Skill

mcp-client-dynamic-client-registration

Implements OAuth 2.0 Dynamic Client Registration (RFC 7591) for MCP clients, enabling automatic registration with authorization servers without manual setup.

Oauth

security

authentication

npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills

Popularity

Stars

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/prodsec-skills:mcp-client-dynamic-client-registration

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Authorization servers and MCP clients MAY support the OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591). This allows MCP clients to register with authorization servers automatically without manual pre-registration.

SKILL.md

49 lines · ~521 tokens

Similar Skills

dynamic-client-registration

Guides implementation of OAuth 2.0 Dynamic Client Registration (RFC 7591) for authorization servers, including endpoint setup, request handling, and security mitigations.

prodsec-skills

mcp-oauth-setup

Implements MCP server authentication using OAuth dynamic client registration (RFC 7591/8414), PKCE, bearer tokens, and API keys for admin UIs. Supports per-agent credentials, metadata discovery, token exchange, and tool sync for providers like Linear, Sentry.

4 files

majestic-rails

configuring-oauth2-authorization-flow

13.2k

Configures OAuth 2.0 authorization flows including Authorization Code with PKCE, Client Credentials, and Device Authorization Grant. Covers flow selection, PKCE implementation, token lifecycle, and OAuth 2.1 security best practices.

7 files

cybersecurity-skills

Stats

LanguagePython

Stars34

Forks3

MaintenanceExcellent

Last CommitMay 26, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Dynamic Client Registration for MCP Clients

Security Recommendation

When to Use

Dynamic Client Registration is useful when:

MCP clients connect to many different MCP servers with different authorization servers

Manual client registration is impractical at scale

The authorization server supports it (check the discovery metadata for registration_endpoint)

Registration Flow

1. MCP client discovers authorization server via Protected Resource Metadata 2. MCP client fetches authorization server metadata 3. Check for registration_endpoint in the metadata 4. If available, POST client registration request: POST /register HTTP/1.1 Content-Type: application/json { "client_name": "MCP Client App", "redirect_uris": ["https://client.example.com/callback"], "grant_types": ["authorization_code"], "response_types": ["code"], "token_endpoint_auth_method": "none" } 5. Authorization server returns client_id (and optionally client_secret) 6. Use returned credentials for subsequent OAuth flows

Implementation Checklist

Check authorization server metadata for registration_endpoint

Implement RFC 7591 client registration request

Store returned client_id and client_secret securely

Handle registration errors by logging the failure reason and falling back to manual registration or retrying with corrected parameters

Support re-registration if credentials are lost or expired

Prefer Client ID Metadata Documents when both mechanisms are available

Dynamic Client Registration for MCP Clients

Security Recommendation

When to Use

Dynamic Client Registration is useful when:

MCP clients connect to many different MCP servers with different authorization servers
Manual client registration is impractical at scale
The authorization server supports it (check the discovery metadata for registration_endpoint)

Registration Flow

1. MCP client discovers authorization server via Protected Resource Metadata
2. MCP client fetches authorization server metadata
3. Check for registration_endpoint in the metadata
4. If available, POST client registration request:
   POST /register HTTP/1.1
   Content-Type: application/json
   {
     "client_name": "MCP Client App",
     "redirect_uris": ["https://client.example.com/callback"],
     "grant_types": ["authorization_code"],
     "response_types": ["code"],
     "token_endpoint_auth_method": "none"
   }
5. Authorization server returns client_id (and optionally client_secret)
6. Use returned credentials for subsequent OAuth flows

Implementation Checklist

Check authorization server metadata for registration_endpoint
Implement RFC 7591 client registration request
Store returned client_id and client_secret securely
Handle registration errors by logging the failure reason and falling back to manual registration or retrying with corrected parameters
Support re-registration if credentials are lost or expired
Prefer Client ID Metadata Documents when both mechanisms are available

mcp-client-dynamic-client-registration

Popularity

Invocation

Context Preview

SKILL.md

Similar Skills

Help us improve

Help us improve

Find plugins for your project

mcp-client-dynamic-client-registration

Popularity

Invocation

Context Preview

SKILL.md

Dynamic Client Registration for MCP Clients

Security Recommendation

When to Use

Registration Flow

Implementation Checklist

Similar Skills

Help us improve

Dynamic Client Registration for MCP Clients

Security Recommendation

When to Use

Registration Flow

Implementation Checklist