
Support Google Workload Identity Federation for multi-cloud #4688

@sergiocharpineljr

Description


Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

As of now Dex only supports Google Workload Identity Federation through Application Default Credentials for servers running in GCP. Otherwise a Service Account key is needed, which is not a good security practice.

If you try to use it for services running in another Cloud (e.g. AWS), you get the following error:

failed to initialize server: server: Failed to open connector google: failed to open connector: failed to create connector google: could not create directory service: unable to parse client secret file to config: google: read JWT from JSON credentials: 'type' field is "external_account" (expected "service_account")

Steps:

  1. Create the workload identity federation credential file using:
    gcloud iam workload-identity-pools create-cred-config \
        <identity-provider-path> \
        --service-account="<sa>" \
        --aws \
        --output-file=gcp-credentials.json
  2. Mount this file in Dex container
  3. Set GOOGLE_APPLICATION_CREDENTIALS to point to the mounted file.

Proposed Solution

https://pkg.go.dev/golang.org/x/oauth2/google already supports Workload Identity Federation for non-Google Cloud platforms.

At first glance it looks like Dex is assuming only Service Account keys should be provided to ADC, by using google.JWTConfigFromJSON.

The Credentials.TokenSource returned by FindDefaultCredentials could be used for authentication.

Alternatives Considered

No response

Additional Information

I'm new to Dex but I'm willing to support it if the maintainers want to have it.
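The distinction the issue turns on is the "type" field of the credentials file: google.JWTConfigFromJSON only accepts "service_account" files (which embed a long-lived private key), while FindDefaultCredentials also accepts the "external_account" config that create-cred-config writes. The following is an added example, not Dex or oauth2 library code: a standard-library-only check that classifies a GOOGLE_APPLICATION_CREDENTIALS file and reports whether it carries a long-lived key and which loading path accepts it. The two sample files are constructed with placeholder project, pool and account names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// CredentialKind summarises a credentials file the way the oauth2/google loaders see it.
type CredentialKind struct {
	Type         string // value of the "type" field
	LongLivedKey bool   // a private key is embedded: a downloadable service account key
	JWTConfigOK  bool   // google.JWTConfigFromJSON accepts this file
	ADCOK        bool   // google.FindDefaultCredentials accepts this file
}

// classifyCredentials reads the "type" field that the oauth2 library switches on
// and reports which loading path accepts the file (hypothetical helper, not in Dex).
func classifyCredentials(data []byte) (CredentialKind, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(data, &raw); err != nil {
		return CredentialKind{}, fmt.Errorf("invalid credentials JSON: %w", err)
	}
	var typ string
	if err := json.Unmarshal(raw["type"], &typ); err != nil {
		return CredentialKind{}, fmt.Errorf("missing or invalid \"type\" field: %w", err)
	}
	_, hasKey := raw["private_key"]
	switch typ {
	case "service_account": // the only shape JWTConfigFromJSON accepts
		return CredentialKind{Type: typ, LongLivedKey: hasKey, JWTConfigOK: true, ADCOK: true}, nil
	case "external_account": // WIF config: no secret, just a pointer to the AWS credential source
		return CredentialKind{Type: typ, LongLivedKey: false, JWTConfigOK: false, ADCOK: true}, nil
	}
	return CredentialKind{}, fmt.Errorf("unsupported credential type %q", typ)
}

// Constructed samples: a WIF config in the shape `gcloud ... create-cred-config --aws`
// writes (placeholder names), and a service account key file with the key redacted.
const wifConfig = `{"type":"external_account","audience":"//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/aws","subject_token_type":"urn:ietf:params:aws:token-type:aws4_request","service_account_impersonation_url":"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SA@PROJECT.iam.gserviceaccount.com:generateAccessToken","token_url":"https://sts.googleapis.com/v1/token","credential_source":{"environment_id":"aws1","region_url":"http://169.254.169.254/latest/meta-data/placement/availability-zone","url":"http://169.254.169.254/latest/meta-data/iam/security-credentials","regional_cred_verification_url":"https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"}}`

const saKey = `{"type":"service_account","project_id":"PROJECT","private_key_id":"KEYID","private_key":"-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n","client_email":"SA@PROJECT.iam.gserviceaccount.com"}`

func main() {
	for _, f := range []string{wifConfig, saKey} {
		k, err := classifyCredentials([]byte(f))
		fmt.Printf("%+v err=%v\n", k, err)
	}
}
```

For the WIF config the check reports JWTConfigOK=false and ADCOK=true, which is exactly the failure quoted in the issue: a connector that loads through JWTConfigFromJSON rejects the file, while one that goes through FindDefaultCredentials would accept it without any long-lived key on disk.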
