parseJwtClaim(jwtClaim, attributes);

        // Verify
        assertEquals("1234567890", attributes.get("sub"));

			// parentUser by extracting JWT claims
			var (
				jwtClaims *jwt.MapClaims
				err       error
			)

			if cred.SessionToken == "" {
				continue
			}

			if cred.IsServiceAccount() {
				jwtClaims, err = auth.ExtractClaims(cred.SessionToken, cred.SecretKey)
				if err != nil {
					jwtClaims, err = auth.ExtractClaims(cred.SessionToken, globalActiveCred.SecretKey)
				}

		deleteKeyEtcd(ctx, ies.client, getMappedPolicyPath(user, userType, false))
		return nil
	}
	if u.Credentials.AccessKey == "" {
		u.Credentials.AccessKey = user
	}
	if u.Credentials.SessionToken != "" {
		jwtClaims, err := extractJWTClaims(u)
		if err != nil {
			if u.Credentials.IsTemp() {
				// We should delete such that the client can re-request
				// for the expiring credentials.

}

// Fetch claims in the security token returned by the client.
func getClaimsFromToken(token string) (map[string]any, error) {
	jwtClaims, err := getClaimsFromTokenWithSecret(token, globalActiveCred.SecretKey)
	if err != nil {
		return nil, err
	}
	return jwtClaims.Map(), nil
}

// Fetch claims in the security token returned by the client and validate the token.

		return u, errNoSuchUser
	}

	if u.Credentials.AccessKey == "" {
		u.Credentials.AccessKey = user
	}

	if u.Credentials.SessionToken != "" {
		jwtClaims, err := extractJWTClaims(u)
		if err != nil {
			if u.Credentials.IsTemp() {
				// We should delete such that the client can re-request
				// for the expiring credentials.

}

func (c *iamCache) updateUserWithClaims(key string, u UserIdentity) error {
	if u.Credentials.SessionToken != "" {
		jwtClaims, err := extractJWTClaims(u)
		if err != nil {
			return err
		}
		u.Credentials.Claims = jwtClaims.Map()
	}
	if u.Credentials.IsTemp() && !u.Credentials.IsServiceAccount() {
		c.iamSTSAccountsMap[key] = u
	} else {
		c.iamUsersMap[key] = u
	}

            if (claimsSet == null) {
                throw new SsoLoginException("could not validate nonce");
            }

            final String nonce = (String) claimsSet.getClaim("nonce");
            if (logger.isDebugEnabled()) {
                logger.debug("nonce: {}", nonce);
            }
            if (StringUtils.isEmpty(nonce) || !nonce.equals(stateData.getNonce())) {