It would be great to support authenticating to TFC/TFE via OIDC federated authentication. We must authenticate to the API with a token when we use it. Organization and team tokens only allow for a single instance of each. Code can be written that runs in a TFC/TFE workspace and authenticates back to the platform via a token. One can even write code to regenerate the token and write it back to the variable store so it can be used, but that process could fail, and then it is broken and requires intervention. Additionally, the token carries the risk of being leaked.
Supporting OIDC solves all of these problems. It can be used for circular authentication from a TFC/TFE workspace, as noted above, or via a CI platform when launching API-driven workflows.
This could also be great for self-hosted cloud agents to register to their agent pools if the compute workload has a particular identity that can be federated.