Google sign in - restrict login inside a domain


I am able to authenticate users to my app using Google sign-in, and I can also identify the domain they are part of using the scopes openid email profile on my login request.

But I need to authorize different users within a domain to only access some places and not others, or none at all, and allow my clients, from their Google admin console, to set which users get what permissions.

My first thought was to use Google Groups and use the Google Directory API to retrieve the groups a user belongs to, but it turns out that only admin users can use most of the Google APIs, and I cannot expect my clients to make all users admins.

So the question comes: is there a way to get a non-admin user's membership in a group (or groups)? Or some way to tag Google users in a way that I can read the tags on login, like an LDAP?

I also considered the case for service accounts, but I cannot find much information on them, and it would also require all my clients to create such an account with the correct permissions in their domains and give me the credentials, which sounds quite complicated for clients to do.

John Hanley

Your question is not clear on what you are trying to control access to. In general, use Google for authentication and implement your own backend logic to handle authorization. You can then implement fine-grained control over what resources a user can access.

Google is an OAuth/OIDC identity provider. With OAuth, typically you control authorization via OAuth scopes. However, you cannot create or add your own custom scopes to Google OAuth servers. If you want to give different users different permissions, you must implement that in your application's logic, which is typically stored in a database.

Regarding your comment about service accounts: do not provide users with service accounts. Once a user is authenticated and authorized, your backend logic will make Google Cloud requests on behalf of the user. Do not allow the user to directly access Google Cloud unless you control and secure the user and their environment.
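The pattern the answer recommends, sketched as an added example that is not code from the question, the answer, or Google: Google's ID token establishes who the user is (email, and the `hd` hosted-domain claim for Workspace accounts), and the application keeps its own per-tenant role table that decides what that user may reach. The example assumes the token's signature, audience and expiry have already been verified upstream by your OIDC library; the claim dictionaries, the `example.com` tenant, and the role and resource names are constructed for illustration.

```python
"""Authorization on top of Google sign-in (added example, not the original
post's code). Google authenticates; the app decides access from its own
role assignments keyed by (tenant domain, user email). ID-token verification
is assumed to have happened before claims reach these functions."""
import sqlite3

# Resources the app protects and the app-defined roles allowed to reach them.
RESOURCE_ROLES = {
    "/dashboard": {"admin", "analyst", "viewer"},
    "/reports": {"admin", "analyst"},
    "/settings": {"admin"},
}


def open_db():
    """In-memory stand-in for the app's own database. Rows in `roles` are what a
    customer's administrator assigns through the app, one per (domain, email)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tenants (domain TEXT PRIMARY KEY)")
    db.execute(
        "CREATE TABLE roles (domain TEXT, email TEXT, role TEXT,"
        " PRIMARY KEY (domain, email))"
    )
    # Constructed sample data: one customer domain, two assigned users.
    db.execute("INSERT INTO tenants VALUES (?)", ("example.com",))
    db.executemany(
        "INSERT INTO roles VALUES (?, ?, ?)",
        [
            ("example.com", "alice@example.com", "admin"),
            ("example.com", "bob@example.com", "viewer"),
        ],
    )
    return db


def claims_to_identity(claims):
    """Derive (domain, email) from verified ID-token claims.

    Returns None unless the address is verified, the `hd` claim is present
    (consumer Gmail accounts have none) and the address actually belongs to
    that hosted domain, so a token cannot be used across tenants."""
    if not claims.get("email_verified"):
        return None
    email = claims.get("email", "").lower()
    hd = claims.get("hd")
    if not hd or "@" not in email:
        return None
    if email.rsplit("@", 1)[1] != hd.lower():
        return None
    return hd.lower(), email


def role_for(db, claims):
    """Return the app-assigned role for this user, or None for no access.
    A user with a valid Google login but no assignment gets nothing."""
    ident = claims_to_identity(claims)
    if ident is None:
        return None
    domain, email = ident
    if db.execute("SELECT 1 FROM tenants WHERE domain = ?", (domain,)).fetchone() is None:
        return None  # authenticated by Google, but the domain is not a customer
    row = db.execute(
        "SELECT role FROM roles WHERE domain = ? AND email = ?", (domain, email)
    ).fetchone()
    return row[0] if row else None


def can_access(db, claims, resource):
    """Authorization decision: role must exist and be allowed for the resource."""
    role = role_for(db, claims)
    return role is not None and role in RESOURCE_ROLES.get(resource, set())


if __name__ == "__main__":
    db = open_db()
    alice = {"email": "alice@example.com", "email_verified": True, "hd": "example.com"}
    bob = {"email": "bob@example.com", "email_verified": True, "hd": "example.com"}
    for user in (alice, bob):
        for res in RESOURCE_ROLES:
            print(user["email"], res, "allow" if can_access(db, user, res) else "deny")
```

Group membership is never consulted, which is the point of the answer: the customer's admin manages assignments in your application rather than in the Google admin console, and a valid Google login on its own grants nothing until a row exists for that user.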