I was wondering if it is somehow possible to map group memberships Google hosted domains into Keycloak (e.g. as roles into an idtoken)?

This would be great since we already have been using groups in Google to perform authorization in some apps so I know how to get them from the Google API. I am already using the social provider for authentication so I was wondering what SPI implementation or configuration/customization I'd need to do in order to get this done.
Any pointers were to start would be very helpful. I am building Keycloak from github "master".

Thanks

Thorsten