OIDC: Setting value token_policy does not set policy in token

[jan-schumacher]

Actual behaviour: vault write auth/oidc/role/dev bound_audiences="supersecret" allowed_redirect_uris="http://localhost:8250/oidc/callback" user_claim="sub" token_policies="provisioneer" ttl="24h" sets token_policies [provisioneer] in role but not policies which leads to missing token_policies in the granted token.

But executing vault write auth/oidc/role/dev bound_audiences="supersecret" allowed_redirect_uris="http://localhost:8250/oidc/callback" user_claim="sub" policies="provisioneer" ttl="24h" sets both policies and token_policies to provisioneer.

Expected behaviour:
At login with oidc the value token_policies is taken into account.

[kalafut]

This is another effect of the previous issue. There were a set of new token_ fields added recently that didn't make it into the OIDC path. The fix in #67 will handle this case too.

[zx8]

@kalafut Mind taking a look at hashicorp/terraform-provider-vault#502 and advising as to whether that issue is related to this in any way?

[kalafut]

@zx8 I'll be taking a look at that issue and have skimmed it briefly. It may be related in that a whole bunch of backends were changed for the token fields update so there may be a bug in Vault or the TF provider. But there isn't really much shared code between the auth backends, and this OIDC/token bug was very much localized to the JWT backend.

[lawliet89]

@kalafut I did a test and it seems like there might be a bug with Vault itself.

[kalafut]

@lawliet89 Thanks for the repro.