Hi @infosecreg, welcome to the community and to OpenZiti and thanks for reaching out!
I'm sorry you spent days on this. I've also spent a bunch of time on it in the past. I'm currently working through adding IdP-related walkthroughs for different IdPs and hit similar snags with Google. If you're interested, I could bore you with the details, but the short answer is that with the release last week of the OpenZiti 1.4.x stream, we have added functionality that we believe will work with Google. Specifically, the ability to choose which token from the IdP OpenZiti will use for authentication.
We are in the midst of rolling out changes to the ZAC to enable this functionality and I believe BrowZer is in the process of being modified to adapt to this as well. I believe we are going to drive the IdP information via the OpenZiti Controller's ext-jwt-signer, similar to what we are doing for the tunnelers. @curt can keep me honest here, but I think that's the plan still.
When done, the BrowZer configuration section should become a bit easier and we'll make sure to verify using Google as well. This came up on a different post not long back here: "ZDEW and Google OIDC". A relatively quick and painless way around this is to federate to Google either through someone like Auth0, Keycloak, Zitadel, etc. If you're just testing things out, that might keep you moving along while we get the pieces in place for directly using Google.
Hopefully that helps, but if not let us know. Cheers