fix: disable CIMD to prevent size limit errors on /authorize #46
Merged
mattzcarey merged 2 commits into main from Feb 26, 2026
Remove the global_fetch_strictly_public compatibility flag which enabled Client ID Metadata Document (CIMD) fetching. When clients use a URL as their client_id (e.g. claude.ai), the library fetches metadata from that URL with a 5KB size limit, causing "Response exceeded size limit of 5120 bytes" errors on /authorize. With CIMD disabled, the OAuth metadata endpoint reports client_id_metadata_document_supported: false and clients fall back to Dynamic Client Registration (DCR) instead. Fixes #45
Summary
global_fetch_strictly_public compatibility flag from wrangler.jsonc, which disables Client ID Metadata Document (CIMD) support in @cloudflare/workers-oauth-provider

Problem
When MCP clients use a URL as their client_id (e.g. https://claude.ai/oauth/mcp-oauth-client-metadata), the OAuth provider fetches the metadata document from that URL. The library enforces a 5KB size limit on the response, and some client metadata documents exceed this, causing:

This results in a 500 error page on /authorize — users see "Server Error" immediately when trying to connect. We found 68 such errors on /authorize in the last 24 hours via Workers Observability telemetry.

Fix
Removing global_fetch_strictly_public from compatibility flags makes the library report client_id_metadata_document_supported: false in the OAuth metadata discovery endpoint. Clients then fall back to Dynamic Client Registration (DCR) instead of CIMD, avoiding the size limit entirely.

Test plan
npm run check passes (format, lint, typecheck, 69 tests)

Fixes #45
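
A post-deploy check for the behaviour described above, as an added example that is not code from this PR or from @cloudflare/workers-oauth-provider: given the server's OAuth discovery document, it reports which registration route a client would take and flags a deployment that still advertises CIMD or offers no DCR fallback. The sample documents and the mcp.example.com host are constructed, and registration_endpoint is the RFC 8414 field that advertises DCR.

```javascript
// Added example: not code from this PR or from @cloudflare/workers-oauth-provider.
// client_id_metadata_document_supported is the field quoted in the PR;
// registration_endpoint is the RFC 8414 field that advertises DCR.

// Simplified URL-style client_id test (assumption: any https URL counts).
function isUrlClientId(clientId) {
  try {
    return new URL(clientId).protocol === "https:";
  } catch {
    return false; // opaque ids, e.g. ones issued by DCR, are not URLs
  }
}

// Registration route a client would take against this server metadata.
function registrationPath(metadata, clientId) {
  if (isUrlClientId(clientId) && metadata.client_id_metadata_document_supported === true) {
    return "cimd"; // server fetches the client's metadata document
  }
  const endpoint = metadata.registration_endpoint;
  return typeof endpoint === "string" && endpoint !== "" ? "dcr" : "none";
}

// Post-deploy check: CIMD must be off and a DCR fallback must be advertised.
function auditDiscovery(jsonText) {
  let metadata;
  try {
    metadata = JSON.parse(jsonText);
  } catch {
    return ["discovery document is not valid JSON"];
  }
  if (metadata === null || typeof metadata !== "object") {
    return ["discovery document is not a JSON object"];
  }
  const findings = [];
  if (metadata.client_id_metadata_document_supported === true) {
    findings.push("CIMD still advertised: URL client_ids trigger a metadata fetch");
  }
  if (registrationPath(metadata, "opaque-id") !== "dcr") {
    findings.push("no registration_endpoint: clients have no DCR fallback");
  }
  return findings;
}

// Constructed sample documents; mcp.example.com is a placeholder host.
const BASE = { issuer: "https://mcp.example.com", registration_endpoint: "https://mcp.example.com/register" };
const BEFORE = JSON.stringify({ ...BASE, client_id_metadata_document_supported: true });
const AFTER = JSON.stringify({ ...BASE, client_id_metadata_document_supported: false });
const CLAUDE_ID = "https://claude.ai/oauth/mcp-oauth-client-metadata"; // client_id from the PR text
console.log(registrationPath(JSON.parse(BEFORE), CLAUDE_ID), registrationPath(JSON.parse(AFTER), CLAUDE_ID));
```

An empty result from auditDiscovery on the deployed discovery document means URL client_ids will go through DCR rather than a metadata fetch.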