Google Connector: support Application Default Credential (ADC)
Preflight Checklist
- [X] I agree to follow the Code of Conduct that this project adheres to.
- [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
Problem Description
The Google provider documentation for fetching groups requires the parameter serviceAccountFilePath.
When DEX is running on GCP, there is no need to export a GCP service account credential and make it available as serviceAccountFilePath. In fact, it is bad security practice to generate long-term credentials such as GCP service account user-managed keys.
Proposed Solution
If no serviceAccountFilePath is provided, obtain the Application Default Credential (ADC) from the environment.
See https://pkg.go.dev/cloud.google.com/go#hdr-Authentication_and_Authorization
Alternatives Considered
No response
Additional Information
To my understanding, the adminEmail is also no longer needed. You can have the GCP service account access the GSuite directory API directly, without having to impersonate another user: https://support.google.com/a/answer/162106#zippy=%2Cset-up-domain-wide-delegation-for-a-client
Related https://github.com/dexidp/dex/pull/2530
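The fallback proposed in the issue, written out as an added example (not Dex's code and not the implementation in the linked PR): a standard-library-only resolver that keeps an explicit serviceAccountFilePath, otherwise walks the documented ADC lookup order (the file named by GOOGLE_APPLICATION_CREDENTIALS, gcloud's application_default_credentials.json, then the instance metadata server), plus a check that flags a user-managed service account key, the long-lived credential the issue warns about. The Resolver type, requireFile, metadataEmail and IsUserManagedKey are names introduced here for illustration; a real connector would hand the resolved credential to the Google API client instead of reporting a path.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// CredentialSource names where the connector ends up taking its Google credentials from.
type CredentialSource int

const (
	SourceNone         CredentialSource = iota
	SourceConfigFile                    // explicit serviceAccountFilePath in the connector config
	SourceADCEnv                        // ADC step 1: file named by $GOOGLE_APPLICATION_CREDENTIALS
	SourceADCWellKnown                  // ADC step 2: gcloud's application_default_credentials.json
	SourceADCMetadata                   // ADC step 3: attached service account via the metadata server
)

// Resolver (assumed name, not Dex code) bundles the lookup inputs so the order can be tested offline.
type Resolver struct {
	ServiceAccountFilePath string              // connector config value; empty means "fall back to ADC"
	Getenv                 func(string) string // normally os.Getenv
	HomeDir                string              // normally os.UserHomeDir()
	MetadataURL            string              // http://169.254.169.254 on GCE/GKE; "" fails fast without network I/O
}

// requireFile turns a configured path into a result, failing loudly if the file is missing.
func requireFile(src CredentialSource, label, p string) (CredentialSource, string, error) {
	if st, err := os.Stat(p); err != nil || st.IsDir() {
		return SourceNone, "", fmt.Errorf("%s %q is not a readable file", label, p)
	}
	return src, p, nil
}

// Resolve keeps the existing serviceAccountFilePath behaviour and otherwise walks the documented ADC
// lookup order. The detail is the file path, or the attached service account's email for the metadata case.
func (r *Resolver) Resolve() (CredentialSource, string, error) {
	if p := r.ServiceAccountFilePath; p != "" {
		return requireFile(SourceConfigFile, "serviceAccountFilePath", p)
	}
	if p := r.Getenv("GOOGLE_APPLICATION_CREDENTIALS"); p != "" {
		return requireFile(SourceADCEnv, "GOOGLE_APPLICATION_CREDENTIALS", p)
	}
	wellKnown := filepath.Join(r.HomeDir, ".config", "gcloud", "application_default_credentials.json")
	if _, err := os.Stat(wellKnown); err == nil {
		return SourceADCWellKnown, wellKnown, nil
	}
	if email, err := r.metadataEmail(); err == nil {
		return SourceADCMetadata, email, nil
	}
	return SourceNone, "", fmt.Errorf("no Google credentials: set serviceAccountFilePath or run where ADC is available")
}

// metadataEmail asks the metadata server for the attached service account; the Metadata-Flavor header is mandatory.
func (r *Resolver) metadataEmail() (string, error) {
	req, err := http.NewRequest(http.MethodGet, r.MetadataURL+"/computeMetadata/v1/instance/service-accounts/default/email", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := (&http.Client{Timeout: 2 * time.Second}).Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("metadata server returned HTTP %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	return string(body), err
}

// IsUserManagedKey reports whether a credential file is a user-managed service account key (type
// "service_account" with an embedded private key), the long-lived secret the issue warns about.
// "authorized_user" and "external_account" ADC files carry no such key.
func IsUserManagedKey(path string) (bool, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	var c struct {
		Type       string `json:"type"`
		PrivateKey string `json:"private_key"`
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return false, err
	}
	return c.Type == "service_account" && c.PrivateKey != "", nil
}

func main() {
	home, _ := os.UserHomeDir()
	fmt.Println((&Resolver{Getenv: os.Getenv, HomeDir: home, MetadataURL: "http://169.254.169.254"}).Resolve())
}
```

In practice the Google client libraries perform this search themselves (for Go, `FindDefaultCredentials` in `golang.org/x/oauth2/google`), so the resolver mainly makes explicit what "obtain the ADC from the environment" means: on a GCE or GKE node with nothing configured, the credential is the attached service account, and no key file exists on disk to leak. A configured serviceAccountFilePath that points at a missing file is treated as an error rather than a silent fallback, so a misconfigured deployment cannot quietly start using a different identity.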
Yes, this can be closed as the feature was shipped with the v2.34.0 release.
I am closing the issue. Feel free to reopen it or open a new one if something is left to implement.