Skill

dynamic-client-registration

Guides implementation of OAuth 2.0 Dynamic Client Registration (RFC 7591) for authorization servers, including endpoint setup, request handling, and security mitigations.

Oauth

security

authentication

npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills

Popularity

Stars

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/prodsec-skills:dynamic-client-registration

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Authorization servers MAY support the OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591). This allows MCP clients to register automatically without manual intervention.

SKILL.md

67 lines · ~572 tokens

Similar Skills

mcp-client-dynamic-client-registration

Implements OAuth 2.0 Dynamic Client Registration (RFC 7591) for MCP clients, enabling automatic registration with authorization servers without manual setup.

prodsec-skills

configuring-oauth2-authorization-flow

13.2k

Configures OAuth 2.0 authorization flows including Authorization Code with PKCE, Client Credentials, and Device Authorization Grant. Covers flow selection, PKCE implementation, token lifecycle, and OAuth 2.1 security best practices.

7 files

cybersecurity-skills

mcp-oauth-setup

Implements MCP server authentication using OAuth dynamic client registration (RFC 7591/8414), PKCE, bearer tokens, and API keys for admin UIs. Supports per-agent credentials, metadata discovery, token exchange, and tool sync for providers like Linear, Sentry.

4 files

majestic-rails

Stats

LanguagePython

Stars34

Forks3

MaintenanceExcellent

Last CommitMay 26, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Dynamic Client Registration for Authorization Servers

Security Recommendation

Authorization servers MAY support the OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591). This allows MCP clients to register automatically without manual intervention.

Registration Endpoint

If supported, the authorization server MUST expose a registration_endpoint in its discovery metadata and handle registration requests per RFC 7591.

Example Registration Request

POST /register HTTP/1.1 Host: auth.example.com Content-Type: application/json { "client_name": "MCP Client App", "redirect_uris": ["https://client.example.com/callback"], "grant_types": ["authorization_code"], "response_types": ["code"], "token_endpoint_auth_method": "none", "scope": "tools:read tools:execute" }

Example Registration Response

{ "client_id": "generated-client-id", "client_id_issued_at": 1700000000, "redirect_uris": ["https://client.example.com/callback"], "grant_types": ["authorization_code"], "response_types": ["code"], "token_endpoint_auth_method": "none" }

Security Considerations

Concern

Mitigation

Abuse/spam registrations

Rate limit registration endpoint, require initial access tokens

Malicious redirect URIs

Validate redirect URIs strictly (HTTPS, no open redirectors)

Resource exhaustion

Limit number of registrations per IP/token, expire unused registrations

Privilege escalation

Only grant requested scopes that are within the server's allowed set

Implementation Checklist

Expose registration_endpoint in discovery metadata

Implement RFC 7591 registration request processing

Validate all client metadata fields per OAuth 2.1 requirements

Enforce HTTPS-only redirect URIs

Rate limit registration requests

Optionally require initial access tokens for registration

Auto-expire inactive client registrations

Log all registration events for audit