Add Dynamic Client Registration Tutorial

README.md

@@ -68,18 +68,24 @@ ContextForge MCP Gateway is a feature-rich gateway, proxy and MCP Registry that
 * 10. [Configuration (`.env` or env vars)](#configuration-env-or-env-vars)
     * 10.1. [Basic](#basic)
     * 10.2. [Authentication](#authentication)
-    * 10.3. [UI Features](#ui-features)
-    * 10.4. [Security](#security)
-    * 10.5. [Logging](#logging)
-    * 10.6. [Transport](#transport)
-    * 10.7. [Federation](#federation)
-    * 10.8. [Resources](#resources)
-    * 10.9. [Tools](#tools)
-    * 10.10. [Prompts](#prompts)
-    * 10.11. [Health Checks](#health-checks)
-    * 10.12. [Database](#database)
-    * 10.13. [Cache Backend](#cache-backend)
-    * 10.14. [Development](#development)
+    * 10.3. [A2A (Agent-to-Agent) Features](#a2a-agent-to-agent-features)
+    * 10.4. [Email-Based Authentication & User Management](#email-based-authentication--user-management)
+    * 10.5. [MCP Client Authentication](#mcp-client-authentication)
+    * 10.6. [SSO (Single Sign-On) Configuration](#sso-single-sign-on-configuration)
+    * 10.7. [Dynamic Client Registration & Virtual MCP Server Authentication](#dynamic-client-registration--virtual-mcp-server-authentication)
+    * 10.8. [UI Features](#ui-features)
+    * 10.9. [Security](#security)
+    * 10.10. [Logging](#logging)
+    * 10.11. [Transport](#transport)
+    * 10.12. [Federation](#federation)
+    * 10.13. [Resources](#resources)
+    * 10.14. [Tools](#tools)
+    * 10.15. [Prompts](#prompts)
+    * 10.16. [Health Checks](#health-checks)
+    * 10.17. [Database](#database)
+    * 10.18. [Cache Backend](#cache-backend)
+    * 10.19. [Plugin Configuration](#plugin-configuration)
+    * 10.20. [Development](#development)
 * 11. [Running](#running)
     * 11.1. [Makefile](#makefile)
     * 11.2. [Script helper](#script-helper)
@@ -1209,11 +1215,26 @@ You can get started by copying the provided [.env.example](https://github.com/IB
 | ------------------------------ | ------------------------------------------------ | --------------------- | ------- |
 | `SSO_AUTO_ADMIN_DOMAINS`      | Email domains that automatically get admin privileges | `[]`             | JSON array |
 
+### Dynamic Client Registration & Virtual MCP Server Authentication
+
+ContextForge supports OAuth2 with Dynamic Client Registration (DCR)
+for streamable HTTP servers through integration with an upstream API gateway,
+such as HyperMCP gateway, enabling automatic OAuth2 client provisioning for MCP servers
+without manual configuration.
+
+| Setting                     | Description                                            | Default | Options |
+|-----------------------------|--------------------------------------------------------|---------|---------|
+| `JWT_AUDIENCE_VERIFICATION` | JWT audience verification needs to be disabled for DCR | `true`  | bool    |
+
+You can find an example for using dynamic client registration (DCR) with [HyprMCP Gateway (`hyprmcp/mcp-gateway`)](https://github.com/hyprmcp/mcp-gateway).
+
+Follow the tutorial at https://ibm.github.io/mcp-context-forge/tutorials/dcr-hyprmcp/ to get started.
+
 ### Personal Teams Configuration
 
 | Setting                                  | Description                                      | Default    | Options |
 | ---------------------------------------- | ------------------------------------------------ | ---------- | ------- |
-| `AUTO_CREATE_PERSONAL_TEAMS`            | Enable automatic personal team creation for new users | `true`   | bool    |
+| `AUTO_CREATE_PERSONAL_TEAMS`             | Enable automatic personal team creation for new users | `true`   | bool    |
 | `PERSONAL_TEAM_PREFIX`                   | Personal team naming prefix                      | `personal` | string  |
 | `MAX_TEAMS_PER_USER`                     | Maximum number of teams a user can belong to    | `50`       | int > 0 |
 | `MAX_MEMBERS_PER_TEAM`                   | Maximum number of members per team               | `100`      | int > 0 |

docs/docs/deployment/proxy-auth.md

@@ -43,6 +43,83 @@ AUTH_REQUIRED=true
 
 ## Common Proxy Configurations
 
+### HyprMCP Gateway
+
+Find the completed guide on how to use the [HyprMCP Gateway](https://github.com/hyprmcp/mcp-gateway) to support DCR and OAuth2 here:
+[Tutorial: Dynamic Client Registration with HyprMCP](/ibm/mcp-context-forge/tutorials/dcr-hyprmcp/)
+
+
+```yaml
+# docker-compose.yaml
+services:
+    hyprmcp-dex:
+        image: ghcr.io/dexidp/dex:v2.43.1-alpine
+        command: ["dex", "serve", "/config.yaml"]
+        ports:
+            - 5556:5556
+            - 5557:5557
+        healthcheck:
+            test: wget http://localhost:5556/.well-known/openid-configuration -O -
+            interval: 5s
+            start_period: 10s
+            start_interval: 1s
+        volumes:
+            - type: bind
+              source: config/hyprmcp-dex.yaml
+              target: /config.yaml
+              read_only: true
+            - type: bind
+              source: ./data
+              target: /data
+        #env_file:
+        #  - config/.dex.secret.env
+
+    hyprmcp-gateway:
+        image: ghcr.io/hyprmcp/mcp-gateway:0.2.6
+        command: ["serve", "--config", "/opt/config.yaml"]
+        ports:
+            - 9000:9000
+        volumes:
+            - type: bind
+              source: config/hyprmcp-gateway.yaml
+              target: /opt/config.yaml
+              read_only: true
+        depends_on:
+            hyprmcp-dex:
+                condition: service_healthy
+                required: true
+        network_mode: host
+
+    context-forge:
+        image: ghcr.io/ibm/mcp-context-forge:0.7.0
+        ports:
+            - 4444:4444
+        volumes:
+            - type: bind
+              source: ./data
+              target: /data
+            - ./config/public.pem:/opt/public.pem:ro
+            - ./config/private.pem:/opt/private.pem:ro
+        env_file:
+            - config/context-forge.env
+        environment:
+            JWT_ALGORITHM: RS256
+            JWT_PUBLIC_KEY_PATH: /opt/public.pem
+            JWT_PRIVATE_KEY_PATH: /opt/private.pem
+            JWT_AUDIENCE_VERIFICATION: false
+            JWT_ISSUER: http://localhost:5556
+            DATABASE_URL: sqlite:////data/context-forge.db
+            HOST: 0.0.0.0
+            PORT: "4444"
+            MCPGATEWAY_UI_ENABLED: true
+            MCPGATEWAY_ADMIN_API_ENABLED: true
+            BASIC_AUTH_USER: admin
+            BASIC_AUTH_PASSWORD: changeme
+            AUTH_REQUIRED: false
+            MCP_CLIENT_AUTH_ENABLED: false
+            TRUST_PROXY_AUTH: true
+```
+
 ### OAuth2 Proxy
 
 OAuth2 Proxy is a popular reverse proxy that provides authentication using OAuth2 providers.

docs/docs/manage/.pages

@@ -12,6 +12,7 @@ nav:
   - observability.md
   - observability
   - proxy.md
+  - dcr.md
   - oauth.md
   - securing.md
   - sso.md

docs/docs/manage/dcr.md

@@ -0,0 +1,40 @@
+# Dynamic Client Registration (DCR)
+
+Dynamic Client Registration (DCR) is an OAuth 2.0 extension that enables automatic client registration without manual configuration. This guide explains how to configure and use DCR with MCP Gateway for streamable HTTP servers.
+
+## Overview
+
+DCR solves a common authentication challenge in distributed MCP deployments:
+- **Traditional OAuth2** requires pre-configured client credentials for each MCP server
+- **With DCR**, MCP clients can automatically register themselves as OAuth2 clients
+
+## What is Dynamic Client Registration?
+
+Dynamic Client Registration is defined in [RFC 7591](https://tools.ietf.org/html/rfc7591) as a protocol that allows OAuth 2.0 clients to register with authorization servers dynamically. In the context of MCP Gateway:
+
+## Architecture
+
+A simplified architecture. Please view the following guide for an in depth swimlane chart:
+
+📖 **[Dynamic Client Registration with HyperMCP Tutorial](../tutorials/dcr-hyprmcp.md)**
+
+```mermaid
+graph LR
+    Client[MCP Client]
+    HyprMCP[HyprMCP Gateway]
+    Dex[Dex]
+    IdP[Federated IdP<br/>GitHub/Google/LDAP]
+    ContextForge[ContextForge]
+
+    Client --> HyprMCP
+    HyprMCP --> Dex
+    Dex -.-> IdP
+    HyprMCP --> ContextForge
+```
+
+## Related Documentation
+
+- [OAuth 2.0 Integration](oauth.md) - General OAuth2 configuration
+- [Proxy Authentication](../deployment/proxy-auth.md) - Using authentication proxies
+- [SSO Configuration](sso.md) - Single Sign-On setup
+- [Security Best Practices](securing.md) - Security guidelines

docs/docs/manage/index.md

@@ -20,6 +20,7 @@ Whether you're self-hosting, running in the cloud, or deploying to Kubernetes, t
 | Page | Description |
 |------|-------------|
 | [Configuration](configuration.md) | **Complete configuration reference** - databases, environment variables, and deployment settings |
+| [Dynamic Client Registration](dcr.md) | 🔐 **OAuth2 DCR** - Automatic client provisioning for streamable HTTP servers |
 | [Backups](backup.md) | How to persist and restore your database, configs, and resource state |
 | [Export & Import](export-import.md) | Complete configuration management with CLI, API, and Admin UI |
 | [Export/Import Tutorial](export-import-tutorial.md) | Step-by-step tutorial for getting started with export/import |

docs/docs/tutorials/.pages

@@ -2,3 +2,4 @@ nav:
   - index.md
   - argocd-helm-deployment-ibm-cloud-iks.md
   - openwebui-tutorial.md
+  - dcr-hyprmcp.md