Enabling IAP with Gateway resources

With the new Gateway resource, is IAP still configured the same way, using BackendConfig, or has this changed?

I'm using the new Kubernetes Gateway resource to create an external load balancer to expose services.
https://cloud.google.com/kubernetes-engine/docs/how-to/gatewayclass-capabilities#gateway

I use a GKE BackendConfig to enable IAP. This doesn't appear to properly enable IAP on the backend service that gets created.

The Gateway resource shows the error:

Warning SYNC 28s sc-gateway-controller error ensuring load balancer: generic::invalid_argument: Update: Invalid value for field 'resource.iap.oauth2ClientId': ''. IAP OAuth2 client ID must be set if IAP is enabled.

However, my BackendConfig resource correctly sets the OAuth2 credentials secret (see below).

When I go to the IAP UI, I see an error that the OAuth client ID is not set, telling me to re-enable IAP. When I re-enable IAP on the backend service via the UI, it is turned on and everything works correctly. The only place I specified the OAuth2 config is in the BackendConfig, so it does appear to be getting the OAuth2 credentials from there.

The documentation is unclear about whether this is supported or not. I'm not sure if the "-" for IAP on the capabilities page means IAP doesn't work with the Gateway resource, or that it's not configured by the Gateway resource but via the BackendConfig. I'm assuming the latter.

I'm using the GatewayClass gke-l7-global-external-managed.

Here's the YAML for my GKE BackendConfig:

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: mesh
spec:
  healthCheck:
    type: HTTP
    requestPath: /healthz/ready
    port: 15021
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-oauth


Hello jlewi,

Welcome to Google Cloud Community!

You may use these documents for Enabling IAP in GKE and Configuring BackendConfig.

I'm following those docs. I'm setting my BackendConfig as provided in my original post, but the gateway controller is giving me an error and not turning on IAP unless I toggle it off and on.

IAP is not currently supported by Gateway, but we will be releasing support soon!

Couldn't find any issue around this, but I created https://issuetracker.google.com/issues/286372106, sadly after I saw garisingh's comment that it's coming.

Oh well, hopefully people will be able to find this post through there if nothing else.

Thanks @rueth - is there a way to apply IAP to only a path?

I have two paths that go to the same backend service, /api and /console, and I want to put only /console behind IAP.

Thanks

What I have done for now is to define two Services and apply IAP to one of them. The Services target the same pods, but the IAP one is matched to all the paths that need IAP.
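The split described in the reply above, written out as an added example that is not from the original thread or from Google's documentation. The Service names (console-iap, api-public), the pod selector (app: mesh-app), the container port (8080), the Gateway name (external-gateway), the HTTPRoute name and the secret keys are all assumptions for illustration; the BackendConfig name (mesh), the secret name (iap-oauth) and the GatewayClass come from the original post. IAP is enforced per backend service, and each Service becomes its own backend service, so a path is protected only when every route rule for it points at the IAP-backed Service and nothing else routes that path to the public one:

```yaml
# Constructed example: two Services over the same pods, one of them IAP-protected.
# The OAuth client credentials secret is assumed to be created out of band, e.g.
#   kubectl create secret generic iap-oauth \
#     --from-literal=client_id=<oauth-client-id> \
#     --from-literal=client_secret=<oauth-client-secret>
---
# Service for the path that must sit behind IAP (assumed name).
# The annotation binds the "mesh" BackendConfig from the original post,
# which carries iap.enabled: true and secretName: iap-oauth.
apiVersion: v1
kind: Service
metadata:
  name: console-iap
  annotations:
    cloud.google.com/backend-config: '{"default": "mesh"}'
spec:
  selector:
    app: mesh-app          # assumed pod label; both Services select the same pods
  ports:
  - name: http
    port: 8080
    targetPort: 8080
---
# Service for the public path: same pods, no BackendConfig, so no IAP.
apiVersion: v1
kind: Service
metadata:
  name: api-public
spec:
  selector:
    app: mesh-app
  ports:
  - name: http
    port: 8080
    targetPort: 8080
---
# External Gateway using the GatewayClass named in the original post (assumed Gateway name).
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: external-gateway
spec:
  gatewayClassName: gke-l7-global-external-managed
  listeners:
  - name: http
    protocol: HTTP
    port: 80
---
# Route /console only to the IAP-backed Service and /api only to the public one.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: mesh-route
spec:
  parentRefs:
  - name: external-gateway
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /console
    backendRefs:
    - name: console-iap
      port: 8080
  - matches:
    - path:
        type: PathPrefix
        value: /api
    backendRefs:
    - name: api-public
      port: 8080
```

Check the result by confirming that two distinct backend services were created for the Gateway and that IAP shows as enabled only on the one behind /console; as the earlier posts in this thread report, the gateway controller did not enable IAP from the BackendConfig on its own at the time, so the same manual toggle in the IAP UI may still be needed for that backend service.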
