var err error

			// Figure out correct claims type
			switch claims := data.claims.(type) {
			case *MapClaims:
				if data.tokenString == "" {
					data.tokenString = mapClaimsToken(claims)
				}
				err = ParseWithClaims(data.tokenString, &MapClaims{}, data.keyfunc)
			case *StandardClaims:
				if data.tokenString == "" {
					data.tokenString = standardClaimsToken(claims)
				}

	IsAmbient() bool
	IsInjected() bool
}

// Claim an existing namespace in all clusters, or create a new one if doesn't exist.
func Claim(ctx resource.Context, cfg Config) (i Instance, err error) {
	cfg.overwriteRevisionIfEmpty(ctx.Settings().Revisions.Default())
	return claimKube(ctx, cfg)
}

// ClaimOrFail calls Claim and fails test if it returns error

  - Save

- Go to Clients
  - Click on `account`
  - Mappers
  - Create
    - `Name` with any text
    - `Mapper Type` is `User Attribute`
    - `User Attribute` is `policy`
    - `Token Claim Name` is `policy`
    - `Claim JSON Type` is `string`
  - Save

client_id     (string)    unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"
claim_name    (string)    JWT canned policy claim name, defaults to "policy"
claim_prefix  (string)    JWT claim namespace prefix e.g. "customer1/"
scopes        (csv)       Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"

			t.Fatalf("%s: failed to parse token: %v", tc.name, err)
		}

		claims := map[string]any{}
		err = json.Unmarshal(token, &claims)
		if err != nil {
			t.Fatalf("%s: failed to parse payload: %v", tc.name, err)
		}

		for k, v := range tc.wantClaims {
			got, ok := claims[k]
			if ok {
				if !reflect.DeepEqual(got, v) {
					t.Errorf("%s: claim %q got value %v but want %v", tc.name, k, got, v)
				}
			} else {

			expectedAnnotations: []container.Annotation{{Name: "cdi.k8s.io/test-driver-name_test-claim-uid", Value: "vendor.com/class=device1"}},
		},
	}

	as := assert.New(t)
	for _, tc := range testCases {
		t.Run(tc.description, func(t *testing.T) {
			annotations, err := GenerateAnnotations("test-claim-uid", "test-driver-name", tc.deviceIDs)
			as.ErrorIs(err, tc.expecteError)

	// JWT specific values
	//
	// Add all string claims
	for k, v := range claims {
		vStr, ok := v.(string)
		if ok {
			// Trim any LDAP specific prefix
			args[strings.ToLower(strings.TrimPrefix(k, "ldap"))] = []string{vStr}
		}
	}

	// Add groups claim which could be a list. This will ensure that the claim
	// `jwt:groups` works.
	if grpsVal, ok := claims["groups"]; ok {

  "token_type": "Bearer",
  "expires_in": 3600
}
```

### 4. JWT Claims

The id_token received is a signed JSON Web Token (JWT). Use a JWT decoder to decode the id_token to access the payload of the token that includes following JWT claims:

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

# no request authentication applied on the gateway.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: foo
spec:
  hosts:
    - "foo.com"
  gateways:
    - foo-gateway
  http:
    - match:
        - uri:
            prefix: /
          headers:
            "@request.auth.claims.foo":
              exact: foo