juanfont / headscale

An open source, self-hosted implementation of the Tailscale control server
BSD 3-Clause "New" or "Revised" License

Implement OIDC Group support for Google Workspace (was GSuite) issuer/provider #1861

Open SLoeuillet opened 2 months ago

SLoeuillet commented 2 months ago

Why

As Google is a bad organisation, they provided the minimum to comply with OpenID (email, username, family, name), but it lacks something that most other providers give: the groups in which the user is registered.

That would mean that using OIDC with Google Workspace would allow everyone on the domain to have VPN access.

Google could give the groups, but not as a standard claim; they have to be fetched by calling some Google Cloud APIs: either the Admin Directory API, with a service account that has full delegation on the domain, or the Cloud Identity API, which is newer and gives back the list of groups.

Description

When Google Workspace is used and allowed_groups filtering is used in the headscale configuration, dynamically add the required proprietary scope that kindly asks for groups. Then, once the OIDC response comes back, take the JWT auth token and query the groups using the Cloud Identity API.
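The flow proposed above, as an added Go example that is neither headscale's code nor the code of PR #1858: the extra scope is requested only for the Google issuer and only when allowed_groups is set, the access token from the OIDC exchange is used to call the Cloud Identity searchDirectGroups endpoint, and the user is admitted only if one of the returned groups is in allowed_groups. The scope string, endpoint path, query syntax and response shape are assumptions taken from Google's public documentation, not from this issue; the server the example talks to is a constructed stand-in so it runs offline, and groups are matched by their email address.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Read-only group-membership scope for the Cloud Identity API (assumed from Google's docs).
const cloudIdentityGroupsScope = "https://www.googleapis.com/auth/cloud-identity.groups.readonly"

// oidcScopes adds the proprietary groups scope only for Google and only when allowed_groups is set.
func oidcScopes(issuer string, allowedGroups []string) []string {
	scopes := []string{"openid", "profile", "email"}
	if issuer == "https://accounts.google.com" && len(allowedGroups) > 0 {
		scopes = append(scopes, cloudIdentityGroupsScope)
	}
	return scopes
}

// membershipResponse holds the one field read from a searchDirectGroups reply (assumed shape).
type membershipResponse struct {
	Memberships []struct {
		GroupKey struct{ ID string `json:"id"` } `json:"groupKey"`
	} `json:"memberships"`
}

// directGroups lists the groups the user is a direct member of, sending the OIDC access
// token to GET <baseURL>/v1/groups/-/memberships:searchDirectGroups (endpoint assumed).
func directGroups(client *http.Client, baseURL, accessToken, email string) ([]string, error) {
	q := url.Values{"query": {fmt.Sprintf("member_key_id == '%s'", email)}}
	req, err := http.NewRequest(http.MethodGet, baseURL+"/v1/groups/-/memberships:searchDirectGroups?"+q.Encode(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("cloud identity: unexpected status %d", resp.StatusCode)
	}
	var mr membershipResponse
	if err := json.NewDecoder(resp.Body).Decode(&mr); err != nil {
		return nil, err
	}
	groups := make([]string, 0, len(mr.Memberships))
	for _, m := range mr.Memberships {
		groups = append(groups, m.GroupKey.ID)
	}
	return groups, nil
}

// allowedByGroups is the allowed_groups gate: with no filter everyone on the domain gets in
// (the issue's concern); with a filter the user needs at least one listed group.
func allowedByGroups(userGroups, allowedGroups []string) bool {
	if len(allowedGroups) == 0 {
		return true
	}
	for _, g := range userGroups {
		for _, a := range allowedGroups {
			if g == a {
				return true
			}
		}
	}
	return false
}

// newFakeCloudIdentity is a constructed stand-in for the Google endpoint so the example
// runs offline; members maps a user email to the group emails it belongs to.
func newFakeCloudIdentity(token string, members map[string][]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		email := strings.Trim(strings.TrimPrefix(r.URL.Query().Get("query"), "member_key_id == "), "'")
		memberships := []interface{}{}
		for _, g := range members[email] {
			memberships = append(memberships, map[string]interface{}{"groupKey": map[string]string{"id": g}})
		}
		json.NewEncoder(w).Encode(map[string]interface{}{"memberships": memberships})
	}))
}

func main() {
	srv := newFakeCloudIdentity("access-token", map[string][]string{"alice@example.com": {"vpn-users@example.com"}})
	defer srv.Close()
	groups, err := directGroups(srv.Client(), srv.URL, "access-token", "alice@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println(groups, allowedByGroups(groups, []string{"vpn-users@example.com"}))
}
```

Against the real service the base URL would be https://cloudidentity.googleapis.com and the token must have been issued with the groups scope, otherwise the call fails with a non-200 status; directGroups returns an error in that case, and a caller that treats any error as "not allowed" keeps a failed lookup from silently turning into domain-wide access.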

SLoeuillet commented 2 months ago

This has been implemented in PR #1858

SLoeuillet commented 2 months ago

Note that there are 2 ways to get groups: direct groups & transient groups. I chose the direct groups.

Another thing: the Google Cloud Go bindings are immature, which is why I called the API directly instead of using them.