pk.RLock()
	defer pk.RUnlock()
	return pk.pkMap[kid]
}

// PopulatePublicKey - populates a new publickey from the JWKS URL.
func (r *Config) PopulatePublicKey(arn arn.ARN) error {
	pCfg := r.arnProviderCfgsMap[arn]
	if pCfg.JWKS.URL == nil || pCfg.JWKS.URL.String() == "" {
		return nil
	}

	// Add client secret for the client ID for HMAC based signature.

}

// HasExistingObjectReplication returns true if any of the rule returns 'ExistingObjects' replication.
func (c Config) HasExistingObjectReplication(arn string) (hasARN, isEnabled bool) {
	for _, rule := range c.Rules {
		if rule.Destination.ARN == arn || c.RoleArn == arn {
			if !hasARN {
				hasARN = true
			}
			if rule.ExistingObjectReplication.Status == Enabled {
				return true, true
			}
		}
	}

			continue // skip if not the type we want
		}
		arn, ok := accessKey.Claims[roleArnClaim].(string)
		if !ok {
			if _, ok := accessKey.Claims[iamPolicyClaimNameOpenID()]; !ok {
				continue // skip if no roleArn and no policy claim
			}
			// claim-based provider is in the roleArnMap under dummy ARN
			arn = dummyRoleARN
		}
		matchingCfgName, ok := roleArnMap[arn]
		if !ok {

		tid         TargetID
		region      string
		expectedARN ARN
	}{
		{tid, "", ARN{TargetID: tid, region: ""}},
		{tid, "us-east-1", ARN{TargetID: tid, region: "us-east-1"}},
	}

	for i, testCase := range testCases {
		arn := testCase.tid.ToARN(testCase.region)

		if arn != testCase.expectedARN {
			t.Fatalf("test %v: ARN: expected: %v, got: %v", i+1, testCase.expectedARN, arn)
		}
	}
}

		tid         TargetID
		region      string
		expectedARN ARN
	}{
		{tid, "", ARN{TargetID: tid, region: ""}},
		{tid, "us-east-1", ARN{TargetID: tid, region: "us-east-1"}},
	}

	for i, testCase := range testCases {
		arn := testCase.tid.ToARN(testCase.region)

		if arn != testCase.expectedARN {
			t.Fatalf("test %v: ARN: expected: %v, got: %v", i+1, testCase.expectedARN, arn)
		}
	}
}

	ID   string
	Name string
}

// String - returns string representation.
func (tid TargetID) String() string {
	return tid.ID + ":" + tid.Name
}

// ToARN - converts to ARN.
func (tid TargetID) ToARN(region string) ARN {
	return ARN{TargetID: tid, region: region}
}

// MarshalJSON - encodes to JSON data.
func (tid TargetID) MarshalJSON() ([]byte, error) {
	return json.Marshal(tid.String())
}

	RedirectURIDynamic bool
	DiscoveryDoc       DiscoveryDoc
	ClientID           string
	ClientSecret       string
	RolePolicy         string
	UserReadableClaim  string
	UserIDClaim        string

	roleArn  arn.ARN
	provider provider.Provider
}

func newProviderCfgFromConfig(getCfgVal func(cfgName string) string) providerCfg {
	return providerCfg{
		DisplayName:        getCfgVal(DisplayName),

		config         *Config
		region         string
		expectedResult []ARN
	}{
		{config1, "eu-west-1", []ARN{{TargetID{"1", "webhook"}, "eu-west-1"}}},
		{config1, "", []ARN{{TargetID{"1", "webhook"}, ""}}},
		{config2, "us-east-1", []ARN{{TargetID{"1", "webhook"}, "us-east-1"}}},
		{config2, "", []ARN{{TargetID{"1", "webhook"}, ""}}},
		{config3, "us-east-1", []ARN{{TargetID{"1", "webhook"}, "us-east-1"}, {TargetID{"2", "amqp"}, "us-east-1"}}},

			rs.set(ri.Arn, ri.Size, 0, status, ri.OpType, ri.endpoint, ri.secure, ri.Err)
		}
	case replication.Completed:
		if ri.OpType.IsDataReplication() {
			rs.set(ri.Arn, ri.Size, ri.Duration, status, ri.OpType, ri.endpoint, ri.secure, ri.Err)
		}
	case replication.Failed:
		if ri.OpType.IsDataReplication() && prevStatus == replication.Pending {

			for i, queue := range config.QueueList {
				// Remove ARN not found queues, because we previously allowed
				// adding unexpected entries into the config.
				//
				// With newer config disallowing changing / turning off
				// notification targets without removing ARN in notification
				// configuration we won't see this problem anymore.
				if reflect.DeepEqual(queue.ARN, arnErr.ARN) && i < len(config.QueueList) {