Documentation / DOCS-16489

Investigate changes in SERVER-82143: Make clientId OIDC IdP configuration field optional

      Original Downstream Change Summary

      This ticket introduces the supportsHumanFlows configuration field to every element in the oidcIdentityProviders setParameter array. supportsHumanFlows is a boolean flag that defaults to true. If it is set to false, the clientId configuration field becomes optional for that identity provider. Consequently, when a driver runs saslStart for MONGODB-OIDC and supplies a principal name, the server's reply may omit clientId if the matched IdP has supportsHumanFlows set to false.

      In practice, this is expected to be used only for machine-flow (workload) IdPs. Such clients should never perform the authorization code flow or the device authorization grant to acquire a token, so setting supportsHumanFlows to false lets them omit clientId entirely when it is not needed.

      Description of Linked Ticket

      Today, the clientId field of the OIDC IdP configuration is mandatory: the server fails to start unless one is supplied for every configured IdP. It is included in the saslStart reply to drivers running that command with MONGODB-OIDC as the authentication mechanism. However, drivers only need this field when the token acquisition flow they run is a human flow such as the authorization code flow or the device authorization grant. Service accounts authenticating with OIDC may not need to register a clientId with the IdP.

      This ticket will introduce a new IdP configuration field, supportsHumanFlows, that defaults to true. When it is set to false, clientId becomes optional and the server will not supply it in the saslStart reply to clients authenticating with MONGODB-OIDC.
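      The following Python is an added illustration of the behaviour described in both sections above (the change summary and the linked SERVER-82143 description); it is not MongoDB's server or driver code and is not part of this ticket. Only clientId and supportsHumanFlows come from the ticket text. The other IdP fields used here (issuer, matchPattern, requestScopes), the matching rule (first entry whose matchPattern matches the principal name), and the shape of the saslStart reply payload are assumptions made for the example. It models the relaxed startup check, the reply that omits clientId for a workload IdP, and the driver-side caveat that a human flow cannot proceed without one.

```python
"""Added example modelling SERVER-82143; not MongoDB's own code.

Assumed for this example (not from the ticket): issuer is always required,
matchPattern is a regex tested against the principal name, requestScopes is
echoed into the reply, and the reply payload is {"issuer", "clientId"?, ...}.
"""
import re


class ConfigError(ValueError):
    """An oidcIdentityProviders entry the server should refuse to start with."""


def validate_idp_config(idps):
    """Startup check: clientId is required unless supportsHumanFlows is false.

    Returns a copy of the entries with supportsHumanFlows filled in with its
    default (true) so later code can rely on the key being present.
    """
    normalized = []
    for index, idp in enumerate(idps):
        if "issuer" not in idp:  # assumption: issuer is mandatory
            raise ConfigError(f"oidcIdentityProviders[{index}]: missing issuer")
        supports_human = idp.get("supportsHumanFlows", True)
        if not isinstance(supports_human, bool):
            raise ConfigError(
                f"oidcIdentityProviders[{index}]: supportsHumanFlows must be a boolean")
        if supports_human and "clientId" not in idp:
            raise ConfigError(
                f"oidcIdentityProviders[{index}]: clientId is required "
                "unless supportsHumanFlows is false")
        normalized.append({**idp, "supportsHumanFlows": supports_human})
    return normalized


def match_idp(idps, principal_name):
    """First IdP whose matchPattern matches; an entry without one matches all (assumption)."""
    for idp in idps:
        pattern = idp.get("matchPattern")
        if pattern is None or re.search(pattern, principal_name):
            return idp
    return None


def sasl_start_reply(idps, principal_name):
    """IdP information a saslStart (MONGODB-OIDC) reply would carry.

    clientId is sent only for IdPs that support human flows. A workload IdP
    with supportsHumanFlows=false gets none in the reply even if an
    administrator configured one (clientId is optional there, not forbidden).
    """
    idp = match_idp(validate_idp_config(idps), principal_name)
    if idp is None:
        return {"ok": 0, "errmsg": f"no OIDC IdP matches principal {principal_name!r}"}
    payload = {"issuer": idp["issuer"]}
    if idp["supportsHumanFlows"]:
        payload["clientId"] = idp["clientId"]
    if "requestScopes" in idp:
        payload["requestScopes"] = list(idp["requestScopes"])
    return {"ok": 1, "payload": payload}


def choose_token_flow(reply, human_flow_requested):
    """Driver-side caveat: authorization code flow and device authorization
    grant both need a clientId, so a human flow must fail clearly without one.
    Returns "human" or "machine"."""
    if reply.get("ok") != 1:
        raise RuntimeError(reply.get("errmsg", "saslStart failed"))
    if human_flow_requested and "clientId" not in reply["payload"]:
        raise RuntimeError("IdP supplied no clientId; it likely has "
                           "supportsHumanFlows=false, so run a machine flow instead")
    return "human" if human_flow_requested else "machine"


# Constructed sample configuration: the oidcIdentityProviders setParameter
# value is a JSON array of objects shaped like these.
SAMPLE_IDPS = [
    {   # human-flow IdP: supportsHumanFlows defaults to true, so clientId is required
        "issuer": "https://login.example.com",
        "matchPattern": r"@example\.com$",
        "clientId": "human-app-client",
        "requestScopes": ["openid"],
    },
    {   # workload IdP: clientId may be omitted only because of the false flag
        "issuer": "https://workload.example.com",
        "matchPattern": r"^svc-",
        "supportsHumanFlows": False,
    },
]


if __name__ == "__main__":
    print(sasl_start_reply(SAMPLE_IDPS, "alice@example.com"))
    print(sasl_start_reply(SAMPLE_IDPS, "svc-etl"))
    try:
        validate_idp_config([{"issuer": "https://x.example"}])
    except ConfigError as err:
        print("rejected:", err)
```

      Running the module shows the human principal receiving issuer plus clientId, the svc- principal receiving issuer only, and a configuration that omits clientId without setting supportsHumanFlows to false being rejected at validation time, which is the pre-change behaviour for every entry.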

            Assignee: Kenneth Dyer (kenneth.dyer@mongodb.com)
            Reporter: Backlog - Core Eng Program Management Team (backlog-server-pm)
            Votes: 0
            Watchers: 2
            Resolved: 32 weeks, 5 days ago