AzureAD/OIDC to support more than AD 200 groups

[wrighbr]

Is your feature request related to a problem? Please describe.
There is a limitation within AAD and OIDC when a user is in more then 200 groups within Azure AD the groups claim will not be sent instead the below is sent

"_claim_names": {
    "groups": "src1"
  },
  "_claim_sources": {
    "src1": {
      "endpoint": "https://graph.windows.net/{TENANT_ID}/users/{USER-GUID}/getMemberObjects"
    }
  }

https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-groupclaims/ see under Groups overage claim

Describe the solution you'd like
To have the _claim_sources supported by vault

[kalafut]

Interesting... so that’s why (per mailing list thread) one user was getting this unexpected _claim_sources.

[wrighbr]

Correct. This actually also includes nested jobs as well. So a user can be in part of 30 groups but the nested groups can add up to more than 200 groups.

[brondum]

Exact same problem here when using Azure AD.

[sjobyt]

Have the same problem. Need to get with the Azure AD admins to stop using nested groups... Would be great if Vault support integration for this.

More info distributed claims are supported by the openid standard not only specific to Azure AD.
https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims

Foremast has this implemented with Go:
https://github.com/intuit/foremast/blob/master/foremast-barrelman/vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go