// Check if the access key is part of users credentials.
		u, ok := globalIAMSys.GetUser(req.Context(), claims.AccessKey)
		if !ok {
			return nil, nil, false, errInvalidAccessKeyID
		}
		ucred := u.Credentials
		// get embedded claims
		eclaims, s3Err := checkClaimsFromToken(req, ucred)
		if s3Err != ErrNone {
			return nil, nil, false, errAuthentication
		}

		for k, v := range eclaims {

	// and overwrite them with the claims from JWT.
	if ok && pCfg.ClaimUserinfo {
		if accessToken == "" {
			return errors.New("access_token is mandatory if user_info claim is enabled")
		}
		uclaims, err := pCfg.UserInfo(ctx, accessToken, r.transport)
		if err != nil {
			return err
		}
		for k, v := range uclaims {
			if _, ok := claims[k]; !ok { // only add to claims not update it.

			var err error

			// Figure out correct claims type
			switch claims := data.claims.(type) {
			case *MapClaims:
				if data.tokenString == "" {
					data.tokenString = mapClaimsToken(claims)
				}
				err = ParseWithClaims(data.tokenString, &MapClaims{}, data.keyfunc)
			case *StandardClaims:
				if data.tokenString == "" {
					data.tokenString = standardClaimsToken(claims)
				}

	// metadata map
	claims[expClaim] = UTCNow().Add(time.Duration(expiry) * time.Second).Unix()
	claims[subClaim] = parentUser
	claims[roleArnClaim] = roleArn.String()
	claims[parentClaim] = parentUser

	// Add all other claims from the plugin **without** replacing any
	// existing claims.
	for k, v := range res.Success.Claims {
		if _, ok := claims[k]; !ok {
			claims[k] = v
		}
	}

	// JWT specific values
	//
	// Add all string claims
	for k, v := range claims {
		vStr, ok := v.(string)
		if ok {
			// Trim any LDAP specific prefix
			args[strings.ToLower(strings.TrimPrefix(k, "ldap"))] = []string{vStr}
		}
	}

	// Add groups claim which could be a list. This will ensure that the claim
	// `jwt:groups` works.
	if grpsVal, ok := claims["groups"]; ok {

**We recommend setting `policy` as a custom claim for the JWT service provider follow [here](https://docs.wso2.com/display/IS550/Configuring+Claims+for+a+Service+Provider) and [here](https://docs.wso2.com/display/IS550/Handling+Custom+Claims+with+the+JWT+Bearer+Grant+Type) for relevant docs on how to configure claims for a service provider.**

### 5. Setup MinIO with OpenID configuration URL

Contributor. If that Commercial Contributor then makes performance
claims, or offers warranties related to Product X, those performance
claims and warranties are such Commercial Contributor's responsibility
alone. Under this section, the Commercial Contributor would have to
defend claims against the other Contributors related to those performance
claims and warranties, and if a court requires any other Contributor to

		{time.Duration(3) * time.Minute, "900", false},
	}

	for _, testCase := range testCases {
		testCase := testCase
		t.Run("", func(t *testing.T) {
			claims := map[string]interface{}{}
			claims["exp"] = testCase.exp
			err := updateClaimsExpiry(testCase.dsecs, claims)
			if err != nil && !testCase.expectedFailure {
				t.Errorf("Expected success, got failure %s", err)
			}
			if err == nil && testCase.expectedFailure {

decode the id_token to access the payload of the token that includes following JWT claims, `policy` claim is mandatory and should be present as part of your JWT claim. Without this claim the generated credentials will not have access to any resources on the server, using these credentials application would receive 'Access Denied' errors.

| Claim Name | Type                                              | Claim Value                                                                           ...

     b. any new file in Source Code Form that contains any Covered Software.

1.11. “Patent Claims” of a Contributor

      means any patent claim(s), including without limitation, method, process,
      and apparatus claims, in any patent Licensable by such Contributor that
      would be infringed, but for the grant of the License, by the making,