
Add support for Domain-Wide Delegation using ImpersonatedCredential #2011

Closed
AlonShitrit opened this issue Dec 5, 2021 · 4 comments · Fixed by #2013
Assignees
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@AlonShitrit

I have an application that authenticates as service account S1, I'd like to retrieve some information regarding Google Workspace using domain-wide delegation.

In order to do so, I have another service account S2 to which domain-wide authority can be delegated.

I'd like to have S1 impersonate S2 (already have the "Service Account Token Creator role" on S1) and use it to retrieve info.
Currently, ImpersonatedCredential does not support domain-wide delegation hence I can't use S1 to retrieve the information.

Unfortunately, in my scenario I can't use S2 directly. I've tried looking for a way around it but couldn't come up with anything...

Adding such support would solve my case and might help others who might need to use such an approach.

@AlonShitrit AlonShitrit added priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. labels Dec 5, 2021
@amanda-tarafa
Contributor

This seems to be more of a feature request for the Auth/IAM teams than for the client library side.

This is the endpoint we use on the client library to generate the impersonated access token and, as you can see, it doesn't accept a user for domain-wide delegation.

While this feature is not supported in the backend, there's little we can do client side.

Still, I will confirm with the Auth team and check whether there might be a workaround and get back to you.

@AlonShitrit
Author

Thanks a lot for the prompt response. I'll stay tuned.

@nimoskov

nimoskov commented Dec 6, 2021

@amanda-tarafa We found a way to do it.
Basically, we added to ImpersonatedCredential the ability to sign a JWT through this endpoint and, based on the code in ServiceAccountCredential.cs, we were able to get an access token by creating a signed payload where the issuer is the impersonated service account.

If there's a way you can support this in the client library we will really appreciate it
Thanks :)

@amanda-tarafa
Contributor

That is very similar to (or the same as) the workaround described by the Auth team. Basically, you follow the steps in Preparing to make an authorized API call -> HTTP/Rest, making sure to add the user email you want to do domain-wide delegation for as the subject (sub) and signing the payload with the IAM API serviceAccounts.signJwt endpoint.

We don't have it in the roadmap to add this feature anytime soon, as we have other more pressing features that have no workaround that we need to work on. But I'll move this issue to the backlog so that we keep track of it. Sorry for this not being the response you want to hear right now.
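The workaround the thread converges on (build the service-account JWT as S2 with `sub` set to the Workspace user, have IAM Credentials `serviceAccounts.signJwt` sign it, then exchange the assertion at the OAuth token endpoint), as an added example that is not code from this issue or from the client library: a Python sketch of the two requests with a constructed offline stub standing in for the Google endpoints. The service-account and user addresses, `fake_post` and the `post` callback are assumptions, not part of the original.

```python
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
IAM_CREDS = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_delegation_claims(impersonated_sa, subject, scopes, now, lifetime=3600):
    """Claims for the self-signed JWT flow, issued as S2 (iss) on behalf of a
    Workspace user (sub). Without 'sub' this is a plain service-account token."""
    return {"iss": impersonated_sa, "sub": subject, "scope": " ".join(scopes),
            "aud": TOKEN_URI, "iat": now, "exp": now + lifetime}


def sign_jwt_request(impersonated_sa, claims):
    """URL and body for IAM Credentials serviceAccounts.signJwt. The call is
    authorised with S1's own token, so S1 needs Service Account Token Creator on S2.
    Review point: that role on a DWD-enabled account lets the holder pick any 'sub',
    i.e. act as any user in the domain; audit who holds it as you would a domain admin."""
    return f"{IAM_CREDS}/{impersonated_sa}:signJwt", {"payload": json.dumps(claims)}


def token_exchange_request(signed_jwt):
    """URL and form body that trade the signed assertion for an access token."""
    return TOKEN_URI, {"grant_type": JWT_BEARER, "assertion": signed_jwt}


def delegated_access_token(impersonated_sa, subject, scopes, post, now=None):
    """Run both steps. 'post(url, body) -> dict' is whatever HTTP client the
    caller already has, carrying S1's credential (assumed callback)."""
    now = int(time.time()) if now is None else now
    claims = build_delegation_claims(impersonated_sa, subject, scopes, now)
    signed = post(*sign_jwt_request(impersonated_sa, claims))["signedJwt"]
    return post(*token_exchange_request(signed))["access_token"]


def fake_post(url, body):
    """Constructed offline stand-in for the two Google endpoints (demo only)."""
    if url.endswith(":signJwt"):
        return {"keyId": "constructed-key", "signedJwt": "hdr." + body["payload"] + ".sig"}
    assert body["grant_type"] == JWT_BEARER and body["assertion"].startswith("hdr.")
    return {"access_token": "ya29.constructed", "expires_in": 3600}


if __name__ == "__main__":
    print(delegated_access_token("s2@example-project.iam.gserviceaccount.com",
                                 "alice@example.com",
                                 ["https://www.googleapis.com/auth/admin.directory.user.readonly"],
                                 fake_post, now=1_638_700_000))
```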
