How to create email and group scopes for a Vault OIDC identity provider with an LDAP upstream?


I have configured the Dex IdP with the LDAP connector, and it works fine with my clients (oauth2-proxy, Harbor, NetBird).

I’ve deployed Vault and am trying to use it as an OIDC IdP instead of Dex.
My clients use the “groups” and “email” claims, which is why I must create the “groups” and “email” scopes.

I’ve created three scopes and specified them in the provider I created (via Terraform):

resource "vault_identity_oidc_scope" "alias" {
  depends_on  = [vault_identity_oidc_key.vault]
  name        = "alias"
  # the template path after "aliases." appears truncated in the post
  template    = "{\"alias\":{{identity.entity.aliases.$}}}"
  description = "Vault OIDC Alias Scope"
}

resource "vault_identity_oidc_scope" "email" {
  depends_on  = [vault_identity_oidc_key.vault]
  name        = "email"
  # the template parameter between the braces was lost when the post was rendered
  template    = "{\"email\":{{}}}"
  description = "Vault OIDC Email Scope"
}

resource "vault_identity_oidc_scope" "groups" {
  depends_on  = [vault_identity_oidc_key.vault]
  name        = "groups"
  template    = "{\"groups\":{{identity.entity.groups.names}}}"
  description = "Vault OIDC Groups Scope"
}

resource "vault_identity_oidc_provider" "vault" {
  depends_on = [
    # dependency list elided in the original post
  ]
  name          = "vault"
  https_enabled = true
  issuer_host   = ""
  allowed_client_ids = [
    # client IDs elided in the original post
  ]
  scopes_supported = [
    # scope names elided in the original post
  ]
}

But when I parse the id_token (JWT) I see this:
"alias": "",
"email": "",
"groups": null

If I set the key/value pair email=<emailaddress> in /access/identity/entities/<id>/metadata, then email is present in the id_token and, for example, auth with oauth2-proxy works fine.

So, my question is: how do I get the LDAP email and groups attributes from the auto-created (after first login) entity and build the “email” and “groups” scopes from those attributes?

I’d appreciate any suggestions.
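As an added example (not part of the original post, and not Vault's or any client's code): the inspection step the post describes, decoding the id_token and checking which of the expected claims came back empty, written in Python. It reads the JWT payload without verifying the signature, so it is a debugging aid only and must never be used for an authorization decision; it does refuse alg=none so a hand-made unsigned token cannot be mistaken for something Vault issued. The two sample claim sets, the issuer URL and the entity id are constructed to mirror the post; the third token segment is a placeholder, not a real signature; and the expected JSON types for "email" (string) and "groups" (array) are an assumption about how oauth2-proxy, Harbor and NetBird parse them.

```python
import base64
import json

# Claims the relying parties in the question consume, keyed by the OIDC scope
# that is supposed to supply them. The expected JSON types are an assumption
# about how those clients parse the token, not something Vault enforces.
EXPECTED_CLAIMS = {
    "email": ("email", str),
    "groups": ("groups", list),
}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claim set of a compact JWS *without* verifying the signature.

    Inspection only: use it to see what Vault put in the token, never to make
    an authorization decision. Tokens with alg=none are rejected so a forged
    unsigned token cannot be mistaken for claims Vault issued.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("refusing token with alg=none")
    return json.loads(b64url_decode(parts[1]))


def check_claims(claims: dict, expected=EXPECTED_CLAIMS) -> dict:
    """Classify each expected claim as 'ok', 'missing', 'empty' or 'wrong_type'.

    'empty' covers the shapes seen in the question: "" from a template whose
    parameter resolved to nothing, null from an entity with no groups, and []
    from a group list that rendered but has no members.
    """
    report = {}
    for scope, (claim, expected_type) in expected.items():
        if claim not in claims:
            report[scope] = "missing"
        elif claims[claim] is None or claims[claim] in ("", []):
            report[scope] = "empty"
        elif not isinstance(claims[claim], expected_type):
            report[scope] = "wrong_type"
        else:
            report[scope] = "ok"
    return report


def build_sample_token(claims: dict) -> str:
    """Build a constructed compact token for offline testing.

    Header and payload are real base64url JSON; the third segment is a
    placeholder, not a signature, and decode_jwt_payload() never checks it.
    """
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-sample"}
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"


# Constructed sample: the claim set the question reports (issuer is hypothetical).
BROKEN_CLAIMS = {
    "iss": "https://vault.example.internal/v1/identity/oidc/provider/vault",
    "sub": "constructed-entity-id",
    "alias": "",
    "email": "",
    "groups": None,
}

# Constructed sample: what the token should look like once both scopes resolve.
GOOD_CLAIMS = {
    "iss": "https://vault.example.internal/v1/identity/oidc/provider/vault",
    "sub": "constructed-entity-id",
    "email": "alice@example.internal",
    "groups": ["ldap-admins", "ldap-developers"],
}


def inspect(token: str) -> dict:
    """Decode a token and return the per-scope claim report."""
    return check_claims(decode_jwt_payload(token))


if __name__ == "__main__":
    for label, claims in (("broken", BROKEN_CLAIMS), ("good", GOOD_CLAIMS)):
        print(label, inspect(build_sample_token(claims)))
```

To use it against a real token, paste the id_token string into inspect(); a report of "empty" for a scope means the scope template rendered but its parameter resolved to nothing on the entity, while "missing" means the scope was not requested or not listed in scopes_supported at all, which is a different fix.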