
connector: add gcloud-iap connector for Google Cloud IAP#4751

Open
alessandro-verzicco wants to merge 1 commit into dexidp:master from alessandro-verzicco:feat/gcloud-iap-connector

Conversation

@alessandro-verzicco

@alessandro-verzicco alessandro-verzicco commented Apr 17, 2026

Summary

Adds a new gcloud-iap connector that validates Google Cloud Identity-Aware Proxy (IAP) JWTs and optionally resolves Google Workspace group membership.

What it does

  • Cryptographic JWT verification — validates the ES256 X-Goog-IAP-JWT-Assertion header against Google's public JWKS, checking issuer, audience, and expiry.
  • Identity extraction — maps the verified JWT claims (sub, email) to a Dex identity.
  • Optional group resolution — fetches Google Workspace group membership via the Admin Directory API using workload identity (Application Default Credentials). No domain-wide delegation required — only the Groups Reader admin role.
  • Glob-based group filtering — supports patterns like *@example.com, platform-*@example.com, or exact matches. Case-insensitive. Multiple patterns are OR-ed.
  • Transitive group membership — optionally resolves nested groups recursively.
  • Single-domain and multi-domain — supports both domain and customerID scoping.

Files changed

  • connector/gcloudiap/gcloudiap.go — connector implementation
  • connector/gcloudiap/gcloudiap_test.go — unit tests
  • server/server.go — register gcloud-iap type in ConnectorsConfig
  • docs/connectors/gcloud-iap.md — documentation

How to test

  1. Deploy Dex behind a Google Cloud IAP-protected load balancer.
  2. Configure the connector with the backend service audience string.
  3. Optionally enable group resolution by setting groupsFilter and domain/customerID.
Unit tests cover JWT verification (valid, expired, wrong audience, missing header), config validation, glob filtering logic, and URL construction.

Refs #4567

Add a new connector that validates Google Cloud Identity-Aware Proxy (IAP)
ES256 JWTs from the X-Goog-IAP-JWT-Assertion header. The connector:
- Cryptographically verifies the IAP JWT signature via Google's public JWKS
- Extracts user identity (email, subject) from verified JWT claims
- Optionally resolves Google Workspace group membership via the Admin
  Directory API using workload identity (no domain-wide delegation required)
- Supports glob-based group filtering with case-insensitive matching
- Supports transitive (nested) group membership resolution
- Works with both single-domain (domain) and multi-domain (customerID) setups
Refs dexidp#4567

Signed-off-by: Alessandro Verzicco <alessandro.verzicco@truecaller.com>
@nabokihms
Member

Hello, thank you for opening the PR. We are currently not accepting new connectors to upstream - we are figuring out the way to implement external connectors #4578
