jwt auth: token with union of policies from all roles matching jwt

[tenstad]

Is your feature request related to a problem? Please describe.
The builtin jwt auth plugin requires a role-name to be specified during authentication. When authenticated, access is only granted based on the policies of that single role. Even though the JWT satisfies multiple roles' bound claims. Thus, multiple logins with different role names are required when policies are split across multiple roles, resulting in multiple tokens which cannot be used interchangeably.

Describe the solution you'd like
Automatically determine which roles' bound claims a JWT matches. Then grants access to the union of all the matching roles' policies. Thus a single login is sufficient to get a token with combined access, with the JWT as the sole login parameter. Could be disabled by default in the builtin jwt auth plugin, and enabled through config.

Additional context
A custom plugin is able to achieve the desired behavoir: statnett/vault-plugin-auth-jwt-auto-roles.
However, it relies on the builtin jwt auth plugin (see working-details). It would be nice to get such a feture into the official jwt plugin. The feature could be activated by not specifying role during login, or be locked behind a default-false configuration option.