JWT auth succeeds with a group-alias bound to the OIDC mount_accessor #136

dev-e opened this issue Sep 18, 2020 · 0 comments
dev-e commented Sep 18, 2020

Vault version: 1.4.3
IdP: Keycloak 10.0.2

Minimal reproducible scenario:

# vault auth enable -path test-oidc oidc
# vault auth enable -path test-jwt jwt
# vault auth list
Path                    Type          Accessor                    Description
----                    ----          --------                    -----------
...
test-jwt/               jwt           auth_jwt_ea4facf6           n/a
test-oidc/              oidc          auth_oidc_4ac006ff          n/a
...

# vault write auth/test-oidc/config \
    oidc_discovery_url="<IDP_SERVER_ENDPOINT>" \
    oidc_client_id="vault-test" \
    oidc_client_secret="<CLIENT_SECRET>" \
    default_role="auth-oidc"
Success! Data written to: auth/test-oidc/config

# vault write auth/test-jwt/config \
    oidc_discovery_url="<IDP_SERVER_ENDPOINT>" \
    default_role="auth-jwt"
Success! Data written to: auth/test-jwt/config

# vault write auth/test-oidc/role/auth-oidc \
allowed_redirect_uris=<VAULT_SERVER_CALLBACK_URL> \
allowed_redirect_uris=http://localhost:8250/oidc/callback \
bound_audiences="vault-test" \
user_claim="name" \
policies="" \
verbose_oidc_logging=true \
groups_claim="/resource_access/vault-test/roles"

# vault write auth/test-jwt/role/auth-jwt \
bound_audiences="vault-test" \
user_claim="name" \
policies="" \
verbose_oidc_logging=true \
groups_claim="/resource_access/vault-test/roles" \
role_type=jwt

Note: the group is external and can have only one alias:

# vault write identity/group name="test" type="external" policies="<VAULT_POLICY>"
Key     Value
---     -----
id      4a25c087-e6b9-e04c-2eee-99834495e55f
name    test

# vault write identity/group-alias name="test" \
mount_accessor=auth_jwt_ea4facf6 \
canonical_id="4a25c087-e6b9-e04c-2eee-99834495e55f"
Key             Value
---             -----
canonical_id    4a25c087-e6b9-e04c-2eee-99834495e55f
id              7450a1a1-eae0-d8bc-2e82-0a6d3e078e0b

# vault write auth/test-jwt/login jwt=<FRESH_JWT>
Key                  Value
---                  -----
token                <TOKEN>
token_accessor       <TOKEN_ACCESSOR>
token_duration       768h
token_renewable      true
token_policies       ["default"]
identity_policies    ["<VAULT_POLICY>"]
policies             ["default" "<VAULT_POLICY>"]    !! Everything is OK, we've got a policy from the group-alias
token_meta_role      auth-jwt

# vault login -method=oidc -path=test-oidc
Complete the login via your OIDC provider. Launching browser to:
...
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                <TOKEN>
token_accessor       <TOKEN_ACCESSOR>
token_duration       768h
token_renewable      true
token_policies       ["default"]
identity_policies    []
policies             ["default"]          !! Everything is OK, we have no group-alias bound to the auth_oidc_4ac006ff accessor
token_meta_role      auth-oidc

Rewrite the same alias with another mount_accessor:

# vault write identity/group-alias name="test" \
mount_accessor=auth_oidc_4ac006ff \
canonical_id="4a25c087-e6b9-e04c-2eee-99834495e55f"
Key             Value
---             -----
canonical_id    4a25c087-e6b9-e04c-2eee-99834495e55f
id              7373e79e-0ae6-72a5-b7b5-1fd2823e46a0

Try to log in again:

# vault login -method=oidc -path=test-oidc
Complete the login via your OIDC provider. Launching browser to:
...
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                <TOKEN>
token_accessor       <TOKEN_ACCESSOR>
token_duration       768h
token_renewable      true
token_policies       ["default"]
identity_policies    ["<VAULT_POLICY>"]
policies             ["default" "<VAULT_POLICY>"]  !! Everything is OK, now we get the policy via the alias bound to the OIDC accessor
token_meta_role      auth-oidc

# vault write auth/test-jwt/login jwt=<FRESH_JWT>
Key                  Value
---                  -----
token                <TOKEN>
token_accessor       <TOKEN_ACCESSOR>
token_duration       768h
token_renewable      true
token_policies       ["default"]
identity_policies    ["<VAULT_POLICY>"]
policies             ["default" "<VAULT_POLICY>"]    NB!! Here is your policy; it should not be here because you have no alias with the auth_jwt_ea4facf6 accessor
token_meta_role      auth-jwt

Now let's roll back changes for the test group-alias:

# vault write identity/group-alias name="test" \
mount_accessor=auth_jwt_ea4facf6 \
canonical_id="4a25c087-e6b9-e04c-2eee-99834495e55f"
Key             Value
---             -----
canonical_id    4a25c087-e6b9-e04c-2eee-99834495e55f
id              008502d0-ed74-de12-a505-9f16c22a78fd

And log in again with OIDC method:

# vault login -method=oidc -path=test-oidc
Complete the login via your OIDC provider. Launching browser to:
...
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                <TOKEN>
token_accessor       <TOKEN_ACCESSOR>
token_duration       768h
token_renewable      true
token_policies       ["default"]
identity_policies    ["<VAULT_POLICY>"]
policies             ["default" "<VAULT_POLICY>"]      !! Your policy is still here!
token_meta_role      auth-oidc
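An audit check for the expectation this report relies on, added here as an example (it is not part of the issue or of Vault's code): an external group's policy should reach a token only when the token's auth mount accessor matches the accessor the group's alias is bound to. The identity snapshot and login records are constructed to mirror the report's accessors and group; the `mount_accessor` on each login record is assumed to have been resolved beforehand from `vault token lookup` (the token's `path`) and `vault auth list`.

```python
"""Flag identity_policies on a token that no group alias bound to the token's
auth mount accessor can explain. Added example, not Vault's own code."""

# Constructed identity state after the reporter's final rollback step:
# the single alias of external group "test" is bound to the JWT accessor.
GROUP_ALIASES = [
    {"name": "test",
     "mount_accessor": "auth_jwt_ea4facf6",
     "canonical_id": "4a25c087-e6b9-e04c-2eee-99834495e55f"},
]
GROUPS = {
    "4a25c087-e6b9-e04c-2eee-99834495e55f": {
        "name": "test", "type": "external", "policies": ["<VAULT_POLICY>"]},
}


def expected_identity_policies(mount_accessor, groups_claim,
                               aliases=GROUP_ALIASES, groups=GROUPS):
    """Policies that external groups should contribute to a login on
    `mount_accessor` whose groups_claim names the alias (match is by name)."""
    expected = set()
    for alias in aliases:
        if alias["mount_accessor"] != mount_accessor:
            continue  # alias belongs to another auth mount
        if alias["name"] not in groups_claim:
            continue  # IdP did not assert this group for the subject
        group = groups.get(alias["canonical_id"])
        if group and group["type"] == "external":
            expected.update(group["policies"])
    return expected


def unexpected_policies(login, groups_claim,
                        aliases=GROUP_ALIASES, groups=GROUPS):
    """Return the token's identity_policies that are not explained by any
    alias bound to the mount accessor the token was issued from.

    `login` is a constructed record with the fields a practitioner would
    collect: the login response's identity_policies plus the resolved
    mount_accessor of the auth path the token came from."""
    expected = expected_identity_policies(login["mount_accessor"],
                                          groups_claim, aliases, groups)
    return sorted(set(login["identity_policies"]) - expected)


if __name__ == "__main__":
    # The report's last OIDC login: policy present although the alias is
    # bound to the JWT accessor, so the check reports it.
    oidc_login = {"mount_accessor": "auth_oidc_4ac006ff",
                  "identity_policies": ["<VAULT_POLICY>"]}
    print(unexpected_policies(oidc_login, ["test"]))  # ['<VAULT_POLICY>']
```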