I am using Vault with Azure AD OIDC (login with email).
I am using the commands below:
# Enable the OIDC auth method and point it at the Azure AD tenant
vault auth enable oidc
vault write auth/oidc/config \
    oidc_client_id="6da27bcb-c9cb-424e-a959-*****" \
    oidc_client_secret="Jh68Q~L7.tpaZfCT0WiTCIFNzV9Q*********" \
    default_role="azure-ad-role" \
    oidc_discovery_url="https://login.microsoftonline.com/e3e735ae-c338-4e2a-8634-********/v2.0"

# Role that reads group membership from the "groups" claim of the token
vault write auth/oidc/role/azure-ad-role \
    user_claim="sub" \
    allowed_redirect_uris="https://vault.cci.com/ui/vault/auth/oidc/oidc/callback" \
    groups_claim="groups" \
    oidc_scopes="https://graph.microsoft.com/.default profile" \
    policies=default

# Map the Azure AD group object ID onto the Vault identity group
vault write identity/group-alias \
    name="ecae7026-d666-450a-9dc7-8e3*******" \
    mount_accessor="auth_oidc_7747eec8" \
    canonical_id="0e3ee6f7-fe99-30b7-84bf-60*******"
Here, in the last command, “ecae7026-d666-450a-9dc7-8e3*******” is my object group ID,
and 0e3ee6f7-fe99-30b7-84bf-60******* is the Vault group ID.
Everything is working fine and I am able to log in to Vault with OIDC (email),
as I am a member of the ecae7026-d666-450a-9dc7-8e3******* group.
One more person is also a member of the ecae7026-d666-450a-9dc7-8e3******* group, same as me,
but he is not able to log in and gets this error:
failed to fetch groups: "groups" claim not found in token
While checking, I noticed that I am a member of 90 groups but he is a member of 300 groups.
Is there any other parameter or configuration that we have to provide in the above commands?
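Added diagnostic, not part of the original post: Azure AD stops embedding the `groups` array once a user's membership exceeds its token limit (200 groups for JWT tokens) and instead emits `_claim_names`/`_claim_sources` pointing at Microsoft Graph (or `hasgroups: true` in the implicit flow), which is the overage case Vault's OIDC auth handles only when `provider_config` is set with `provider=azure`. The script below decodes an ID token's payload (without verifying it, so for local inspection of a token you already hold only) and reports which of the three shapes it has; both tokens are constructed samples and the Graph endpoint is a placeholder.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it.
    Diagnostic only: it shows which claims the IdP put in the token and
    proves nothing about the token's authenticity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_groups(claims: dict) -> dict:
    """Report how Azure AD conveyed group membership in an ID token.
    'present' -> plain 'groups' array, what Vault's groups_claim="groups" expects
    'overage' -> 'groups' replaced by _claim_names/_claim_sources (or hasgroups),
                 i.e. the user is in more groups than Azure AD embeds in a token
    'missing' -> neither; check the app registration's group claim settings"""
    if isinstance(claims.get("groups"), list):
        return {"status": "present", "count": len(claims["groups"])}
    names = claims.get("_claim_names", {})
    if "groups" in names or claims.get("hasgroups") is True:
        src = claims.get("_claim_sources", {}).get(names.get("groups", ""), {})
        return {"status": "overage", "graph_endpoint": src.get("endpoint")}
    return {"status": "missing", "count": 0}


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (illustration only)."""
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed samples: a normal token and one with the overage shape
TOKEN_NORMAL = make_unsigned_token({"sub": "user-a", "groups": ["g1", "g2"]})
TOKEN_OVERAGE = make_unsigned_token({
    "sub": "user-b",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/<placeholder-id>/getMemberObjects"}},
})

if __name__ == "__main__":
    for tok in (TOKEN_NORMAL, TOKEN_OVERAGE):
        print(classify_groups(decode_jwt_payload(tok)))
```

Running it against the real ID token of the user who cannot log in should show `overage`, which is the case the `"groups" claim not found in token` error describes.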