@@ -159,43 +159,27 @@ remain unchanged.
159159
160160### 2.3 Dynamic Client Registration
161161
162- MCP authorization makes use of the
162+ MCP clients and servers ** SHOULD ** support the
163163[ OAuth 2.0 Dynamic Client Registration Protocol] ( https://datatracker.ietf.org/doc/html/rfc7591 )
164- to allow MCP clients to obtain OAuth client IDs without user interaction.
165-
166- - MCP clients ** SHOULD** support
167- [ OAuth 2.0 Dynamic Client Registration Protocol] ( https://datatracker.ietf.org/doc/html/rfc7591 )
168- - MCP servers with non-localhost redirect URIs ** SHOULD** support Dynamic Client
169- Registration.
170- - MCP servers with localhost redirect URIs ** MAY** support Dynamic Client Registration.
171-
172- Note that it is not required to support Dynamic Client Registration. MCP clients that do
173- not support Dynamic Client Registration need to provide alternative ways to obtain a
174- client id (and if applicable client secret).
175-
176- #### 2.3.1 Localhost Redirect URIs
177-
178- When using localhost redirect URIs (http://localhost:{port} or http://127.0.0.1:{port} ),
179- clients:
180-
181- - Dynamic registration is ** OPTIONAL** (a client ID is not required).
182- - ** MAY** proceed directly to authorization.
183- - ** SHOULD** be considered public clients and not store any clients secrets.
184-
185- This exception for localhost is explicitly supported by OAuth 2.1 for public clients and
186- provides a secure flow through the combination of PKCE and localhost-only redirects.
187-
188- #### 2.3.2 Non-Localhost Redirect URIs
189-
190- For all other redirect URIs, MCP clients and servers ** SHOULD** support dynamic client
191- registration. This provides a standardized way for clients to automatically register with
192- new servers, which is crucial for MCP because:
164+ to allow MCP clients to obtain OAuth client IDs without user interaction. This provides a
165+ standardized way for clients to automatically register with new servers, which is crucial
166+ for MCP because:
193167
194168- Clients cannot know all possible servers in advance
195169- Manual registration would create friction for users
196170- It enables seamless connection to new servers
197171- Servers can implement their own registration policies
198172
173+ Any MCP servers that _ do not_ support Dynamic Client Registration need to provide
174+ alternative ways to obtain a client ID (and, if applicable, client secret). For one of
175+ these servers, MCP clients will have to either:
176+
177+ 1 . Hardcode a client ID (and, if applicable, client secret) specifically for that MCP
178+ server, or
179+ 2 . Present a UI to users that allows them to enter these details, after registering an
180+ OAuth client themselves (e.g., through a configuration interface hosted by the
181+ server).
182+
199183### 2.4 Authorization Flow Steps
200184
201185The complete Authorization flow proceeds as follows:
@@ -213,7 +197,7 @@ sequenceDiagram
213197 M->>C: 404 (Use default endpoints)
214198 end
215199
216- alt Non-Localhost Redirect URI
200+ alt Dynamic Client Registration
217201 C->>M: POST /register
218202 M->>C: Client Credentials
219203 end
@@ -237,17 +221,13 @@ flowchart TD
237221 B -->|Available| C[Use Metadata Endpoints]
238222 B -->|Not Available| D[Use Default Endpoints]
239223
240- C --> E{Check Redirect URI}
241- D --> E
242-
243- E -->|Localhost| F[Skip Registration]
244- E -->|Non-localhost| G{Check Registration Endpoint}
224+ C --> G{Check Registration Endpoint}
225+ D --> G
245226
246227 G -->|Available| H[Perform Dynamic Registration]
247228 G -->|Not Available| I[Alternative Registration Required]
248229
249- F --> J[Start OAuth Flow]
250- H --> J
230+ H --> J[Start OAuth Flow]
251231 I --> J
252232
253233 J --> K[Generate PKCE Parameters]
0 commit comments