# Claim envelope a Keycloak (heavy mode) deployment emits for an
# authenticated human user with MFA. Demonstrates the full set of
# variations flex-auth must normalize: roles in realm_access AND
# resource_access, scope as space-separated string, multiple audiences,
# enriched assurance via amr=otp.
#
# Reference: docs/iam-profile-consumption.md §"Tolerated Variations".
iss: https://sso.netkingdom.example/realms/netkingdom
sub: f1c4f64e-2c0c-4cda-8c9f-9f3f8f3a2b0e
aud:
  - flex-auth
  - markitect-tool
exp: 4102444800
iat: 1767225600
auth_time: 1767225590
azp: markitect-cli
preferred_username: ada
email: ada@netkingdom.example
email_verified: true
name: Ada Lovelace
given_name: Ada
family_name: Lovelace
scope: openid profile email hub:read hub:write hub:capability
realm_access:
  roles:
    - default-roles-netkingdom
    - operator
resource_access:
  flex-auth:
    roles:
      - reader
  markitect-tool:
    roles:
      - editor
groups:
  - /platform/architecture
  - /markitect/readers
amr:
  - pwd
  - otp
acr: "2"
sid: 4c0a3a8a-3a47-4f2f-8e89-9e5f9b0a0a0a