New connector: Google Cloud Identity-Aware Proxy (IAP) JWT authentication and group membership integration #4567

@alessandro-verzicco

Description

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

Dex currently supports various OIDC connectors, including Google, but does not natively support Google Cloud Identity-Aware Proxy (IAP) JWT authentication. Google Cloud IAP issues JWT tokens that are signed by Google; these include user identity and can be used for application authentication and authorization. However, Dex does not provide a connector able to:

  • Validate and verify IAP JWT signatures against Google's JWKS endpoint
  • Retrieve user group memberships from the Google Workspace Directory API in the context of IAP-identified users

This makes it difficult to integrate Dex in setups where authentication flows rely on Google Cloud IAP. Existing connectors (OIDC, Google, generic JWT) are not sufficient to address this, and there is no established workaround.

Proposed Solution

I propose the addition of a new connector for Google Cloud Identity-Aware Proxy (IAP). Main features would include:

  • The connector should accept JWT tokens as provided by Google Cloud IAP
  • The connector must verify the signature of the JWT against Google's JWKS endpoint (https://www.googleapis.com/oauth2/v3/certs), honor claims such as email, sub, iss, and validate expiration
  • After identity extraction, the connector will use the Google Workspace Directory API to retrieve group memberships for the authenticated user, similar to what the Google connector does
  • Mapping of JWT claims to Dex identity fields and group claims should be configurable

I have already implemented and tested such a connector in a real-world deployment, and I'm willing to submit a PR for review.
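As an added example (not code from this issue or from Dex itself), the validation steps the proposal lists, written in Go against the standard library only: pin alg to RS256, select the signing key by kid from a key set shaped like Google's certs endpoint, verify the signature before reading any claim, then check iss, aud and exp. The jwks, iapClaims and verifyIAPJWT names are assumptions; fetching and caching the key set over HTTPS is left to the caller, and aud is checked so a token minted for another backend is not accepted.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// jwks mirrors the key set served at https://www.googleapis.com/oauth2/v3/certs (RSA members only);
// iapClaims holds the claims the proposed connector would map onto a Dex identity (assumed names).
type jwks struct{ Keys []struct{ Kid, N, E string } }
type iapClaims struct{ Iss, Aud, Sub, Email string; Exp int64 }

// verifyIAPJWT pins alg to RS256, selects the key by kid, checks the signature and only
// then trusts iss, aud and exp (unix seconds); on any failure no claims are returned.
func verifyIAPJWT(token string, keys jwks, wantIss, wantAud string, now int64) (*iapClaims, error) {
	b64, p := base64.RawURLEncoding, strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	raw, err := b64.DecodeString(p[0])
	if len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or alg not RS256") // the token never picks the algorithm
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys { // an unknown kid is a rejection, never a fallback to "any key"
		if n, err := b64.DecodeString(k.N); err == nil && k.Kid == hdr.Kid {
			e, _ := b64.DecodeString(k.E) // a malformed e yields a key that verifies nothing
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(p[2])
	if pub == nil || err != nil {
		return nil, errors.New("unknown kid or undecodable signature")
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1])) // the signature covers header.payload exactly as sent
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, err
	}
	var c iapClaims // claims are decoded only after the signature has been verified
	if raw, err = b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil || c.Iss != wantIss || c.Aud != wantAud || c.Exp <= now {
		return nil, errors.New("claims rejected: iss, aud or exp")
	}
	return &c, nil
}
```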

Alternatives Considered

Additional Information

I am happy to take feedback, incorporate suggestions from maintainers, and contribute both code and tests. Please advise on design or review workflow.
