The id_token received is a signed JSON Web Token (JWT). Use a JWT decoder to decode the id_token to access the payload of the token that includes following JWT claims, `policy` claim is mandatory and should be present as part of your JWT claim. Without this claim the generated credentials will not have access to any resources on the server, using these credentials application would receive 'Access Denied' errors.

        sessionBuilder.setArtifactTypeRegistry(new TypeRegistryAdapter(typeRegistry)); // dynamic
        sessionBuilder.setCache(request.getRepositoryCache());

        // configProps map is kept "pristine", is written ONLY, the mandatory resolver config
        Map<String, Object> configProps = new LinkedHashMap<>();
        configProps.put(ConfigurationProperties.USER_AGENT, getUserAgent());

 * A {@code DependencyCoordinates} extends {@code ArtifactCoordinates} with additional information about how
 * the artifact will be used: type, scope and obligation (whether the dependency is optional or mandatory).
 * The version and the obligation may not be defined precisely.</p>
 *
 * <p>{@link org.apache.maven.api.Dependency} instances represent artifacts in the repository
 * that are dependencies of the project.

//     Agents to directly backup to object storage.
//
// An object storage system can implement one, multiple, or all functions.
//
//   - Optional (mandatory if <IAMSTS> is true): Set Endpoints for IAM and STS processing.
//
//   - Optional: Set server preferences for Backup & Replication parallel sessions, batch size of deletes, and block sizes (before

a bucket `bucket1` created on current MinIO instance will be accessible as `bucket1.domain.com`, and the DNS entry for
`bucket1.domain.com` will point to IP address set in `MINIO_PUBLIC_IPS`.

- This field is mandatory for standalone and erasure code MinIO server deployments, to enable federated mode.
- This field is optional for distributed deployments. If you don't set this field in a federated setup, we use the IP addresses of

      - "https://server4-pool1:9000/mnt/disk{1...4}/"
    set-drive-count: 4 # Advanced option, must be used under guidance from MinIO team.
```

### Things to know

- Fields such as `version` and `pools` are mandatory, however all other fields are optional.
- Each pool expects a minimum of 2 nodes per pool, and unique non-repeating hosts for each argument.

}

func (r Rule) validateNoncurrentExpiration() error {
	return r.NoncurrentVersionExpiration.Validate()
}

func (r Rule) validatePrefixAndFilter() error {
	// In the now deprecated PutBucketLifecycle API, Rule had a mandatory Prefix element and there existed no Filter field.
	// See https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html

    void testConstructorWithUnrecognizedField() throws IOException, GeneralSecurityException {
        // Test with an unrecognized field in the ticket
        // Note: In the actual implementation, field 99 would come after mandatory fields,
        // so decryption happens first. We test with a mocked successful decryption.
        byte[] token = createTestTicketBytes(new BigInteger(KerberosConstants.KERBEROS_VERSION), SERVER_REALM, SERVER_PRINCIPAL_NAME,

This change is not backward compatible for all setups. In particular, the native
Hashicorp Vault integration - which has been deprecated already - won't be
supported anymore. KES is now mandatory if a third-party KMS should be used.

Further, since the configuration data is encrypted with the KMS, the KMS
configuration itself can no longer be stored in the MinIO config file and

	// If claim user info is enabled, get claims from userInfo
	// and overwrite them with the claims from JWT.
	if ok && pCfg.ClaimUserinfo {
		if accessToken == "" {
			return errors.New("access_token is mandatory if user_info claim is enabled")
		}
		uclaims, err := pCfg.UserInfo(ctx, accessToken, r.transport)
		if err != nil {
			return err
		}
		for k, v := range uclaims {