{{- else }}
              value: {{ .Values.oidc.clientSecret }}
            {{- end }}
            - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
              value: {{ .Values.oidc.claimName }}
            - name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
              value: {{ .Values.oidc.claimPrefix }}
            - name: MINIO_IDENTITY_OPENID_SCOPES
              value: {{ .Values.oidc.scopes }}

		}

		// Finally, if there is no parent policy, check if a policy claim is
		// present in the session token.
		if len(policies) == 0 {
			// If there is no parent policy mapping, we fall back to
			// using policy claim from JWT.
			policySet, ok := args.GetPolicies(iamPolicyClaimNameOpenID())
			if !ok {
				// When claims are set, it should have a policy claim field.
				return false
			}

Contributor must: a) promptly notify the Commercial Contributor in
writing of such claim, and b) allow the Commercial Contributor to control,
and cooperate with the Commercial Contributor in, the defense and any
related settlement negotiations. The Indemnified Contributor may
participate in any such claim at its own expense.

For example, a Contributor might include the Program in a commercial

// the i-th server in this will be applied the i-th policy in `rolePolicies`. If
// a rolePolicies entry is an empty string, that server will be configured as
// policy-claim based openid server. NOTE that a valid configuration can have a
// policy claim based provider only if it is the only OpenID provider.
func (s *TestSuiteIAM) SetUpOpenIDs(c *check, testApps []OpenIDClientAppParams, rolePolicies []string) error {

}} valueFrom: secretKeyRef: name: {{ .Values.oidc.existingClientSecret }} key: {{ .Values.oidc.existingClientSecret }} {{- else }} value: {{ .Values.oidc.clientSecret }} {{- end }} - name: MINIO_IDENTITY_OPENID_CLAIM_NAME value: {{ .Values.oidc.claimName }} - name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX value: {{ .Values.oidc.claimPrefix }} - name: MINIO_IDENTITY_OPENID_SCOPES value: {{ .Values.oidc.scopes }} - name: MINIO_IDENTITY_OPENID_COMMENT value: {{ .Values.oidc.comment }} - name: MINIO_IDENTIT...

## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
  enabled: true
  annotations: {}

  ## A manually managed Persistent Volume and Claim
  ## Requires persistence.enabled: true
  ## If defined, PVC must be created manually before volume will be bound
  existingClaim: ""

  ## minio data Persistent Volume Storage Class

                      description: This field specifies a list of operations to copy
                        the claim to HTTP headers on a successfully verified token.
                      items:
                        properties:
                          claim:
                            description: The name of the claim to be copied from.
                            type: string
                          header:

// or service credentials, mapped to all distinct roleARNs associated with the
// parent user. The dummy role ARN is associated with parent users from
// policy-claim based OpenID providers.
func (store *IAMStoreSys) GetAllParentUsers() map[string]ParentUserInfo {
	cache := store.rlock()
	defer store.runlock()

	res := map[string]ParentUserInfo{}

},"identity_openid":{"_":[{"key":"enable","value":""},{"key":"display_name","value":""},{"key":"config_url","value":""},{"key":"client_id","value":""},{"key":"client_secret","value":""},{"key":"claim_name","value":"policy"},{"key":"claim_userinfo","value":""},{"key":"role_policy","value":""},{"key":"claim_prefix","value":""},{"key":"redirect_uri","value":""},{"key":"redirect_uri_dynamic","value":"off"},{"key":"scopes","value":""},{"key":"vendor","value":""},{"key":"keycloak_realm","value":""},{"...

		return fmt.Errorf("STS credential could not be verified: %w", err)
	}

	mapClaims := claims.Map()
	expiry, err := auth.ExpToInt64(mapClaims["exp"])
	if err != nil {
		return fmt.Errorf("Expiry claim was not found: %v: %w", mapClaims, err)
	}

	cred := auth.Credentials{
		AccessKey:    stsCred.AccessKey,
		SecretKey:    stsCred.SecretKey,
		Expiration:   time.Unix(expiry, 0).UTC(),