
Token renewal fail for userpass auth when using identity/groups #4829

Closed
primeroz opened this issue Jun 25, 2018 · 0 comments
primeroz commented Jun 25, 2018

Describe the bug
When using the "userpass" authentication backend with Identity and Groups, it seems that the token renewal breaks when the equivalence of policies is checked, with the following error:

failed to renew entry: policies have changed, not renewing
I am sure I did not apply any change to any policy or any Group/Entity policy membership. See below.

This works fine when the user is not part of any Group and has policies applied directly to the userpass identity when it gets created.

This can be reproduced with the script linked below; the process I am following does:

  1. Create a User
  2. Create an Identity Entity
  3. Create an Identity Entity Alias
  4. Create a Group with associated policy
  5. Login as user
  6. Try to renew token

So I don't think I am actually causing any change in policy that would explain the error.

Digging a bit deeper, the issue is raised here: https://github.com/hashicorp/vault/blob/master/builtin/credential/userpass/path_login.go#L122, from the function policyutil.EquivalentPolicies.

I added a bit of debug to it:

diff --git a/helper/policyutil/policyutil.go b/helper/policyutil/policyutil.go
index f6d9f6687..6700bafcc 100644
--- a/helper/policyutil/policyutil.go
+++ b/helper/policyutil/policyutil.go
@@ -1,6 +1,8 @@
 package policyutil
 
 import (
+       "fmt"
+       "os"
        "sort"
        "strings"
 
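Review bot: `fmt` and `os` are pulled into the `helper/policyutil` package solely so the two debug lines below can write to stderr; that is fine for a throwaway local patch, but it should not land as-is. If the messages are worth keeping, drop these imports and have the caller in `path_login.go` log the two policy slices through its own logger before calling `EquivalentPolicies`, so the helper stays free of I/O.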
@@ -115,11 +117,13 @@ func EquivalentPolicies(a, b []string) bool {
 
        // Finally, compare
        if len(sortedA) != len(sortedB) {
+               fmt.Fprintf(os.Stderr, "Policy Equivalence Failed: length of sortedA %d different from sortedB %d", len(sortedA), len(sortedB))
                return false
        }
 
        for i := range sortedA {
                if sortedA[i] != sortedB[i] {
+                       fmt.Fprintf(os.Stderr, "Policy Equivalence Failed: Element difference in sortedA (%s) and sortedB (%s)", sortedA[i], sortedB[i])
                        return false
                }
        }
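Review bot: neither `fmt.Fprintf` format string ends in `\n`, so each message runs into whatever is written to stderr next; the quoted output below only looks like a clean line because the function returns immediately. Also, the length-mismatch branch prints only the two counts, which is why the report still has to guess that the extra element is the identity policy: printing the slices themselves, e.g. `"... sortedA %v sortedB %v\n", sortedA, sortedB`, would show directly which policy is present on one side only. Finally, since the element-difference branch emits raw policy names, unconditional stderr writes in a helper package are the wrong channel; route this through the backend logger at debug level.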

And the problem printed to stderr is that the length of the user.Policies passed from path_login.go is actually 0:

Policy Equivalence Failed: length of sortedA 0 different from sortedB 1

It would seem that user.Policies does not include the IdentityPolicies while req.Auth.Policies does?

To Reproduce
Steps to reproduce the behavior:

  1. Run Vault dev server: vault server -dev
  2. Grab Unseal and Root token
  3. Grab Test script from https://paste.debian.net/hidden/e6e0f189/ and populate Unseal and Root token variables
  4. Run the script
  5. See error at the last step, renewal of self token

Expected behavior
Token Renew successfully

Environment:

  • Vault Server Version (retrieve with vault status): 0.10.3 and master
  • Vault CLI Version (retrieve with vault version): 0.10.3 and master
  • Server Operating System/Architecture: Container Linux by CoreOS stable (1745.5.0)

Vault server configuration file(s):
https://paste.debian.net/hidden/e6e0f189/

Additional context
I tried the same workflow using an approle instead of the userpass backend and it works as expected, even though I could not find any use of policyutil.EquivalentPolicies in the approle token renewal function. Is this check performed differently in the approle vs the userpass backend?
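The mechanism described in the report (the stored user's policy list being compared against a merged list that also carries identity/group policies) is easy to see in isolation. The following is an added illustration written for this page, not Vault's own code: `authInfo` is a hypothetical stand-in for the relevant fields of Vault's auth struct, `equivalentPolicies` is a simplified reimplementation of the sort-and-compare visible in the diff above (it does not reproduce Vault's special handling of the "default" policy), and the policy names are constructed sample input. `RenewAgainstTokenPolicies` models the direction the fix commit message describes, comparing only the policies the backend itself granted.

```go
package main

import (
	"fmt"
	"sort"
)

// authInfo is a hypothetical stand-in (assumption, not Vault's real type)
// for the two policy lists attached to a login: the ones the auth backend
// granted (token policies) and the ones inherited through the identity
// entity and its groups (identity policies).
type authInfo struct {
	TokenPolicies    []string
	IdentityPolicies []string
}

// AllPolicies returns the merged view that the report observes in
// req.Auth.Policies: token policies plus identity policies.
func (a authInfo) AllPolicies() []string {
	out := append([]string{}, a.TokenPolicies...)
	return append(out, a.IdentityPolicies...)
}

// equivalentPolicies is a simplified reimplementation of the comparison
// shown in the diff: copy, sort, then compare length and elements.
// It deliberately omits Vault's "default" policy special-casing.
func equivalentPolicies(a, b []string) bool {
	sortedA := append([]string{}, a...)
	sortedB := append([]string{}, b...)
	sort.Strings(sortedA)
	sort.Strings(sortedB)
	if len(sortedA) != len(sortedB) {
		return false
	}
	for i := range sortedA {
		if sortedA[i] != sortedB[i] {
			return false
		}
	}
	return true
}

// RenewAgainstAllPolicies models the failing renewal check: the userpass
// entry's stored policies compared against the merged policy list.
func RenewAgainstAllPolicies(userPolicies []string, auth authInfo) bool {
	return equivalentPolicies(userPolicies, auth.AllPolicies())
}

// RenewAgainstTokenPolicies models the check restricted to policies the
// backend granted, which is what the fix commit message describes.
func RenewAgainstTokenPolicies(userPolicies []string, auth authInfo) bool {
	return equivalentPolicies(userPolicies, auth.TokenPolicies)
}

func main() {
	// Constructed input mirroring the report: the user has no policies of
	// its own, and exactly one policy arrives through group membership.
	var userPolicies []string
	auth := authInfo{IdentityPolicies: []string{"group-policy"}}

	// Comparing against the merged list reproduces "0 different from 1".
	fmt.Println("merged comparison passes:", RenewAgainstAllPolicies(userPolicies, auth))
	// Comparing against token policies only is stable across renewals.
	fmt.Println("token-only comparison passes:", RenewAgainstTokenPolicies(userPolicies, auth))
}
```

The same comparison still succeeds for a user whose policies are attached directly to the userpass entry and who belongs to no group, which matches the report's observation that only the group-membership case breaks.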

@vishalnayak vishalnayak added this to the 0.10.4 milestone Jun 25, 2018
@jefferai jefferai self-assigned this Jul 19, 2018
jefferai added a commit that referenced this issue Jul 20, 2018
1) In backends, ensure they are now using TokenPolicies
2) Don't reassign auth.Policies until after expmgr registration as we
don't need them at that point

Fixes #4829
briankassouf pushed a commit that referenced this issue Jul 24, 2018
1) In backends, ensure they are now using TokenPolicies
2) Don't reassign auth.Policies until after expmgr registration as we
don't need them at that point

Fixes #4829