Task 3 JWT Claims Structure
============================

Expected JWT structure for admin@test.com after authentication:

{
  "exp": <timestamp>,
  "iat": <timestamp>,
  "auth_time": <timestamp>,
  "jti": "<uuid>",
  "iss": "http://localhost:8080/realms/workclub",
  "aud": "workclub-app",
  "sub": "<user-uuid>",
  "typ": "Bearer",
  "azp": "workclub-app",
  "session_state": "<uuid>",
  "acr": "1",
  "scope": "openid profile email",
  "sid": "<uuid>",
  "email_verified": true,
  "clubs": {
    "club-1-uuid": "admin",
    "club-2-uuid": "member"
  },
  "name": "Admin User",
  "given_name": "Admin",
  "family_name": "User",
  "email": "admin@test.com"
}

CRITICAL VERIFICATION POINTS:

1. 'clubs' claim MUST be present
2. 'clubs' claim MUST be JSON object (not string)
3. Claim structure: {"<tenant-id>": "<role>"}
4. For admin@test.com:
   - Should have 2 entries (club-1-uuid and club-2-uuid)
   - club-1-uuid value should be "admin"
   - club-2-uuid value should be "member"

To verify after Docker startup:
  ./infra/keycloak/test-auth.sh
  cat .sisyphus/evidence/task-3-jwt-claims.txt