
google.FindDefaultCredentialsWithParams silently ignores unsupported parameters. #624

Open
kramarz opened this issue Jan 27, 2023 · 0 comments

kramarz commented Jan 27, 2023

The issue is that when I want to use domain-wide delegation with a GCP service account I need to use

// Subject is the Workspace user to act as through domain-wide delegation.
credentials, err := google.FindDefaultCredentialsWithParams(ctx, google.CredentialsParams{
	Subject: "user-to-impersonate@my-domain.com",
	Scopes:  []string{"https://www.googleapis.com/auth/calendar"},
})

Then I can use my credentials to call the Calendar API as the impersonated user. This code works fine if I use credentials stored in a private key, but if I try to run it in App Engine, Cloud Run, a GCE VM etc., the Subject field is silently ignored, which leads to some hard-to-diagnose errors, e.g. "Error : invalid conference type value while creating event with google meet link" (As explained here, this is because the account to impersonate is not provided: https://issuetracker.google.com/issues/187572926#comment4)

It would be a much better experience, saving hours of troubleshooting, if creating credentials returned an error when an unsupported parameter is provided here: https://cs.opensource.google/go/x/oauth2/+/master:google/default.go;l=114;drc=e07593a4c41a489556d019d1ad4d82e9ee66b4a7;bpv=0;bpt=1

Something like this would be great:

if metadata.OnGCE() {
    id, _ := metadata.ProjectID()
    // Compute credentials come from the metadata server and cannot act as
    // another user, so refuse Subject instead of dropping it silently.
    if params.Subject != "" {
        return nil, errors.New("google: Can't use Subject param with GCE credentials")
    }
    return &DefaultCredentials{
        ProjectID:   id,
        TokenSource: ComputeTokenSource("", params.Scopes...),
    }, nil
}

Note that I am requesting to just fail explicitly when trying to use unsupported features. To actually get domain delegation working for this kind of credentials I just used a custom TokenSource created by modifying jwt.go to use the signJWT endpoint instead of signing it locally: https://gist.github.com/kramarz/6d132c34372614570fd5808335ba4a9c
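The fail-fast behaviour requested above, as an added stand-alone example (not code from the x/oauth2 project or the issue author): it classifies the credential source the way default.go's lookup order does (a JSON key first, then the metadata server) and rejects Subject for any kind other than a service-account key. The `credParams`, `credentialKind`, `classifyCredential` and `checkParams` names are this example's own; treating every non-service_account JSON type as unable to honour Subject is an assumption, not something the issue states.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// credParams mirrors the google.CredentialsParams field the check needs (example type, not the library's).
type credParams struct{ Subject string }

// credentialKind classifies where the default credential came from.
type credentialKind string

const (
	kindServiceAccountKey credentialKind = "service_account" // JSON key with a private key: honours Subject
	kindCompute           credentialKind = "compute"         // metadata server on GCE, Cloud Run, App Engine
	kindOtherJSON         credentialKind = "other_json"      // authorized_user, external_account, ...: Subject ignored (assumption)
)

// classifyCredential looks at the credential JSON (if any) and the on-GCE flag in default.go's order: key first, then metadata.
func classifyCredential(jsonKey []byte, onGCE bool) (credentialKind, error) {
	if len(jsonKey) > 0 {
		var f struct{ Type string `json:"type"` }
		if err := json.Unmarshal(jsonKey, &f); err != nil {
			return "", fmt.Errorf("google: invalid credentials JSON: %w", err)
		}
		if f.Type == "service_account" {
			return kindServiceAccountKey, nil
		}
		return kindOtherJSON, nil
	}
	if onGCE {
		return kindCompute, nil
	}
	return "", fmt.Errorf("google: could not find default credentials")
}

// checkParams is the explicit failure the issue asks for: a Subject the credential kind cannot honour is an error.
func checkParams(kind credentialKind, p credParams) error {
	if p.Subject != "" && kind != kindServiceAccountKey {
		return fmt.Errorf("google: Subject %q is not supported with %s credentials", p.Subject, kind)
	}
	return nil
}

func main() {
	// Constructed inputs: no key file, running on GCE, caller asks for delegation; this prints the error.
	kind, _ := classifyCredential(nil, true)
	fmt.Println(checkParams(kind, credParams{Subject: "user-to-impersonate@my-domain.com"}))
}
```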
