JWT Auth provider: bound_audiences checked while login even if bound_claims are set #25791

Closed
souravs17031999 opened this issue Mar 6, 2024 · 2 comments
Labels
auth/jwt-oidc bug Used to indicate a potential bug docs

Comments

@souravs17031999

souravs17031999 commented Mar 6, 2024

Describe the bug
While logging in to Vault with the JWT provider, I am not able to use bound_claims without providing bound_audiences as well, but the docs say otherwise:
For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims or token_bound_cidrs is required.

To Reproduce
Steps to reproduce the behavior:

  1. Configure JWT backend with keycloak as JWT provider.
POST {{VAULT_ADDR}}/v1/sys/auth/jwt
X-Vault-Token: {{ROOT_TOKEN}}
{
    "type": "jwt"
}
POST {{VAULT_ADDR}}/v1/auth/jwt/config
X-Vault-Token: {{ROOT_TOKEN}}
{
    "jwt_supported_algs": "RS256",
    "jwt_validation_pubkeys": "",
    "jwks_url": "{{KEYCLOAK_URL}}/realms/master/protocol/openid-connect/certs"
}
  2. Configure JWT role with above point in consideration.
curl --location 'http://127.0.0.1:8200/v1/auth/jwt/role/custom-role' \
--header 'Content-Type: application/json' \
--data '{
    "bound_claims": {
        "azp": "service-account-vault"
    },
    "user_claim": "azp",
    "token_policies": ["custom-policy"],
    "role_type": "jwt",
    "token_ttl": "10m",
    "token_no_default_policy": true,
    "token_type": "service"
}'
  3. Now, get an access token from Keycloak and log in to Vault using this JWT token.
curl --location 'http://localhost:8480/auth/realms/VAULT/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=service-account-vault' \
--data-urlencode 'client_secret=<secret>' \
--data-urlencode 'scope=openid'
# login path matches the "jwt" mount enabled in step 1
curl --location 'http://127.0.0.1:8200/v1/auth/jwt/login' \
--header 'Content-Type: application/json' \
--data '{
    "jwt": "<jwt>",
    "role": "custom-role"
}'
  4. Now, I get the following error:
{
    "errors": [
        "audience claim found in JWT but no audiences bound to the role"
    ]
}

Expected behavior
I should be able to log in and get a Vault service token after validating exp, iss, etc. along with bound_claims, and not worry about bound_audiences since I haven't set that explicitly in my role configuration.

Environment:

  • Vault Server Version (retrieve with vault status): 1.11.2
  • Vault CLI Version (retrieve with vault version): Vault v1.11.2 (3a8aa12), built 2022-07-29T09:48:47Z
  • Server Operating System/Architecture: Ubuntu 20.02 (WSL2 distro)

Vault server configuration file(s):

ui            = true
cluster_addr  = "https://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "postgresql" {
  connection_url = "postgres://user123:secret123!@localhost:5432/postgres?sslmode=disable"
}

listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_disable = 1
}

log_level = "debug"
log_requests_level = "debug"

Additional context

@peteski22 peteski22 added docs bug Used to indicate a potential bug auth/jwt-oidc labels Mar 6, 2024
@loicgreffier

I just got the same issue on v1.16.3: #27343

It was working fine on v1.16.2

@fairclothjm
Contributor

Update: We have reverted the behavior change for auth jwt roles. This will be reflected in Vault 1.16.5 and 1.15.11.

However, 1.17 and later will maintain the requirement that the bound_audiences parameter of “jwt” roles is required if the aud claim is set on the JWT. If the aud claim on the JWT is empty, then the bound_audiences is not required on the role.

https://developer.hashicorp.com/vault/api-docs/auth/jwt#bound_audiences
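The rule stated in the comment above (bound_audiences is required only when the incoming JWT carries an aud claim, and bound_claims are checked independently of it) is easy to misread from the role docs alone. The following Python is an added illustration and is not Vault's code: it models the login decision for the role in this issue against constructed HS256-signed tokens, so the audience gate and the bound_claims gate can be seen separately. The error string for the audience case is the one quoted in the issue; the other messages, the HS256 secret and the "account" audience on the sample token are assumptions for the example (real Keycloak tokens are RS256 and would be verified against the JWKS URL configured in the reproduction steps, which is not modelled here).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, List, Optional

# Throwaway HS256 secret for the constructed tokens below (assumption for this example).
SECRET = b"example-shared-secret"
FAR_FUTURE_EXP = 4102444800  # 2100-01-01, keeps the constructed tokens unexpired


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict) -> str:
    """Build a compact HS256 JWT. Constructed test data, not a Keycloak token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token: str) -> dict:
    """Check the HS256 signature in constant time and return the claims; raise on tamper."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload))


def _as_list(value: Any) -> List[Any]:
    # JWT "aud" and Vault bound values may be a single string or a list; normalise to a list.
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def check_role_bindings(role: dict, claims: dict, now: Optional[float] = None) -> List[str]:
    """Return the list of reasons a login would be rejected (empty list means allowed).

    Models the 1.17+ behaviour described in the thread: an aud claim on the token requires
    bound_audiences on the role; a token without aud passes that gate; bound_claims are
    matched regardless. Message texts other than the audience one are assumptions.
    """
    errors: List[str] = []
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        errors.append("token is expired")

    aud = _as_list(claims.get("aud"))
    bound_aud = _as_list(role.get("bound_audiences"))
    if aud and not bound_aud:
        errors.append("audience claim found in JWT but no audiences bound to the role")
    elif bound_aud and not set(aud) & set(bound_aud):
        errors.append("aud claim does not match any bound audience")

    for name, wanted in (role.get("bound_claims") or {}).items():
        if not set(_as_list(claims.get(name))) & set(_as_list(wanted)):
            errors.append(f"claim '{name}' does not match any bound claim value")
    return errors


# The role from the issue (bound_claims only) and a variant with bound_audiences added.
ROLE_FROM_ISSUE = {"bound_claims": {"azp": "service-account-vault"}, "user_claim": "azp"}
ROLE_WITH_AUD = {**ROLE_FROM_ISSUE, "bound_audiences": ["account"]}

# Constructed tokens standing in for a Keycloak client_credentials token, with and without aud.
TOKEN_WITH_AUD = make_jwt({"iss": "https://keycloak.example/realms/VAULT", "azp": "service-account-vault",
                           "aud": "account", "exp": FAR_FUTURE_EXP})
TOKEN_WITHOUT_AUD = make_jwt({"iss": "https://keycloak.example/realms/VAULT", "azp": "service-account-vault",
                              "exp": FAR_FUTURE_EXP})


def login(role: dict, token: str) -> List[str]:
    """Verify the token, then apply the role bindings; returns rejection reasons."""
    return check_role_bindings(role, verify_and_decode(token))


if __name__ == "__main__":
    for label, role, token in [("issue role, aud present", ROLE_FROM_ISSUE, TOKEN_WITH_AUD),
                               ("issue role, no aud", ROLE_FROM_ISSUE, TOKEN_WITHOUT_AUD),
                               ("bound_audiences set, aud present", ROLE_WITH_AUD, TOKEN_WITH_AUD)]:
        print(f"{label}: {login(role, token) or 'allowed'}")
```

The practical check for the reporter's setup is therefore to decode the Keycloak token and look at its aud claim: if it is present, the role needs a bound_audiences entry that matches one of its values; the bound_claims on azp are still enforced on top of that, not instead of it.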
