Google Cloud integration: support WLIF custom audience
🔥 Problem
In the Google Cloud Workload Identity Federation, identity providers can be configured to accept a specific audience on the tokens they receive.
By default, the accepted audience is the full resource name of the identity provider (with or without the https prefix).
However, users can set a list of custom audiences, meaning that the identity provider can be configured to accept specific custom strings instead.
We don't currently support identity provider custom audiences.
🚒 Solution
Have an additional field in the WLIF integration. This field should be a string and is optional.
When set, the tokens presented to the Secure Token Service (for the token exchange) must have their aud claim set to that value.
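Added example (not part of this proposal or the project's code) showing how the optional field changes the audience check: which aud values a provider accepts, a check of a token's aud claim against them, and the STS exchange form, where the audience parameter stays the provider resource name regardless of the custom audience. The project number, pool and provider ids, and the claims dict are constructed placeholders.

```python
STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"


def provider_resource_name(project_number: str, pool_id: str, provider_id: str) -> str:
    # Full resource name of a workload identity pool provider, without a scheme.
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def accepted_audiences(project_number, pool_id, provider_id, custom_audience=None):
    # No custom audience: the provider resource name, with or without https.
    # Custom audience set (the new optional field): only that exact string.
    if custom_audience:
        return [custom_audience]
    name = provider_resource_name(project_number, pool_id, provider_id)
    return [name, "https:" + name]


def aud_claim_values(aud):
    # RFC 7519 allows aud to be a single string or an array of strings.
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud claim must be a string or a list of strings")


def token_audience_accepted(claims: dict, accepted: list) -> bool:
    # A token with no aud claim is rejected; otherwise any aud value must match.
    if "aud" not in claims:
        return False
    return any(a in accepted for a in aud_claim_values(claims["aud"]))


def sts_exchange_form(provider_name: str, subject_token: str) -> dict:
    # Form body for POST STS_TOKEN_URL. The `audience` parameter is the provider
    # resource name; the custom audience only governs the aud claim in subject_token.
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": provider_name,
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "subject_token": subject_token,
    }


# Constructed sample: provider with a custom audience, and a token whose aud matches it.
SAMPLE_ACCEPTED = accepted_audiences("123456789012", "ci-pool", "ci-provider", "ci-custom-aud")
SAMPLE_CLAIMS = {"iss": "https://issuer.example", "sub": "job-42", "aud": "ci-custom-aud"}
```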