feat: add ID Token sign in with Google SDK #3515

Merged (5 commits) on Sep 19, 2023

jonas-jonas (Member) commented Sep 15, 2023

This PR adds support for social sign in via Google using an ID token instead of the browser-based OIDC flows. This allows integration of the SDK for Google sign in on Android & iOS.

Related issue(s)

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

@jonas-jonas jonas-jonas self-assigned this Sep 15, 2023

codecov bot commented Sep 15, 2023

Codecov Report

Merging #3515 (98958e0) into master (dd5a9f3) will decrease coverage by 0.01%.
Report is 5 commits behind head on master.
The diff coverage is 68.18%.

❗ Current head 98958e0 differs from pull request most recent head e418cbe. Consider uploading reports for the commit e418cbe to get more accurate results

@@            Coverage Diff             @@
##           master    #3515      +/-   ##
==========================================
- Coverage   78.41%   78.40%   -0.01%     
==========================================
  Files         340      340              
  Lines       22533    22533              
==========================================
- Hits        17669    17667       -2     
- Misses       3556     3557       +1     
- Partials     1308     1309       +1     
Files Changed Coverage Δ
driver/config/config.go 83.66% <0.00%> (ø)
driver/registry.go 40.62% <ø> (ø)
driver/registry_default.go 87.19% <ø> (ø)
session/session.go 78.90% <ø> (ø)
selfservice/strategy/password/registration.go 67.74% <50.00%> (ø)
session/handler.go 68.60% <66.66%> (ø)
selfservice/strategy/password/settings.go 73.13% <71.42%> (ø)
selfservice/strategy/oidc/provider_google.go 86.66% <73.33%> (ø)
persistence/sql/persister.go 69.89% <77.77%> (ø)
selfservice/strategy/oidc/provider_apple.go 37.93% <80.00%> (ø)
... and 1 more

... and 1 file with indirect coverage changes

var _ NonceValidationSkipper = new(ProviderGoogle)

func (a *ProviderGoogle) CanSkipNonce(c *Claims) bool {
return true // TODO!!
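
Review bot: `CanSkipNonce` ignores its `c *Claims` argument and returns `true` unconditionally (the `return true // TODO!!` line), so nonce validation would be skipped for Google even when the ID token does carry a nonce. Suggest returning true only when the claims contain no nonce, resolving the TODO before merge, and adding a doc comment on the method that states why a missing nonce is tolerated for this provider.
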
Member Author

This will cause Ory to only validate nonces for Google if the ID Token from Google contains a nonce.

Since the SDKs I saw don't support setting nonces, this is the best solution I can come up with, without excluding a bunch of SDKs here.

Member

Ok this is fine for me. Please document this as a caveat though when writing docs for this!

Member Author

I adjusted it to only return true if no nonce is present in the claims.
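
The nonce policy discussed in this review thread, as an added Go example that is not part of the PR or of Ory Kratos: it contrasts the unconditional `return true` with skipping only when the token carries no nonce. The `Claims.Nonce` field, the three provider types and `checkNonce` are hypothetical; only the names `Claims`, `NonceValidationSkipper` and `CanSkipNonce` appear on the page.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Claims is a stand-in for ID token claims; the Nonce field is an assumption.
type Claims struct{ Nonce string }

// NonceValidationSkipper reuses the interface name from the PR (sketch only).
type NonceValidationSkipper interface{ CanSkipNonce(c *Claims) bool }

// alwaysSkip models the first revision: return true unconditionally.
type alwaysSkip struct{}
func (alwaysSkip) CanSkipNonce(*Claims) bool { return true }

// skipIfAbsent models the adjusted revision: skip only when no nonce is present.
type skipIfAbsent struct{}
func (skipIfAbsent) CanSkipNonce(c *Claims) bool { return c.Nonce == "" }

// strict does not implement the skipper, so a nonce is always required.
type strict struct{}

var (
	ErrNonceMissing  = errors.New("id token carries no nonce")
	ErrNonceMismatch = errors.New("id token nonce does not match supplied nonce")
)

// checkNonce honours a provider's opt-out, otherwise requires a constant-time match.
func checkNonce(provider interface{}, c *Claims, supplied string) error {
	if s, ok := provider.(NonceValidationSkipper); ok && s.CanSkipNonce(c) {
		return nil
	}
	if c.Nonce == "" {
		return ErrNonceMissing
	}
	if subtle.ConstantTimeCompare([]byte(c.Nonce), []byte(supplied)) != 1 {
		return ErrNonceMismatch
	}
	return nil
}

func main() {
	tok := &Claims{Nonce: "constructed-nonce"} // constructed sample value
	fmt.Println("always skip, wrong nonce:", checkNonce(alwaysSkip{}, tok, "other"))
	fmt.Println("skip if absent, wrong nonce:", checkNonce(skipIfAbsent{}, tok, "other"))
	fmt.Println("strict, no nonce:", checkNonce(strict{}, &Claims{}, ""))
}
```

With the unconditional skip, a token whose nonce does not match the supplied value is still accepted; with the adjusted rule the same token is rejected, and only a token with no nonce at all passes unchecked.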

Member

@aeneasr aeneasr left a comment

One issue with the HTTP client (it is not using the SSRF protected HTTP client). Otherwise LGTM

selfservice/strategy/oidc/provider_google.go (outdated)
@jonas-jonas jonas-jonas marked this pull request as ready for review September 18, 2023 09:07
@aeneasr aeneasr self-requested a review September 18, 2023 09:38
@jonas-jonas
Member Author

Docs PR: ory/docs#1540

@aeneasr aeneasr merged commit 055ed92 into master Sep 19, 2023
26 checks passed
@aeneasr aeneasr deleted the jonas-jonas/supportGoogleIDToken branch September 19, 2023 05:53