return
	}

	claims[expClaim] = UTCNow().Add(duration).Unix()
	claims[parentClaim] = user.AccessKey

	tokenRevokeType := r.Form.Get(stsRevokeTokenType)
	if tokenRevokeType != "" {
		claims[tokenRevokeTypeClaim] = tokenRevokeType
	}

	// Validate that user.AccessKey's policies can be retrieved - it may not
	// be in case the user is disabled.

	if isTokenSelfRevoke && tokenRevokeType == "" && !fullRevoke {
		if cred.IsTemp() {
			tokenRevokeType, _ = cred.Claims[tokenRevokeTypeClaim].(string)
		}
		if tokenRevokeType == "" {
			writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrNoTokenRevokeType), r.URL)
			return
		}
	}

	err := globalIAMSys.RevokeTokens(ctx, user, tokenRevokeType)
	if err != nil {

// RevokeTokens - revokes all STS tokens, or those of specified type, for a user
// If `tokenRevokeType` is empty, all tokens are revoked.
func (sys *IAMSys) RevokeTokens(ctx context.Context, accessKey, tokenRevokeType string) error {
	if !sys.Initialized() {
		return errServerNotInitialized
	}

	return sys.store.RevokeTokens(ctx, accessKey, tokenRevokeType)
}

// DeleteUser - delete user (only for long-term users not STS users).

			continue
		}
		if tokenRevokeType != "" {
			claims, err := getClaimsFromTokenWithSecret(ui.Credentials.SessionToken, secret)
			if err != nil {
				continue // skip if token is invalid
			}
			// skip if token type is given and does not match
			if v, _ := claims.Lookup(tokenRevokeTypeClaim); v != tokenRevokeType {
				continue
			}
		}

		assumeRole := cr.STSAssumeRole{
			Client:      s.TestSuiteCommon.client,
			STSEndpoint: s.endPoint,
			Options: cr.STSAssumeRoleOptions{
				AccessKey:       accessKey,
				SecretKey:       secretKey,
				TokenRevokeType: tc.tokenType,
			},
		}

		value, err := assumeRole.Retrieve()
		if err != nil {
			c.Fatalf("err calling assumeRole: %v", err)
		}

		minioClient, err := minio.New(s.endpoint, &minio.Options{