From 7d0f00f00d3c19cbfeb8cf1fad91df7f81c58360 Mon Sep 17 00:00:00 2001
From: dumko2001 <dumko.raj@gmail.com>
Date: Wed, 18 Mar 2026 13:42:09 +0530
Subject: [PATCH 1/3] feat(auth): support Domain-Wide Delegation for Service
 Accounts (fixes #528)

---
 src/auth.rs | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/auth.rs b/src/auth.rs
index b602d840..317e29d7 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -200,11 +200,20 @@ async fn get_token_inner(
                 .map(|f| f.to_string_lossy().to_string())
                 .unwrap_or_else(|| "token_cache.json".to_string());
             let sa_cache = token_cache_path.with_file_name(format!("sa_{tc_filename}"));
-            let builder = yup_oauth2::ServiceAccountAuthenticator::builder(key).with_storage(
-                Box::new(crate::token_storage::EncryptedTokenStorage::new(sa_cache)),
-            );
+
+            // Support Domain-Wide Delegation (impersonation)
+            let mut builder = yup_oauth2::ServiceAccountAuthenticator::builder(key);
+            if let Ok(sub) = std::env::var("GOOGLE_WORKSPACE_IMPERSONATE_USER") {
+                if !sub.is_empty() {
+                    tracing::debug!(impersonate = %sub, "Using Domain-Wide Delegation");
+                    builder = builder.subject(sub);
+                }
+            }
 
             let auth = builder
+                .with_storage(Box::new(crate::token_storage::EncryptedTokenStorage::new(
+                    sa_cache,
+                )))
                 .build()
                 .await
                 .context("Failed to build service account authenticator")?;

From 454ad886f0bc22e3111ada0ca77e0de2a405d3f9 Mon Sep 17 00:00:00 2001
From: dumko2001 <dumko.raj@gmail.com>
Date: Wed, 18 Mar 2026 14:54:26 +0530
Subject: [PATCH 2/3] chore: add changeset for user impersonation feature

---
 .changeset/feat-issue-528-impersonation.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .changeset/feat-issue-528-impersonation.md

diff --git a/.changeset/feat-issue-528-impersonation.md b/.changeset/feat-issue-528-impersonation.md
new file mode 100644
index 00000000..47cedef5
--- /dev/null
+++ b/.changeset/feat-issue-528-impersonation.md
@@ -0,0 +1 @@
+---\n"gws": patch\n---\n\nfeat(auth): support Domain-Wide Delegation for Service Accounts

From 535081a07fd6c22b6be8dcb0406e16064d6e4c15 Mon Sep 17 00:00:00 2001
From: dumko2001 <dumko.raj@gmail.com>
Date: Wed, 18 Mar 2026 15:11:42 +0530
Subject: [PATCH 3/3] chore: correct changeset package name

---
 .changeset/feat-issue-528-impersonation.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changeset/feat-issue-528-impersonation.md b/.changeset/feat-issue-528-impersonation.md
index 47cedef5..8133153a 100644
--- a/.changeset/feat-issue-528-impersonation.md
+++ b/.changeset/feat-issue-528-impersonation.md
@@ -1 +1 @@
----\n"gws": patch\n---\n\nfeat(auth): support Domain-Wide Delegation for Service Accounts
+---\n"@googleworkspace/cli": patch\n---\n\nfeat(auth): support Domain-Wide Delegation for Service Accounts