Feature: adds security to the OAuth registration endpoint

[jsandfordhughescoop]

This PR enhances the OAuth client registration endpoint by adding validation and configurable redirect domain restrictions.

Changes

• Validate redirect URIs against configured allowed domains.
• Added config/mcp.php with:
  • allow_all_redirect_domains — toggle to allow all redirect domains.
  • allowed_redirect_domains — list of whitelisted domains.

Benefits

• Improved security: prevents registration with unauthorized redirect URIs.
  This is effectively the only meaningful security enforcement available within the MCP specification, which otherwise does not provide mechanisms for authenticating or authorizing clients during registration.

Notes

I have not validated client name as this could be a breaking change to users who have overwritten the default of Passport functionality.

[github-actions]

Thanks for submitting a PR!

Note that draft PR's are not reviewed. If you would like a review, please mark your pull request as ready for review in the GitHub user interface.

Pull requests that are abandoned in draft may be closed due to inactivity.

[alankpax]

Maybe another way would be to be able to set or override middleware and middleware groups on these routes by configuration ?

In my project I'm using spatie/csp package to have more control on what CSP I want to use on specific route.

[jsandfordhughescoop]

Maybe another way would be to be able to set or override middleware and middleware groups on these routes by configuration ?

In my project I'm using spatie/csp package to have more control on what CSP I want to use on specific route.

That’s a good idea. However, I think adding redirect domain whitelists as a configuration option makes it simpler for developers to implement, while also signalling that this is a recommended best practice.

[taylorotwell]

Some formatting things that would need to be fixed here.

[jsandfordhughescoop]

Some formatting things that would need to be fixed here.

@taylorotwell - Is there anything specific?

The composer test command has been run and Rector reformatted some code.

[jsandfordhughescoop]

Some formatting things that would need to be fixed here.

@taylorotwell - Is there anything specific?

The composer test command has been run and Rector reformatted some code.

Have had a stab at some reformatting 🤞

[hafezdivandari]

Please consider RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol:

• Error responses are different: https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2
• According to RFC redirect_uris accepts array of URIs, but you're forcing URLs by adding url validation rule.
• Controller name doesn't refer to "client", I suggest something like Oauth\ClientRegisterationConstroller.
• It is going ro be useful to convert other defined routes to invokable controllers too, make it easier to customize:
  • RFC 9728: OAuth 2.0 Protected Resource Metadata
  • RFC 8414: OAuth 2.0 Authorization Server Metadata
• It is not possible to change the route without a BC change but POST oauth/clients was a better choice IMO.

[jsandfordhughescoop]

RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol

A few points here are out of the scope of this PR IMO. I am just trying to provide some protection to the register endpoint.

[barryvdh]

I think the request parameter client_name got accidentally changed to name
Before:
https://github.com/laravel/mcp/pull/87/files#diff-92678f35c558701ce8a360588eb08f99026231c8b32cd0d118315b84ea75efb0L113
After:
https://github.com/laravel/mcp/pull/87/files#diff-728478d0055c4873d77a0804b2b3c8663a55a6204c39ea99063a57ab91573f85R40

The tests pass because not typehints are on the fake registry, but in practice they fail.

My colleague has added a fix in #104