Domain Wide Delegation tokens without a key file on GCP

[iamacarpet]

Is your feature request related to a problem? Please describe.
We had a requirement to use the AdWords API from an application running on App Engine, but all the authentication methods described in the library require either manually generating a client ID and a refresh token for a user, or using DWD, but the latter is only supported with a JSON key file.

This kind of goes against the grain with the convention on GCP of using credentials provided by the environment, in the form of the default service account, accessible from the metadata server with additional signing capability via the Service Account Credentials API.

Looking at this library, which is what AdWords is using for the underlying authentication (and we are also using in a lot of other places, with being on App Engine & GCP, namely the google-cloud-php library), it seems they couldn't implement it any other way, as there is a lack of functionality for doing DWD with the GCECredentials provider.

Describe the solution you'd like
The ability to use the GCECredentials class for DWD tokens, using the metadata server provided service account.

This would be useful from not just App Engine, but also Cloud Run, Cloud Functions, GKE with Workload Identity & GCE.

It would mean not needing to deploy credentials along with our applications, which regardless of KMS encryption for Cloud Build, still isn't an ideal solution.

Describe alternatives you've considered
We've already implemented our own version of this, by extending the OAuth2 class in this library, see here.

It would be nice to get something integrated & supported natively in this library.

[nchicong]

+1