
How do I configure an OIDC application using Google Workspace for SSO?

We have a number of internal and external applications that use OIDC for authentication. These applications are a mixture of Public Clients (i.e. no client secret should be used) and "trusted" Clients (i.e. they require both a client id and client secret).

I want to control access from our Google Workspace console, limiting access to our Google Workspace users, using groups in Google Workspace to limit access to each OIDC application. We've noticed this feature is available in Google Workspace for SAML applications. I don't see the same feature for OIDC applications. I've spoken with Google Workspace Support who mentioned I should open a ticket with "the Google Cloud team", thus the reason for this post. For your reference, the Google Workspace Support ticket is 58533494.

How do I create a "public" client (i.e. a *private* application to our organisation only, but one that does not require a Client Secret to get an access token from Google Workspace/IAM)? And how do I create a "trusted" client (i.e. a *private* application to our organisation only, but one we get a "client secret" for, from Google IAM)? Also, how can I control access to that application so that only our Google Workspace users may access these applications, and limit access to each application using groups defined in Google Workspace?

Google Workspace Support seemed to think this is something we should raise with your team.
