writeErrorResponseJSON(ctx, w, APIErr, r.URL)
			return
		}

		// In case of LDAP/OIDC we need to set `opts.claims` to ensure
		// it is associated with the LDAP/OIDC user properly.
		for k, v := range cred.Claims {
			if k == expClaim {
				continue
			}
			opts.claims[k] = v
		}
	} else {
		// We still need to ensure that the target user is a valid LDAP user.
		//

			return nil, nil, false, errNoAuthToken
		}
		return nil, nil, false, err
	}
	claims := xjwt.NewMapClaims()
	if err := xjwt.ParseWithClaims(token, claims, func(claims *xjwt.MapClaims) ([]byte, error) {
		if claims.AccessKey != globalActiveCred.AccessKey {
			u, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
			if !ok {
				// Credentials will be invalid but for disabled

			if err != nil {
				return nil, err
			}
			claims := make(map[string]any)
			claims[expClaim] = UTCNow().Add(expiryDur).Unix()

			claims[ldapUser] = lookupResult.NormDN
			claims[ldapActualUser] = lookupResult.ActualDN
			claims[ldapUserN] = ctx.Sess.LoginUser()

			// Add LDAP attributes that were looked up into the claims.
			for attribKey, attribValue := range lookupResult.Attributes {

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tc, ok := r.Context().Value(mcontext.ContextTraceKey).(*mcontext.TraceCtxt)

		claims, groups, owner, authErr := metricsRequestAuthenticate(r)
		if authErr != nil || (claims != nil && !claims.VerifyIssuer("prometheus", true)) {
			if ok {
				tc.FuncName = "handler.MetricsAuth"
				tc.ResponseRecorder.LogErrBody = true
			}

				return cred, false, ErrAccessKeyDisabled
			}
			return cred, false, ErrInvalidAccessKeyID
		}
		cred = u.Credentials
	}

	claims, s3Err := checkClaimsFromToken(r, cred)
	if s3Err != ErrNone {
		return cred, false, s3Err
	}
	cred.Claims = claims

	owner := cred.AccessKey == globalActiveCred.AccessKey || (cred.ParentUser == globalActiveCred.AccessKey && cred.AccessKey != siteReplicatorSvcAcc)

	Claims             map[string]interface{} `json:"claims"`
}

var tokens map[string]Resp = map[string]Resp{
	"aaa": {
		User:               "Alice",
		MaxValiditySeconds: 3600,
		Claims: map[string]interface{}{
			"groups": []string{"data-science"},
		},
	},
	"bbb": {
		User:               "Bart",
		MaxValiditySeconds: 3600,
		Claims: map[string]interface{}{

     */
    int CLIENT_UPN_TYPE = 0xC;
    /**
     * Buffer type for client claims information.
     */
    int CLIENT_CLAIMS_TYPE = 0xD;
    /**
     * Buffer type for device information.
     */
    int DEVICE_INFO_TYPE = 0xE;
    /**
     * Buffer type for device claims information.
     */
    int DEVICE_CLAIMS_TYPE = 0xF;

    /**
     * Flag for extra SIDs in logon information.

		// In case of LDAP/OIDC we need to set `opts.claims` to ensure
		// it is associated with the LDAP/OIDC user properly.
		for k, v := range cred.Claims {
			if k == expClaim {
				continue
			}
			opts.claims[k] = v
		}
	} else if globalIAMSys.LDAPConfig.Enabled() {
		// In case of LDAP we need to resolve the targetUser to a DN and
		// query their groups:
		opts.claims[ldapUserN] = targetUser // simple username

]}]}} iam-assets/users.json {} iam-assets/groups.json {} iam-assets/svcaccts.json {"bobfisher-svcacct-1":{"parent":"uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io","accessKey":"bobfisher-svcacct-1","secretKey":"bobfisher-svcacct-1","groups":null,"claims":{"accessKey":"bobfisher-svcacct-1","ldapActualUser":"uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io","ldapUser":"uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io","ldapUsername":"bobfisher","parent":"uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io"...

| maxValiditySeconds | integer (>= 900 seconds and < 365 days) | Maximum allowed expiry duration for the credentials    |
| claims             | key-value pairs                         | Claims to be associated with the requested credentials |

The keys "exp", "parent" and "sub" in the `claims` object are reserved and if present are ignored by MinIO.