// the roleARNs to check if the user still exists. If they don't
		// we can safely remove credentials for this parent user
		// associated with any of the provider configurations.
		//
		// If there is no roleARN mapped to the user, the user may be
		// coming from a policy claim based openid provider.
		roleArns := puInfo.roleArns.ToSlice()
		var roleArn string
		if len(roleArns) == 0 {

			subClaimValue = v
		}

		roleArn := openid.DummyRoleARN.String()
		s, ok := claims.Lookup(roleArnClaim)
		if ok {
			roleArn = s
		}
		v, ok := res[cred.ParentUser]
		if ok {
			res[cred.ParentUser] = ParentUserInfo{
				subClaimValue: subClaimValue,
				roleArns:      v.roleArns.Union(set.CreateStringSet(roleArn)),
			}
		} else {

			legacyArn = true
		}
		if c.RoleArn == "" && !r.Destination.TargetArn() {
			return errDestinationArnMissing
		}
	}
	// disallow combining old replication configuration which used RoleArn as target ARN with multiple
	// destination replication
	if c.RoleArn != "" && len(targetMap) > 1 {
		return errRoleArnPresentForMultipleTargets
	}
	// validate RoleArn if destination used legacy ARN format.

				Type:    "openid",
				Name:    cfg,
				Enabled: false,
			})
		} else {
			var roleARN string
			if pcfg.RolePolicy != "" {
				roleARN = pcfg.roleArn.String()
			}
			res = append(res, madmin.IDPListItem{
				Type:    "openid",
				Name:    cfg,
				Enabled: r.Enabled,
				RoleARN: roleARN,
			})
		}
	}

	return res, nil
}

// Enabled returns if configURL is enabled.

	flag.StringVar(&token, "t", "", "Token to use with AssumeRoleWithCustomToken STS API (required)")
	flag.StringVar(&roleArn, "r", "", "RoleARN to use with the request (required)")
	flag.BoolVar(&displayCreds, "d", false, "Only show generated credentials")
	flag.DurationVar(&expiryDuration, "e", 0, "Request a duration of validity for the generated credential")

	if err != nil {
		log.Fatalf("Failed to generate OIDC token: %v", err)
	}

	roleARN := os.Getenv("ROLE_ARN")
	webID := cr.STSWebIdentity{
		Client:      &http.Client{},
		STSEndpoint: endpoint,
		GetWebIDTokenExpiry: func() (*cr.WebIdentityToken, error) {
			return &cr.WebIdentityToken{
				Token: oidcToken,
			}, nil
		},
		RoleARN: roleARN,
	}

	value, err := webID.Retrieve()
	if err != nil {

			// If there *is* a claim-based provider configured, then
			// treat an unrecognized roleArn the same as no roleArn
			// at all.  This is to support clients like the AWS SDKs
			// or CLI that will not allow an AssumeRoleWithWebIdentity
			// call without a RoleARN parameter - for these cases the
			// user can supply a dummy ARN, which Minio will ignore.
			roleArn = openid.DummyRoleARN
			isRolePolicyProvider = false
		}
	}

// of claims.
func (o *AuthNPlugin) Authenticate(roleArn arn.ARN, token string) (AuthNResponse, error) {
	if o == nil {
		return AuthNResponse{}, nil
	}

	if roleArn != o.args.RoleARN {
		return AuthNResponse{}, fmt.Errorf("Invalid role ARN value: %s", roleArn.String())
	}

	u := url.URL(*o.args.URL)
	q := u.Query()
	q.Set("token", token)

	}
}

func getOpenIDCfgNameFromClaims(claims map[string]any) (string, bool) {
	roleArn := claims[roleArnClaim]

	s := globalServerConfig.Clone()
	configs, err := globalIAMSys.OpenIDConfig.GetConfigList(s)
	if err != nil {
		return "", false
	}
	for _, cfg := range configs {
		if cfg.RoleARN == roleArn {
			return cfg.Name, true
		}
	}
	return "", false
}

| Version         | String  | Yes      | Value must be `2011-06-15`                                           |
| Token           | String  | Yes      | Token to be authenticated by identity plugin                         |
| RoleArn         | String  | Yes      | Must match the Role ARN generated for the identity plugin            |
| DurationSeconds | Integer | No       | Duration of validity of generated credentials. Must be at least 900. |