Not removed from external groups when removed from IDP groups


We use HashiCorp Vault with OIDC authentication method paired with our ID provider. The JWT returned by the provider contains a group claim like “groups: [A, B, C]”.

We use the “groups_claims: groups” on a default OIDC role to map our provider groups to Vault external group aliases.

The authentication is working fine and the connected users get policies associated with the proper external groups.

Unfortunately, it seems that when removing a user from one of the ID provider groups (e.g., removing user “Foo” from group A so that his groups are only B and C), the dissociation is not performed on HashiCorp Vault. Even after logging out and logging in again, the user still gets the policies associated with external groups [A, B, C].

I was expecting the user not to be in external group A anymore, as he has been dissociated on the ID provider.

Can anyone confirm that a dissociation on the ID provider should be propagated to Vault automatically (after a log out/log in at least)? Is there any cache or expiration before it is done in Vault? Does the dissociation need to be handled manually in Vault somehow?

Thanks for the help
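One way to confirm whether the situation described in the question is a propagation problem or a mapping problem is to compare, for one entity, the groups claim the IdP actually sends with the external groups Vault still lists the entity in. The script below is an added example and not code from the original post or from HashiCorp; the entity and group records are constructed to look like the fields returned by `vault read identity/entity/id/<id>` and `vault read identity/group/id/<id>`, the mount accessor is a placeholder, and the token is an unsigned, constructed JWT whose payload is decoded for inspection only (no signature verification is attempted). The check's premise is the behaviour the question expects: the entity should belong exactly to the external groups of this OIDC mount whose alias name matches a value in the claim, so any extra membership is reported as stale.

```python
import base64
import json

# ---- Constructed sample data (not from the original post) -------------------

def _b64url(obj: dict) -> str:
    """base64url-encode a JSON object without padding (JWT segment format)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed token: header.payload.signature. Only the payload is read below;
# the signature is a dummy string, so nothing here establishes trust in it.
SAMPLE_JWT = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "foo", "groups": ["B", "C"]}),   # user removed from A at the IdP
    "constructed-signature",
])

MOUNT_ACCESSOR = "auth_oidc_PLACEHOLDER"   # placeholder for the OIDC mount accessor

# Constructed snapshot of Vault groups, shaped like identity/group/id/<id> output.
VAULT_GROUPS = {
    "g-A": {"name": "A", "type": "external",
            "alias": {"name": "A", "mount_accessor": MOUNT_ACCESSOR}},
    "g-B": {"name": "B", "type": "external",
            "alias": {"name": "B", "mount_accessor": MOUNT_ACCESSOR}},
    "g-C": {"name": "C", "type": "external",
            "alias": {"name": "C", "mount_accessor": MOUNT_ACCESSOR}},
    # External group aliased to a different auth mount: out of scope for this check.
    "g-D": {"name": "D", "type": "external",
            "alias": {"name": "D", "mount_accessor": "auth_other_PLACEHOLDER"}},
    # Internal group: membership is managed in Vault, not via claims.
    "g-ops": {"name": "ops", "type": "internal", "alias": None},
}

# Constructed entity record, shaped like identity/entity/id/<id> output.
VAULT_ENTITY = {"id": "e-foo", "name": "foo",
                "group_ids": ["g-A", "g-B", "g-C", "g-D", "g-ops"]}

# ---- Inspection helpers -----------------------------------------------------

def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def claimed_groups(token: str, groups_claim: str = "groups") -> set:
    """Return the group names carried in the configured claim (string or list)."""
    value = jwt_payload(token).get(groups_claim, [])
    if isinstance(value, str):
        value = [value]
    return set(value)

def find_group_drift(token: str, entity: dict, groups: dict,
                     mount_accessor: str, groups_claim: str = "groups") -> dict:
    """Compare claimed groups with the entity's external-group membership.

    Only external groups whose alias belongs to the given mount accessor are in
    scope; internal groups and groups aliased to other mounts are ignored.
    """
    claimed = claimed_groups(token, groups_claim)
    in_scope = {
        gid: g for gid, g in groups.items()
        if g["type"] == "external" and g.get("alias")
        and g["alias"]["mount_accessor"] == mount_accessor
    }
    alias_to_gid = {g["alias"]["name"]: gid for gid, g in in_scope.items()}
    expected = {alias_to_gid[name] for name in claimed if name in alias_to_gid}
    actual = {gid for gid in entity["group_ids"] if gid in in_scope}
    return {
        "stale": sorted(actual - expected),          # still a member, no longer claimed
        "missing": sorted(expected - actual),        # claimed, but not a member
        "unmapped_claims": sorted(n for n in claimed if n not in alias_to_gid),
    }

if __name__ == "__main__":
    report = find_group_drift(SAMPLE_JWT, VAULT_ENTITY, VAULT_GROUPS, MOUNT_ACCESSOR)
    print(json.dumps(report, indent=2))
```

Running it against the constructed data reports `g-A` as stale, which is exactly the condition the question describes; an empty `stale` list after a fresh login would indicate the membership was reconciled, while a non-empty `unmapped_claims` list points at an alias-name mismatch between the IdP and the external group aliases rather than at a propagation delay.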