if err != nil {
		return nil, err
	}

	claims[expClaim] = UTCNow().Add(expiryDur).Unix()
	claims[ldapUserN] = user
	claims[ldapUser] = lookupResult.NormDN

	cred, err := auth.GetNewCredentialsWithMetadata(claims, globalActiveCred.SecretKey)
	if err != nil {
		return nil, err
	}

	// Set the parent of the temporary access key, this is useful

ject"],"Resource":["arn:aws:s3:::*"]}]}} iam-assets/users.json {} iam-assets/groups.json {} iam-assets/svcaccts.json {"dillon-service-2":{"parent":"oCnAoSQFtdVQtKwrB73j","accessKey":"dillon-service-2","secretKey":"dillon-service-2","groups":null,"claims":{"accessKey":"dillon-service-2","at_hash":"LL4jvrkBRNQhOKiC83RL","aud":"minio-client-app","c_hash":"fjGB4ldChsaf9vSFdZ1P","email":"******@****.***","email_verified":true,"groups":["projecta","projectb"],"iat":1726558680,"iss":"http://127.0.0.1...

		_, ok := accessKey.Claims[subClaim]
		if !ok {
			continue // OpenID access keys must have a sub claim
		}
		if (!listSTSKeys && !accessKey.IsServiceAccount()) || (!listServiceAccounts && accessKey.IsServiceAccount()) {
			continue // skip if not the type we want
		}
		arn, ok := accessKey.Claims[roleArnClaim].(string)
		if !ok {
			if _, ok := accessKey.Claims[iamPolicyClaimNameOpenID()]; !ok {

Contributor. If that Commercial Contributor then makes performance
claims, or offers warranties related to Product X, those performance
claims and warranties are such Commercial Contributor's responsibility
alone. Under this section, the Commercial Contributor would have to
defend claims against the other Contributors related to those performance
claims and warranties, and if a court requires any other Contributor to

      "userid": [
        "minio"
      ],
      "username": [
        "minio"
      ],
      "versionid": [
        ""
      ]
    },
    "owner": true,
    "object": "",
    "claims": {},
    "denyOnly": false
  }
}
```

</details>

The response expected by MinIO, is a JSON body with a boolean:

```json
{
    "result": true
}
```

temporary credentials generated in the AssumeRoleWithWebIdentity call.

2. `id_token` claims: When the role policy is not configured, MinIO looks for a specific claim in the `id_token` (JWT) returned by the OpenID provider in the STS request. The default claim is `policy` and can be overridden by the `claim_name` configuration parameter or the `MINIO_IDENTITY_OPENID_CLAIM_NAME` environment variable. The claim value can be a string (comma-separated list) or an array of IAM access policy names defined...

		// In case of LDAP/OIDC we need to set `opts.claims` to ensure
		// it is associated with the LDAP/OIDC user properly.
		for k, v := range cred.Claims {
			if k == expClaim {
				continue
			}
			opts.claims[k] = v
		}
	} else if globalIAMSys.LDAPConfig.Enabled() {
		// In case of LDAP we need to resolve the targetUser to a DN and
		// query their groups:
		opts.claims[ldapUserN] = targetUser // simple username

		}

		// Finally, if there is no parent policy, check if a policy claim is
		// present in the session token.
		if len(policies) == 0 {
			// If there is no parent policy mapping, we fall back to
			// using policy claim from JWT.
			policySet, ok := args.GetPolicies(iamPolicyClaimNameOpenID())
			if !ok {
				// When claims are set, it should have a policy claim field.
				return false
			}

	Claims             map[string]interface{} `json:"claims"`
}

var tokens map[string]Resp = map[string]Resp{
	"aaa": {
		User:               "Alice",
		MaxValiditySeconds: 3600,
		Claims: map[string]interface{}{
			"groups": []string{"data-science"},
		},
	},
	"bbb": {
		User:               "Bart",
		MaxValiditySeconds: 3600,
		Claims: map[string]interface{}{

]}]}} iam-assets/users.json {} iam-assets/groups.json {} iam-assets/svcaccts.json {"bobfisher-svcacct-1":{"parent":"uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io","accessKey":"bobfisher-svcacct-1","secretKey":"bobfisher-svcacct-1","groups":null,"claims":{"accessKey":"bobfisher-svcacct-1","ldapActualUser":"uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io","ldapUser":"uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io","ldapUsername":"bobfisher","parent":"uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io"...