Restrict only one group to auth using Google OAuth2

I have enabled Google OAuth2 on Vault.
It works correctly and all organization members can log in to Vault.
I am trying to map/allow login to Vault for only one Google group named "admin" (with 5 members in it).
I have such a role:

[root@santite vault]# vault read auth/oidc/role/admingsuite_role
Key                        Value
---                        -----
allowed_redirect_uris      [https://vault.ab.example.org/ui/vault/auth/oidc/oidc/callback http://localhost:8250/oidc/callback]
bound_audiences            <nil>
bound_claims               map[group:[admin]]
bound_claims_type          string
bound_subject              n/a
claim_mappings             <nil>
clock_skew_leeway          0
expiration_leeway          0
groups_claim               group
max_age                    0
not_before_leeway          0
oidc_scopes                [email]
role_type                  oidc
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [null]
token_ttl                  72h
token_type                 default
user_claim                 email
user_claim_json_pointer    false
verbose_oidc_logging       true

I also created the admin group in Vault using this method:

vault write identity/group name="admin" type="external" \
        policies="editor" \
        metadata=responsibility="Manager Group"

export GROUP_ID="<from_last_output>"

vault auth list -format=json  \
        | jq -r '."oidc/".accessor' > accessor.txt

vault write identity/group-alias name="admin" \
        mount_accessor=$(cat accessor.txt) \
        canonical_id="$GROUP_ID"

I get an error when trying to auth with my org account that belongs to the org Google admin group:

error validating claims: claim "group" does not match any associated bound claim values

What am I doing wrong?

To be OpenID-compliant, you must include the openid profile scope values in your authentication request.

Source: OpenID Connect  |  Authentication  |  Google for Developers

So, at a minimum, you would need to provide profile besides email, which is already in the oidc_scopes.

There may be other issues with the claims as well, so I'd recommend using a client like GitHub - cloudentity/oauth2c: User-friendly OAuth2 CLI to check if you're getting them right before configuring Vault.

Also check out the Vault auth plugin's documentation.

Thanks @macmiranda for your help.
I have finished OAuth using this config:

[root@santite vault]# vault read auth/oidc/role/admingsuite_role
Key                        Value
---                        -----
allowed_redirect_uris      [https://vault.ab.tld.org/ui/vault/auth/oidc/oidc/callback http://localhost:8250/oidc/callback]
bound_audiences            <nil>
bound_claims               map[groups:elkadmin@tld.org]
bound_claims_type          string
bound_subject              n/a
claim_mappings             <nil>
clock_skew_leeway          0
expiration_leeway          0
groups_claim               groups
max_age                    0
not_before_leeway          0
oidc_scopes                [openid profile]
role_type                  oidc
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [editor]
token_ttl                  72h
token_type                 default
user_claim                 sub
user_claim_json_pointer    false
verbose_oidc_logging       true

The problem is that I can only use sub when mapping groups.
I get an ID instead of an email.
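Putting the two role configurations from this thread side by side, the following is an offline model of what Vault does with the ID token on login: decode the claims, check user_claim and bound_claims, then map the groups_claim values onto external identity groups through group-aliases. This is an added example written for this thread; it is not Vault's code and not anything the posters ran. Everything in it is constructed: the mount accessor (the value that would end up in accessor.txt), the unsigned sample tokens, and the alias tables. The sample tokens assume the group list arrives under the configured groups_claim name as Google group e-mail addresses, which is the value the working role binds against. The "does not match any associated bound claim values" message mirrors the error quoted above; the other error strings are this example's own wording. Two things it shows that the thread only hints at: a group-alias only maps a claim value when the alias name equals that value exactly, so an alias named "admin" never picks up a claim value of "elkadmin@tld.org"; and a token issued without the email scope carries no email claim, so a role with user_claim=email is rejected while user_claim=sub succeeds.

```python
"""Offline model of how a Vault OIDC role evaluates an ID token and how the
groups_claim values are mapped to external identity groups via group-aliases.
Added example for this thread; not Vault's code and not the posters'. Tokens,
accessor and alias tables are constructed. The JWT is decoded WITHOUT signature
verification (claim inspection only). Error strings are the example's own
except the "does not match" text quoted in the thread."""
import base64
import json

# constructed stand-in for the value the thread saves into accessor.txt
ACCESSOR = "auth_oidc_0123abcd"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build an unsigned JWT so the example runs offline (constructed data)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT; the signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate_role(role: dict, claims: dict) -> dict:
    """Apply user_claim, bound_claims and groups_claim the way Vault does."""
    user = claims.get(role["user_claim"])
    if user is None:  # e.g. user_claim=email but the email scope was not requested
        return {"ok": False, "error": f'user claim "{role["user_claim"]}" not found in token'}
    # bound_claims (type string): each named claim, scalar or list, must share
    # at least one value with the allowed values, which may also be scalar or list
    for name, allowed in role.get("bound_claims", {}).items():
        if name not in claims:
            return {"ok": False, "error": f'claim "{name}" is missing from the token'}
        present = {str(v) for v in _as_list(claims[name])}
        if present.isdisjoint({str(v) for v in _as_list(allowed)}):
            return {"ok": False, "error": (f'error validating claims: claim "{name}" '
                                           'does not match any associated bound claim values')}
    groups = [str(g) for g in _as_list(claims.get(role["groups_claim"], []))]
    return {"ok": True, "user": str(user), "groups": groups}

def resolve_external_groups(group_values, aliases, accessor):
    """A group-alias maps a claim value only when its name equals that value
    exactly and the alias belongs to the same auth mount accessor."""
    return [a["canonical_id"] for value in group_values for a in aliases
            if a["mount_accessor"] == accessor and a["name"] == value]

def login(role, token, aliases, groups_by_id, accessor=ACCESSOR):
    """Decode, evaluate the role, then merge role and external group policies."""
    result = evaluate_role(role, decode_jwt_payload(token))
    if not result["ok"]:
        return result
    result["external_groups"] = resolve_external_groups(result["groups"], aliases, accessor)
    policies = set(role.get("token_policies", []))
    for gid in result["external_groups"]:
        policies.update(groups_by_id[gid]["policies"])
    result["policies"] = sorted(policies)
    return result

# --- constructed scenarios mirroring the two roles in the thread ------------
GROUPS = {"g-admin": {"name": "admin", "policies": ["editor"]}}
ALIAS_NAMED_ADMIN = [{"name": "admin", "mount_accessor": ACCESSOR, "canonical_id": "g-admin"}]
ALIAS_NAMED_EMAIL = [{"name": "elkadmin@tld.org", "mount_accessor": ACCESSOR, "canonical_id": "g-admin"}]

FIRST_ROLE = {"user_claim": "email", "groups_claim": "group",
              "bound_claims": {"group": ["admin"]}, "token_policies": []}
FIXED_ROLE = {"user_claim": "sub", "groups_claim": "groups",
              "bound_claims": {"groups": "elkadmin@tld.org"}, "token_policies": ["editor"]}

# token as seen with the email scope and the group list under "group"
TOKEN_WITH_EMAIL = make_token({"sub": "1001", "email": "alice@tld.org",
                               "group": ["elkadmin@tld.org"]})
# token with only openid+profile: no email claim, group list under "groups"
TOKEN_WITHOUT_EMAIL = make_token({"sub": "1001", "name": "Alice",
                                  "groups": ["elkadmin@tld.org"]})

def run_scenarios() -> dict:
    return {
        "first_role": login(FIRST_ROLE, TOKEN_WITH_EMAIL, ALIAS_NAMED_ADMIN, GROUPS),
        "fixed_role_alias_admin": login(FIXED_ROLE, TOKEN_WITHOUT_EMAIL, ALIAS_NAMED_ADMIN, GROUPS),
        "fixed_role_alias_email": login(FIXED_ROLE, TOKEN_WITHOUT_EMAIL, ALIAS_NAMED_EMAIL, GROUPS),
        "fixed_role_user_claim_email": login({**FIXED_ROLE, "user_claim": "email"},
                                             TOKEN_WITHOUT_EMAIL, ALIAS_NAMED_EMAIL, GROUPS),
    }

if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(f"{name}: {json.dumps(res)}")
```

Run it directly to print each scenario. To use it against a real login, paste the id_token you obtain from Google (for example with oauth2c) into decode_jwt_payload and compare the claim names and values it prints with the role's groups_claim and bound_claims before writing them into Vault; a claim that is present under "groups" will never satisfy a role that binds "group".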

That’s alright. It’s the internal Vault OIDC user object id.

If it’s still not working, I’d strongly recommend you check your claims with GitHub - cloudentity/oauth2c: User-friendly OAuth2 CLI

You can probably check that with the Vault CLI too, but I don't know how.