Description
We are using WIF for authentication of on-prem Windows workloads authenticating through AD. This requires the support of external application credentials, to make use of the Google-provided Workload Authenticator for Windows (wwauth.exe) external application in combination with Integrated Windows Authentication (IWA). Support for this aspect of WIF appears to be missing in google-auth-library-php, and as a result, we cannot leverage WIF with our PHP applications.
Google documentation: https://cloud.google.com/iam/docs/workload-identity-federation-with-active-directory
The crux of the issue is that rather than looking at a JSON file for credentials, the JSON credential config refers to an external application (wwauth.exe) which handles the chained token exchange to obtain short-lived GCP creds.
This functionality is supported in SDKs for C++, Go, Java, Node.js, Python, Terraform, and bq (https://cloud.google.com/iam/docs/workload-identity-federation-with-active-directory#use-credential-configuration), but as best I can tell through experimentation and reviewing the source code, not in google-auth-library-php.
Is this on the roadmap and is there an estimate when this might be available?
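A concrete picture of what the executable-sourced credential flow described above involves, as an added example that is not part of the original issue, of google-auth-library-php, or of wwauth.exe. It follows the executable-sourced credential contract from Google's workload identity federation documentation (the `GOOGLE_EXTERNAL_ACCOUNT_*` environment variables handed to the command, the JSON response with `version`, `success`, `token_type`, `id_token` or `saml_response`, and `expiration_time`, and the `GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES=1` opt-in). The function names, the sample config values (project number, pool, provider, executable path) and the stand-in runner that mimics wwauth.exe's output are constructed for the example and are assumptions, not anything from the issue.

```php
<?php
// Added example, not code from google-auth-library-php or from wwauth.exe:
// a minimal reader for an executable-sourced external_account credential
// configuration. Function names are hypothetical; the config below and the
// stand-in executable output in the demo are constructed.
declare(strict_types=1);

// Constructed config of the shape the issue describes: credential_source
// points at an executable instead of a token file. PROJECT_NUMBER, POOL_ID,
// PROVIDER_ID and the wwauth.exe path are placeholders.
const SAMPLE_CONFIG = <<<'JSON'
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "executable": {
      "command": "C:\\path\\to\\wwauth.exe",
      "timeout_millis": 5000
    }
  }
}
JSON;

/** Run $command with $env added to the environment; return stdout, throw on timeout or non-zero exit. */
function runCommand(string $command, array $env, int $timeoutMs): string
{
    $proc = proc_open($command, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes, null, array_merge(getenv(), $env));
    if (!is_resource($proc)) {
        throw new RuntimeException("failed to start executable: $command");
    }
    stream_set_blocking($pipes[1], false);
    $out = '';
    $deadline = microtime(true) + $timeoutMs / 1000;
    do {
        $out .= (string) stream_get_contents($pipes[1]);
        $status = proc_get_status($proc);
        if ($status['running']) {
            if (microtime(true) > $deadline) {
                proc_terminate($proc); // never hang the request on a stuck helper
                throw new RuntimeException("executable timed out after {$timeoutMs} ms");
            }
            usleep(50000);
        }
    } while ($status['running']);
    $out .= (string) stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    if ($status['exitcode'] !== 0) {
        throw new RuntimeException("executable exited with code {$status['exitcode']}");
    }
    return $out;
}

/** Validate the executable's JSON response and extract the subject token. */
function parseExecutableResponse(string $json, string $expectedTokenType): string
{
    $resp = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (($resp['version'] ?? null) !== 1 || !array_key_exists('success', $resp)) {
        throw new RuntimeException('executable response must carry version=1 and success');
    }
    if ($resp['success'] !== true) {
        // Failure responses carry code and message; surface them, never fall back silently.
        throw new RuntimeException(sprintf('executable failed: %s %s', $resp['code'] ?? '?', $resp['message'] ?? ''));
    }
    // This example insists the returned token_type matches the config's subject_token_type.
    if (($resp['token_type'] ?? null) !== $expectedTokenType) {
        throw new RuntimeException('token_type does not match subject_token_type in the config');
    }
    if (isset($resp['expiration_time']) && (int) $resp['expiration_time'] <= time()) {
        throw new RuntimeException('executable returned an already-expired subject token');
    }
    $field = $expectedTokenType === 'urn:ietf:params:oauth:token-type:saml2' ? 'saml_response' : 'id_token';
    if (empty($resp[$field]) || !is_string($resp[$field])) {
        throw new RuntimeException("executable response is missing $field");
    }
    return $resp[$field];
}

/** Hypothetical entry point: turn an executable-sourced config into a subject token for the STS exchange. */
function fetchSubjectTokenFromExecutable(array $config, ?callable $runner = null): string
{
    $exe = $config['credential_source']['executable'] ?? null;
    if (($config['type'] ?? '') !== 'external_account' || !is_array($exe) || empty($exe['command'])) {
        throw new RuntimeException('not an executable-sourced external_account config');
    }
    // Opt-in guard: a credential file is data; without it a planted config could run any binary.
    if (getenv('GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES') !== '1') {
        throw new RuntimeException('GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES=1 is required to run credential executables');
    }
    $timeoutMs = (int) ($exe['timeout_millis'] ?? 30000);
    if ($timeoutMs < 5000 || $timeoutMs > 120000) {
        throw new RuntimeException('timeout_millis must be between 5000 and 120000');
    }
    $env = [
        'GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE'    => $config['audience'],
        'GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE'  => $config['subject_token_type'],
        'GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE' => '0',
    ];
    if (!empty($exe['output_file'])) {
        $env['GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE'] = $exe['output_file'];
    }
    $stdout = ($runner ?? 'runCommand')($exe['command'], $env, $timeoutMs);
    return parseExecutableResponse($stdout, $config['subject_token_type']);
}

// Demo with a constructed stand-in for wwauth.exe so the example runs without AD.
putenv('GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES=1');
$config = json_decode(SAMPLE_CONFIG, true, 8, JSON_THROW_ON_ERROR);
$fakeWwauth = fn(string $cmd, array $env, int $timeoutMs): string => json_encode([
    'version' => 1, 'success' => true,
    'token_type' => $env['GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE'],
    'id_token' => 'constructed.placeholder.jwt',
    'expiration_time' => time() + 300,
]);
echo 'subject token: ', fetchSubjectTokenFromExecutable($config, $fakeWwauth), PHP_EOL;
```

The returned subject token is what the library would then post to `token_url` as `subject_token` in the STS token exchange; that exchange, and any service account impersonation after it, is the same as in the file-sourced case and is left out here. The two checks worth keeping in any real implementation are the `GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES` opt-in and the bounded timeout: without the first, anyone who can write the credential config can make the PHP process execute an arbitrary command, and without the second a stuck helper stalls every request that needs a token.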