Skip to content

feat: specify OIDC application_type during dynamic client registration (SEP-837)#883

Open
stefanoamorelli wants to merge 2 commits into
modelcontextprotocol:mainfrom
stefanoamorelli:sep-837-oidc-dcr-application-type
Open

feat: specify OIDC application_type during dynamic client registration (SEP-837)#883
stefanoamorelli wants to merge 2 commits into
modelcontextprotocol:mainfrom
stefanoamorelli:sep-837-oidc-dcr-application-type

Conversation

@stefanoamorelli
Copy link
Copy Markdown

@stefanoamorelli stefanoamorelli commented Jun 3, 2026
edited
Loading

Closes #880

Motivation and Context

SEP-837 clarifies the client type requirements for OIDC Dynamic Client Registration: a client must send an application_type, because a server that receives none assumes "web". That clashes with the loopback and localhost redirect URIs CLI and desktop clients use, and the server can reject the registration over it.

register_client currently sends no application_type, so the SDK hits exactly that. This PR makes it always send one: "native" by default (matching the loopback redirect), with an OAuthClientConfig::with_application_type(..) builder to opt into "web". I also set "native" in client-metadata.json so the URL-based client metadata (SEP-991) and dynamic registration agree.

How Has This Been Tested?

Added unit tests covering the serialized request (application_type present when set, omitted when None) and the config default and override. The full rmcp suite passes with the auth feature, and cargo +nightly fmt --all and clippy are clean.

Breaking Changes

No API breaking changes: OAuthClientConfig is #[non_exhaustive] and built via OAuthClientConfig::new, and ClientRegistrationRequest is crate-private.

One behavior change: register_client now always includes application_type ("native" unless overridden) where it sent none before. Non-OIDC servers ignore it; OIDC servers treat the client as native instead of assuming "web".

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

No new error handling was needed: the change only sets a request field, and the registration failure SEP-837 mentions is already surfaced by AuthError::RegistrationFailed.

@stefanoamorelli
feat(auth): specify OIDC application_type during client registration
167b7dc 
SEP-837 [1] requires an MCP client to specify an application_type during
OIDC Dynamic Client Registration. When it is omitted, OIDC servers
default the client to "web", which conflicts with the loopback redirect
URIs that CLI and desktop clients use, so the registration can be
rejected.

I make register_client always send an application_type. It defaults to
"native" to match the loopback redirect this SDK uses, and I added
OAuthClientConfig::with_application_type so web clients can opt in. Tests
cover the serialized request body and the config default. Implements [2].

[1]: https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/draft/basic/authorization.mdx#L395
[2]: modelcontextprotocol#880

Signed-off-by: Stefano Amorelli <stefano@amorelli.tech>
@stefanoamorelli
chore(auth): declare application_type in client metadata document
8a1477e 
I set application_type to "native" in the hosted client metadata
document so the URL-based client id flow and dynamic registration agree
on the client type that SEP-837 [1] expects.

[1]: https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/draft/basic/authorization.mdx#L395

Signed-off-by: Stefano Amorelli <stefano@amorelli.tech>
@stefanoamorelli stefanoamorelli requested a review from a team as a code owner June 3, 2026 17:52
@github-actions github-actions Bot added T-config Configuration file changes T-core Core library changes T-transport Transport layer changes labels Jun 3, 2026
@stefanoamorelli stefanoamorelli mentioned this pull request Jun 3, 2026
Open
5 tasks
@stefanoamorelli stefanoamorelli changed the title feat: specify OIDC application_type during dynamic client registration feat: specify OIDC application_type during dynamic client registration (SEP-837) Jun 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

T-config Configuration file changes T-core Core library changes T-transport Transport layer changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implement SEP-837: Clarify client type requirements (OIDC DCR)

1 participant

@stefanoamorelli