fix: allow unauthenticated oauth client registration (#109)

Author: mplemay

packages/belgie-alchemy/src/belgie_alchemy/__tests__/integration/core/oauth/test_routes_register.py

@@ -134,9 +134,11 @@ async def test_register_enabled_unauthenticated_allows_omitted_auth_method(
 
 
 @pytest.mark.asyncio
-async def test_register_enabled_unauthenticated_rejects_explicit_confidential_clients(
+@pytest.mark.parametrize("auth_method", ["client_secret_post", "client_secret_basic"])
+async def test_register_enabled_unauthenticated_allows_explicit_confidential_clients(
     belgie_instance,
     oauth_settings: OAuthServer,
+    auth_method: str,
 ) -> None:
     settings_payload = oauth_settings.model_dump(mode="python")
     settings_payload["allow_dynamic_client_registration"] = True
@@ -151,13 +153,42 @@ async def test_register_enabled_unauthenticated_rejects_explicit_confidential_cl
             "/auth/oauth/register",
             json={
                 "redirect_uris": ["http://testserver/callback"],
-                "token_endpoint_auth_method": "client_secret_post",
+                "token_endpoint_auth_method": auth_method,
+            },
+        )
+
+    assert response.status_code == 200
+    payload = response.json()
+    assert payload["client_secret"] is not None
+    assert payload["token_endpoint_auth_method"] == auth_method
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize("auth_method", ["client_secret_post", "client_secret_basic"])
+async def test_register_enabled_without_unauthenticated_registration_rejects_confidential_clients(
+    belgie_instance,
+    oauth_settings: OAuthServer,
+    auth_method: str,
+) -> None:
+    settings_payload = oauth_settings.model_dump(mode="python")
+    settings_payload["allow_dynamic_client_registration"] = True
+    settings = OAuthServer(**settings_payload)
+    belgie_instance.add_plugin(settings)
+    app = FastAPI()
+    app.include_router(belgie_instance.router)
+    transport = httpx.ASGITransport(app=app)
+    async with httpx.AsyncClient(transport=transport, base_url="http://testserver") as client:
+        response = await client.post(
+            "/auth/oauth/register",
+            json={
+                "redirect_uris": ["http://testserver/callback"],
+                "token_endpoint_auth_method": auth_method,
             },
         )
 
     assert response.status_code == 401
     payload = response.json()
-    assert payload["error"] == "invalid_request"
+    assert payload["error"] == "invalid_token"
 
 
 @pytest.mark.asyncio

packages/belgie-alchemy/src/belgie_alchemy/__tests__/unit/core/mixins/test_mixins.py

@@ -11,7 +11,6 @@ def test_primary_key_mixin_defaults() -> None:
     id_column = User.__table__.c.id  # type: ignore[attr-defined]
     assert id_column.primary_key
     assert str(id_column.server_default.arg) == "gen_random_uuid()"
-    assert id_column.index
 
 
 def test_primary_key_client_side_generation() -> None:

packages/belgie-oauth-server/README.md

@@ -20,6 +20,22 @@ To migrate existing clients:
 - Configure a resource with `resources=[OAuthResource(...)]`.
 - Or stop sending the `resource` parameter.
 
+## Dynamic Client Registration
+
+If `allow_dynamic_client_registration=True`, Belgie serves `POST /auth/oauth/register` for OAuth Dynamic Client
+Registration.
+
+If `allow_unauthenticated_client_registration=True`, anonymous registration is allowed for both:
+
+- public clients (`token_endpoint_auth_method="none"`)
+- confidential clients (`client_secret_post`, `client_secret_basic`, or omitted auth method)
+
+When the auth method is omitted, Belgie preserves provider-side defaulting and registers the client as
+`client_secret_post`.
+
+This setting is intentionally permissive. Any anonymous caller can register a confidential client and receive a client
+secret, so treat it as a development or compatibility escape hatch unless you have separate controls around DCR.
+
 ## ID Token Signing for Public Clients
 
 `id_token` signing and verification use the client secret-derived key for confidential clients. Public clients (with

packages/belgie-oauth-server/src/belgie_oauth_server/plugin.py

@@ -333,13 +333,13 @@ async def token_handler(
         return router
 
     @staticmethod
-    def _add_register_route(  # noqa: C901
+    def _add_register_route(
         router: APIRouter,
         belgie: Belgie,
         provider: SimpleOAuthProvider,
         settings: OAuthServer,
     ) -> APIRouter:
-        async def register_handler(  # noqa: PLR0911
+        async def register_handler(
             request: Request,
             client: Annotated[BelgieClient, Depends(belgie)],
         ) -> Response:
@@ -371,22 +371,12 @@ async def register_handler(  # noqa: PLR0911
                 if exc.status_code != status.HTTP_401_UNAUTHORIZED:
                     raise
 
-            # Treat omitted auth method like public registration here so MCP clients can
-            # register anonymously; the provider still defaults it later.
-            is_public_client = metadata.token_endpoint_auth_method in {None, "none"}
-            if not authenticated:
-                if not settings.allow_unauthenticated_client_registration:
-                    return _oauth_error(
-                        "invalid_token",
-                        "authentication required for client registration",
-                        status_code=401,
-                    )
-                if not is_public_client:
-                    return _oauth_error(
-                        "invalid_request",
-                        "authentication required for confidential client registration",
-                        status_code=401,
-                    )
+            if not authenticated and not settings.allow_unauthenticated_client_registration:
+                return _oauth_error(
+                    "invalid_token",
+                    "authentication required for client registration",
+                    status_code=401,
+                )
 
             try:
                 client_info = await provider.register_client(metadata)