@martimfasantos martimfasantos commented Feb 4, 2026

Problem

The MCP SDK's OAuth implementation currently only supports Dynamic Client Registration (DCR) for obtaining client credentials. While the OAuthMetadata schema includes the client_id_metadata_document_supported field (per RFC 7591 Section 3.3), this field is never populated in build_metadata(), preventing clients from using URL-based client IDs as an alternative to DCR.

This limitation means:

  • Clients cannot use predetermined, stable client_id values
  • Every client session generates a new UUID client_id via dynamic registration
  • No support for the Client ID Metadata Document (CIMD) pattern, where the client_id itself is an HTTPS URL pointing to client metadata

Changes

This PR adds client_id_metadata_document_supported as an optional field in ClientRegistrationOptions:

from pydantic import BaseModel

class ClientRegistrationOptions(BaseModel):
    enabled: bool = False
    client_secret_expiry_seconds: int | None = None
    valid_scopes: list[str] | None = None
    default_scopes: list[str] | None = None
    # NEW: advertise support for URL-based client IDs in the server metadata
    client_id_metadata_document_supported: bool = False

When enabled, the OAuth authorization server metadata will advertise support for URL-based client IDs, allowing clients to skip dynamic registration by providing an HTTPS URL as their client_id.

Benefits

  1. Stable Client Identities: Applications can use consistent client_id values across restarts
  2. Simplified Client Management: Pre-registered clients bypass the registration endpoint entirely
  3. RFC Compliance: Properly implements RFC 7591 Client ID Metadata Document discovery
  4. Backwards Compatible: Defaults to False, preserving existing DCR-only behavior

Example Usage

from mcp.server.auth.settings import ClientRegistrationOptions

options = ClientRegistrationOptions(
    enabled=True,
    valid_scopes=["read", "write"],
    client_id_metadata_document_supported=True,
)

Clients can then query /.well-known/oauth-authorization-server and see:

{
  "issuer": "https://example.com",
  "client_id_metadata_document_supported": true,
  ...
}
