Open
Labels: P2 (Moderate issues affecting some users, edge cases, potentially valuable feature), auth (Issues and PRs related to Authentication / OAuth), enhancement (Request for a new feature that's not currently supported), ready for work (Enough information for someone to start working on)
Description
Summary
PR #1652 implemented client-side support for Client ID Metadata Documents (CIMD) per SEP-991, but the server-side implementation is missing. Authorization servers built with the Python SDK cannot currently support CIMD.
Background
CIMD (draft-ietf-oauth-client-id-metadata-document-00) allows OAuth clients to use HTTPS URLs as client identifiers, where the URL points to a JSON document containing client metadata. This is the recommended registration approach per the MCP spec (ahead of DCR).
From the MCP Authorization spec:
Authorization servers and MCP clients SHOULD support OAuth Client ID Metadata Documents
Current State
Client-side (implemented in #1652)
- ✅ `is_valid_client_metadata_url()` - validates HTTPS URLs with path component
- ✅ `should_use_client_metadata_url()` - checks if server advertises CIMD support
- ✅ `create_client_info_from_metadata_url()` - uses URL as client_id
- ✅ OAuth flow integration with DCR fallback
Server-side (missing)
- ❌ Never advertises `client_id_metadata_document_supported=true` in OAuth metadata
- ❌ No detection of URL-formatted client_ids
- ❌ No metadata document fetching
- ❌ No validation (client_id matching, redirect_uri verification, document structure)
- ❌ No caching infrastructure
- ❌ No SSRF protection for fetching
Spec Requirements for Authorization Servers
From the MCP spec and CIMD RFC:
| Requirement | Level |
|---|---|
| Fetch metadata documents when encountering URL-formatted client_ids | SHOULD |
| Validate that fetched document's client_id matches the URL exactly | MUST |
| Validate redirect URIs against those in the metadata document | MUST |
| Validate document structure is valid JSON with required fields | MUST |
| Cache metadata respecting HTTP cache headers | SHOULD |
| Protect against SSRF attacks | SHOULD |
| Limit document size (~5KB recommended) | SHOULD |
| Display client_id hostname during consent | SHOULD |
| Never cache error responses | MUST NOT |
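The table above reads as a checklist for the server side. As an added illustration (not code from the Python SDK or from the linked PR), the following sketch covers the requirements that an authorization server can enforce locally: detecting a URL-formatted client_id, an SSRF guard applied to the address the fetcher actually connects to, the document validator (size limit, JSON structure, exact client_id match, redirect_uri check), and a cache that honours `max-age` but never stores error responses. All names, the sample document, and the assumption that `redirect_uris` is a required field are the author's of this example, not the spec's wording.

```python
import ipaddress
import json
import re
from urllib.parse import urlparse

MAX_DOCUMENT_BYTES = 5 * 1024  # ~5KB size limit recommended for metadata documents
# Constructed sample: the document a CIMD client would host at its client_id URL
SAMPLE_CLIENT_ID = "https://client.example/oauth/metadata.json"
SAMPLE_DOCUMENT = json.dumps({"client_id": SAMPLE_CLIENT_ID, "client_name": "Example MCP client", "redirect_uris": ["https://client.example/callback"]}).encode()

def is_url_client_id(client_id: str) -> bool:
    """Detect CIMD client_ids: HTTPS URLs with a non-root path and no fragment."""
    p = urlparse(client_id)
    return p.scheme == "https" and bool(p.hostname) and p.path not in ("", "/") and not p.fragment

def is_safe_fetch_address(resolved_ip: str) -> bool:
    """SSRF guard on the address the fetcher actually connects to, not just the hostname."""
    ip = ipaddress.ip_address(resolved_ip)
    return ip.is_global and not ip.is_multicast

def validate_metadata_document(client_id: str, body: bytes, redirect_uri: str) -> dict:
    """Return the parsed document or raise ValueError naming the first violation."""
    if len(body) > MAX_DOCUMENT_BYTES:
        raise ValueError("document exceeds size limit")
    try:
        doc = json.loads(body)
    except ValueError:
        raise ValueError("document is not valid JSON") from None
    if not isinstance(doc, dict):
        raise ValueError("document must be a JSON object")
    if doc.get("client_id") != client_id:  # exact string comparison, no URL normalisation
        raise ValueError("client_id in document does not match the URL")
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or not all(isinstance(u, str) for u in uris):
        raise ValueError("redirect_uris must be a list of strings")
    if redirect_uri not in uris:  # exact match against the registered list
        raise ValueError("redirect_uri is not registered in the metadata document")
    return doc

class MetadataCache:
    """Cache successful fetches for Cache-Control max-age seconds; never cache errors."""
    def __init__(self) -> None:
        self._entries = {}  # url -> (body, expiry timestamp)
    def put(self, url: str, status: int, cache_control: str, body: bytes, now: float) -> None:
        if status == 200 and (m := re.search(r"max-age=(\d+)", cache_control)):  # errors never stored
            self._entries[url] = (body, now + int(m.group(1)))
    def get(self, url: str, now: float):
        entry = self._entries.get(url)
        return entry[0] if entry and now < entry[1] else None
```

The fetch itself is left out: a real fetcher must resolve the hostname, run `is_safe_fetch_address` on every resolved address (including after redirects), and stop reading the body once `MAX_DOCUMENT_BYTES` is exceeded.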
References
- MCP Spec: https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents
- CIMD RFC: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-client-id-metadata-document-00
- SEP-991: Enable URL-based Client Registration using OAuth Client ID Metadata Documents (modelcontextprotocol#991)
- Client-side PR: feat: implement SEP-991 URL-based client ID (CIMD) support #1652
- Original tracking issue: Implement SEP-991: URL-based Client Registration (OAuth Client ID Metadata) #1538 (closed prematurely - only client-side was implemented)