OIDC bound_claims not working if nested JSON

I am authenticating users to vault using the OIDC method…so far that works. Now I want to limit login permissions to certain groups and I tried using bound_claims for that. Problem is that it only works if bound_claims is a flat string, but not if bound_claims is itself JSON. The returned JSON object looks something like this:

"access": {
  "vault": {
    "roles": ["somerole"]

The OIDC role config allows me to set this as a bound_claim which made me think it should work. But on login Vault does not match on the JSON, it always treats the value as a string or a list, even if vault read auth/oidc/role/somerole parses the JSON correctly as maps.

Do I have to customize my IDP so it does not return JSON in the claim or is there a way to make Vault parse the data?



Not sure if you still need this, but for others who might be looking for same answer:

If you check out source code of Vault you will find that bound_calims supports JSONPointer, so you need to set up your claims something like following:

"bound_claims": {
  "/access/vault/roles": "somerole"