Add support for GSuite SSO Groups membership

[klizhentas]

Description

Currently GSuite SSO is supported via standard OIDC SSO flow, but groups membership is not exposed via claims. Fix this by adding support.

No special resource type is required, here is how OIDC resource with extra claims
looks like:

kind: oidc
version: v2
metadata:
  name: gsuite
spec:
  redirect_url: https://localhost:3080/v1/webapi/oidc/callback
  client_id: exampleclientid11234.apps.googleusercontent.com
  client_secret: examplesecret
  issuer_url: https://accounts.google.com
  scope: ['https://www.googleapis.com/auth/admin.directory.group.readonly', 'openid', 'email']  
  claims_to_roles:
    - {claim: "groups", value: "[email protected]", roles: ["clusteradmin"]}

IMPORTANT: the groups will be fetched only if admins include special auth scope https://www.googleapis.com/auth/admin.directory.group.readonly in the scopes of the connector as shown in the example above.

Additional setup steps

• Set up OIDC client as described here

• Redirect URL Domain has to be verified in the list of verified domains in the project API page.

• Admin Directory API has to be turned on. Enable it by visiting https://console.developers.google.com/apis/api/admin.googleapis.com/overview then retry.

[kontsevoy]

@klizhentas the scope seems to be a constant, no? People will reasonably ask what else can be put there

[kontsevoy]

nevermind

[klizhentas]

converted this to doc ticket

[aberoham]

@klizhentas Do all Teleport users within the given Google organization need to have permissions on https://www.googleapis.com/auth/admin.directory.group.readonly? Or just the OAuth Client ID/service account?

[kontsevoy]

@klizhentas see above. I will need this for the docs too.

[benarent]

Closing issue as added in #2787