My specific issue: I'm trying to authenticate to Google Artifact Registry (GAR) directly using Workload Identity Federation without an intermediary service account (which I'm aware is one of the few options presently available). The Google documentation for Workload Identity Federation recommends the direct federation approach, but GAR seems to specifically require OAuth 2.0 access tokens for authentication. I'm well aware that using a Service Account along along with the Workload Identity Provider fixes this issue. I'm simply interested in exploring an alternative solution that relies solely on Federated auth tokens.

What I've already tried:
1. Instead of providing an OAuth 2.0 Access Token, I've tried configuring the gcloud CLI credential helper after setting up the Workload Identity Federation. It didn't help. When I tried pushing a built Docker container image to GAR, I've received this error:

```

ERROR: failed to solve: failed to push <region/location>-docker.pkg.dev/<project_id>/<ar_repo>/<image_name>:v1: failed to authorize: failed to fetch oauth token: unexpected status from GET request to <valid_address> 403 Forbidden

```

Even though I hadn't provided/mentioned an OAuth Access Token.

2. I've done the same but with the Standalone Docker credential helper. I've received the exact same error, without referencing/providing an OAuth Access Token anywhere.

Error messages:

```

ERROR: failed to solve: failed to push <region/location>-docker.pkg.dev/<project_id>/<ar_repo>/<image_name>:v1: failed to authorize: failed to fetch oauth token: unexpected status from GET request to <valid_address> 403 Forbidden

```

Detailed Questions: 

1. Is it possible to authenticate to Google Artifact Registry using direct Workload Identity Federation without a service account?
2. Does GAR specifically require OAuth 2.0 access tokens rather than the federated token format?
3. If direct authentication isn't supported, could this be considered for a feature enhancement, since the official documentation recommends direct federation?

Assuming I'm correct in thinking that it is an actual limitation of GAR, I think it would be a good idea to address it by adding the option to use Federated auth tokens. However, if I'm mistaken, I'd greatly appreciate your help.