- Type: Investigation
- Resolution: Unresolved
- Priority: Major - P3
- Affects Version/s: None
- Component/s: OIDC DB Auth
- Developer Tools
In WRITING-14037, one recommendation was for Workforce OIDC clients to implement RFC 8707. Specifically, we would tell the identity provider which resource (i.e. which MongoDB cluster/endpoint) we are connecting to, so that it can issue custom tokens (or, in particular, reject the authentication attempt outright) depending on whether it knows the cluster.
The core challenge here is defining an unambiguous, unforgeable URI for a given cluster. WRITING-15830 runs into a similar challenge and currently suggests using TLS certificate server names; that may not be feasible if we connect to multiple nodes in the same cluster at the same time, though.
The outcome should be captured in the workforce OIDC requirements spec document.
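As an added illustration (not code from this ticket or from mongosh/MongoDB), the snippet below shows the three sides of the RFC 8707 flow the description refers to: the client attaching one `resource` parameter per cluster to the authorization request, a cluster-aware identity provider refusing unregistered resources with the `invalid_target` error code, and the cluster checking that a presented token's `aud` claim names it. The `mongodb://host:port` identifiers, the `idp.example.com` endpoints, the `KNOWN_RESOURCES` allow-list and the client parameters are placeholders chosen for illustration; the ticket itself leaves the cluster URI format undecided.

```javascript
// Added example (not from the ticket or from mongosh/MongoDB): RFC 8707 resource
// indicators on the client side, the identity provider's decision, and the
// audience check a cluster would perform on the issued token.
// Assumptions: the "mongodb://host:port" identifiers, the idp.example.com
// endpoints and the allow-list below are placeholders chosen for illustration;
// the ticket itself leaves the cluster URI format undecided.

// RFC 8707 section 2: a resource value MUST be an absolute URI (RFC 3986
// section 4.3), MAY include a query component and MUST NOT include a fragment.
function validateResourceIndicator(value) {
  try {
    new URL(value); // throws unless the string carries a scheme, i.e. is absolute
  } catch {
    return { ok: false, reason: 'not an absolute URI' };
  }
  // In an absolute URI a literal '#' can only introduce a fragment.
  if (value.includes('#')) {
    return { ok: false, reason: 'fragment component is not allowed' };
  }
  return { ok: true, reason: null };
}

// Client side: build the authorization request, repeating "resource" once per
// cluster the client intends to use the token against.
function buildAuthorizationRequest(authorizationEndpoint, params, resources) {
  const url = new URL(authorizationEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', params.clientId);
  url.searchParams.set('redirect_uri', params.redirectUri);
  url.searchParams.set('scope', params.scope);
  url.searchParams.set('state', params.state);
  for (const resource of resources) {
    const check = validateResourceIndicator(resource);
    if (!check.ok) {
      throw new Error(`invalid resource indicator "${resource}": ${check.reason}`);
    }
    url.searchParams.append('resource', resource);
  }
  return url.toString();
}

// Identity-provider side (constructed allow-list): the provider only knows
// clusters that were registered with it; anything else is refused outright
// with the "invalid_target" error code defined by RFC 8707 section 2.
const KNOWN_RESOURCES = new Set([
  'mongodb://cluster0.example.net:27017',
  'mongodb://cluster1.example.net:27017',
]);

function issueTokenClaims(requestUrl, knownResources = KNOWN_RESOURCES) {
  const requested = new URL(requestUrl).searchParams.getAll('resource');
  const unknown = requested.filter((r) => !knownResources.has(r));
  if (unknown.length > 0) {
    return { error: 'invalid_target', unknown };
  }
  // Constructed claim set; a real provider would sign this as a JWT.
  return {
    claims: {
      iss: 'https://idp.example.com',
      sub: 'alice@example.com',
      aud: requested, // exactly the resources that were requested
      exp: Math.floor(Date.now() / 1000) + 300,
    },
  };
}

// Cluster side: RFC 7519 section 4.1.3 lets "aud" be a string or an array, and
// the recipient must reject the token unless it identifies itself in there.
// Plain string equality is deliberate: any normalisation (case folding,
// trailing slashes, DNS aliases) would reintroduce the ambiguity the ticket
// describes.
function audienceMatches(claims, ownResource) {
  const aud = claims && claims.aud;
  const audiences = Array.isArray(aud) ? aud : typeof aud === 'string' ? [aud] : [];
  return audiences.includes(ownResource);
}
```

The exact-match comparison in `audienceMatches` is where the "unambiguous, unforgeable URI" requirement bites: the value the client sends, the value the provider registers and the value the cluster compares against must be byte-for-byte identical, so whatever URI scheme is eventually chosen needs a single canonical spelling per cluster rather than anything derived from a hostname the client happened to connect to.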
- related to: MONGOSH-1906 Document OIDC Workforce Requirements for Client Applications (Closed)