Google connector doesn't support Workspace group auth without domain-wide delegation

[aaaaahaaaaa]

Preflight Checklist

• [X] I agree to follow the Code of Conduct that this project adheres to.
• [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

Google supports authenticating with the Groups API using a service account without domain-wide delegation. AFAICT from testing, DEX's connector doesn't support that method.

Tested with the following approach:

1. Configure service account A with access to the Group API without DWDoA using the documentation above.
2. Grant service account B with iam.serviceAccountTokenCreator role over service account A.
3. Point serviceAccountFilePath to credentials of SA B.
4. Set domainToAdminEmail with email of SA A.

The following error is returned:

oauth2: cannot fetch token: 401 Unauthorized Response [...] Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested

Proposed Solution

Connector should allow the same level of configuration for example as Vault's OIDC provider.

Additional Information

Additionally, the flow should also works if serviceAccountFilePath points directly to credentials of the SA A, even without impersonation.

[ssmall]

This is currently an adoption blocker for my organization to use ArgoCD; we cannot enable domain-wide delegation because it is considered "too risky". Implementing this feature request would be great for us!

[loljawn]

Second this, I would want to avoid domain-wide delegation as it's impersonating a privileged account and it could be challenging to audit. Would prefer to use service account with tightly scoped permissions.

Terrform documentation re: Google Workspace provides an alternative that could work: https://registry.terraform.io/providers/hashicorp/googleworkspace/latest/docs#authentication