Support Google IdP for OIDC Workforce Federation
Atlas supports federated login with external Identity Providers via OIDC (https://www.mongodb.com/docs/atlas/workforce-oidc/) for authenticating human users in tools like mongosh or Mongo Compass.
Unfortunately, the OIDC login doesn't work with the GCP IdP: OAuth2 clients in Google IdP always have a client secret (even clients considered "public"). There is no way to specify the client secret in the Atlas UI in the Workload Federation configuration, and this leads to an "invalid_request (client_secret is missing.)" error returned from the IdP, as it always expects a client secret to be present.
Support for an optional client secret in the Atlas Workload Federation configuration would enable the integration with the GCP IdP.

-
Samuel commented
This is critical because of audits
-
AdminFuat (Admin, MongoDB) commented
Thank you for the feedback. MongoDB Workforce Identity Federation uses the Authorization Code Flow with PKCE (https://datatracker.ietf.org/doc/html/rfc7636), which does not require a client secret. There is a discussion on the Google forums about it, yet no action has been taken so far: https://discuss.google.dev/t/authorization-code-flow-without-client-secret/168113/7
In order to help our customers, we plan to introduce an optional client-secret parameter in the OIDC configuration so that you can use Google as a Workforce Federation IdP. We are going to update this feedback item when the work is started.
-
Sungje commented
In preparation for auditing, this feature is also important to us. Thank you.
-
Sam commented
+1. I am also currently stuck in the same position and need the client secret to be supported. Thanks.