Roles are not automatically assigned based on bound_claims for Google OIDC auth #29744

Open
hmalinov opened this issue Feb 27, 2025 · 0 comments
Labels: auth/oidc, bug, ecosystem

Comments


hmalinov commented Feb 27, 2025

Describe the bug
For Vault with the Google OIDC provider, the bound_claims are not taken into account when setting roles based on the user's email.

To Reproduce
Vault configuration is as follows:

vault write auth/oidc/config \
    oidc_discovery_url="https://accounts.google.com" \
    oidc_client_id=$OIDC_CLIENT_ID \
    oidc_client_secret=$OIDC_CLIENT_SECRET \
    default_role="oidc-role"

vault write auth/oidc/role/oidc-role \
    allowed_redirect_uris=$VAULT_CALLBACK \
    allowed_redirect_uris="http://localhost:8250/oidc/callback" \
    bound_audiences=$OIDC_CLIENT_ID \
    user_claim="email" \
    oidc_scopes="openid email profile" \
    verbose_oidc_logging="true" \
    token_policies="super_root_access" \
    ttl=8h

vault write auth/oidc/role/hma -<<EOF
{
  "allowed_redirect_uris": ["$VAULT_CALLBACK", "http://localhost:8250/oidc/callback"],
  "bound_audiences": "$OIDC_CLIENT_ID",
  "user_claim": "email",
  "bound_claims": { "email": "[email protected]" },
  "verbose_oidc_logging": "true",
  "policies": "user_access",
  "oidc_scopes": ["openid", "email", "profile"]
}
EOF

The login works fine both on the CLI and in the UI; however, the default role is always applied.

token_renewable      true
token_policies       ["default" "super_root_access"]
identity_policies    []
policies             ["default" "super_root_access"]
token_meta_role      oidc-role

With vault token lookup I can see the email is passed correctly as well:

vault token lookup
Key                 Value
---                 -----
accessor            ....
creation_time       1740675746
creation_ttl        8h
display_name        [email protected]
explicit_max_ttl    0s
id                  hvs......
meta                map[role:oidc-role]
num_uses            0
orphan              true
path                auth/oidc/oidc/callback
policies            [default super_root_access]
renewable           true
ttl                 7h46m48s
type                service

The interesting part is that if a role is passed during the login, it works just fine.

 vault login -method=oidc role=hma

Key                  Value
---                  -----
token                hvs.......
token_accessor       .....
token_duration       768h
token_renewable      true
token_policies       ["default" "user_access"]
identity_policies    []
policies             ["default" "user_access"]
token_meta_email     [email protected]
token_meta_role      hma

Expected behavior
I would expect that based on the email, a role is assigned to the user automatically.

Environment:

  • Vault Server Version (retrieve with vault status): 1.18.4
  • Vault CLI Version (retrieve with vault version): v1.17.2
  • Server Operating System/Architecture: Google Cloud Run with a GCS bucket as a backend.

Vault server configuration file(s):

default_max_request_duration = "90s"
disable_clustering           = true
disable_mlock                = true
ui                           = true

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}

seal "gcpckms" {
  key_ring   = "vault-server-unseal2"
  crypto_key = "vaultseal"
  region     = "global"
}

storage "gcs" {
  ha_enabled = "false"
}

log_level = "Debug"

Additional context
There are additional OIDC auth methods configured for GitLab CI/CD and LDAP as well.

@heatherezell heatherezell added auth/oidc ecosystem bug Used to indicate a potential bug labels Feb 27, 2025