Status Planned
Created by Guest
Created on Aug 22, 2024

Support Google IdP for OIDC Workforce Federation

Atlas supports federated login with external Identity Providers via OIDC (https://www.mongodb.com/docs/atlas/workforce-oidc/) for authenticating human users in tools like mongosh or Mongo Compass. Unfortunately, the OIDC login doesn't work with the GCP IdP: OAuth2 clients in Google IdP always have a client secret (even clients considered as "public"). There is no way to specify the client secret in the Atlas UI in the Workload Federation configuration, and this leads to an "invalid_request (client_secret is missing.)" error returned from the IdP, as it always expects a client secret to be present. Support for an optional client secret in the Atlas Workload Federation configuration will enable the integration with the GCP IdP.
  • Guest
    Aug 20, 2025
    This is critical because of audits
  • Guest
    Aug 6, 2025
    Thank you for the feedback. MongoDB Workforce Identity Federation uses Authorization Code Flow with PKCE (https://datatracker.ietf.org/doc/html/rfc7636), which does not require a client secret. There is a discussion on Google forums about it, yet no action has been taken so far: https://discuss.google.dev/t/authorization-code-flow-without-client-secret/168113/7. In order to help our customers, we plan to introduce an optional client-secret parameter in the OIDC configuration so that you can use Google as a Workforce Federation IdP. We are going to update this feedback item when the work is started.
  • Guest
    May 29, 2025
    For the preparation of auditing, this feature is also important to us. Thank you
  • Guest
    Jan 23, 2025
    +1 I am also currently stuck in the same position and need client secret to be supported. Thanks
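
The mismatch discussed in this thread, as an added example that is not MongoDB's or Google's code: it derives the RFC 7636 S256 challenge and builds the token request a public PKCE client sends, with and without `client_secret`. The client ID, redirect URI, code and secret are constructed placeholders, and sending the secret as a form field is an assumption (an IdP may expect HTTP Basic instead).

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes give a 43-character verifier (allowed range is 43-128)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def token_request_body(code, verifier, client_id, redirect_uri, client_secret=None):
    """Form body for the authorization_code grant at the token endpoint.

    A public client proves possession with code_verifier alone. An IdP that
    treats every client as confidential also insists on client_secret, which
    is the "invalid_request (client_secret is missing.)" case in this thread.
    """
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }
    if client_secret is not None:  # optional, only for IdPs that demand it
        params["client_secret"] = client_secret
    return urlencode(params)


if __name__ == "__main__":
    verifier = new_code_verifier()
    print("code_challenge:", s256_challenge(verifier))
    # Constructed placeholder values, not real identifiers.
    common = ("AUTH_CODE_PLACEHOLDER", verifier, "example-client-id",
              "http://localhost:27097/redirect")
    print("PKCE only  :", sorted(parse_qs(token_request_body(*common))))
    print("with secret:", sorted(parse_qs(
        token_request_body(*common, client_secret="SECRET_PLACEHOLDER"))))
```

A secret shipped inside a desktop or CLI tool cannot be kept confidential, so the PKCE verifier remains the actual proof that the caller started the flow.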