Add application_type to the Dynamic Client Registration request#1613
Conversation
application_type to the Dynamic Client Registration requestapplication_type to the Dynamic Client Registration request
5063493 to
cd9ba60
Compare
|
@mikekistler - can you please help reviewing this PR |
mikekistler
left a comment
There was a problem hiding this comment.
Looks good! 👍
Thank you for this contribution!
|
@mikekistler |
jeffhandley
left a comment
There was a problem hiding this comment.
Thanks for getting this together, @jayaraman-venkatesan.
Before we merge, SEP-837's normative language ("MCP clients MUST be prepared to handle registration failures…", "SHOULD surface a meaningful error", "MAY retry with adjusted application_type or redirect URIs") is aimed at MCP clients. As the C# SDK those clients are built on, we don't have to implement the surfacing or retry behavior ourselves, but we do need to make sure a developer using the SDK is able to do those things, and we should prove it with tests in this PR before we close out #1545.
Two test scenarios I'd like added here:
- DCR failure is recoverable from the consumer's perspective. When an OIDC AS rejects the DCR call (e.g. 400
invalid_redirect_uri), the failure should propagate to the SDK consumer with enough context: the HTTP status, the AS error body, and ideally theapplication_type/redirect_urithe SDK actually sent; so the consumer can produce a meaningful error. Please add a negative test that mocks an OIDC AS rejecting registration and asserts the thrown exception (or returned result) carries that information. - A consumer can retry registration with adjusted parameters. The SDK's resolved
ApplicationTypeis fixed in theClientOAuthProviderconstructor today, so a retry implies the consumer constructing a new provider with a differentApplicationType(or different redirect URI). Please add a test that does exactly that: first DCR attempt rejected, second attempt succeeds after swappingApplicationType; to (a) prove the surface supports the MAY behavior and (b) catch any subtle state-carryover bugs.
One related point worth thinking about while you're in here: the synchronous ArgumentException on conflict (e.g. "web" + localhost) is a nice guardrail, but it also blocks a consumer from retrying with a combination the AS happens to require; for example, if an AS demanded "web" paired with a localhost redirect, the SDK would refuse to even attempt that registration. Probably fine to leave the behavior as-is, but worth a sentence in the xmldoc noting that consumers who need that flexibility must set ApplicationType explicitly and that the inference will not override it. Up to you.
…ble and retryable and enrich the DCR-failure McpException with the application_type and redirect_uri the SDK sent
|
Thanks @jeffhandley, pushed 2643b0b addressing both test scenarios
The failure is build (windows-latest, Release), I suppose is pre-existing flake in McpServerBuilderExtensionsMessageFilterTests, a re-run should clear it, please help kick one off when you get a chance. Thanks! |
jeffhandley
left a comment
There was a problem hiding this comment.
Thanks for your patience on this, @jayaraman-venkatesan, and for adding those tests as requested--they fill in that coverage gap well. I have another round of feedback but it looks really close. I hope you don't mind, but since I had a delay getting back to this review I am going to proceed with pushing a commit that addresses this feedback directly.
-
DCR-only validation runs even when DCR is bypassed.
ResolveApplicationTyperuns in the provider constructor, so a static-client or successful-CIMD configuration can fail because of an unused DCRApplicationTypemismatch.DynamicClientRegistrationOptionsis documented as applying only when noClientIdis configured. Please resolve/validate immediately before constructing the DCR request, or otherwise gate it on the DCR path. -
An explicit application type cannot override the heuristic. The resolver rejects an explicit value that differs from URI inference. SEP-837 makes the native/web classification SHOULD-level guidance and allows retrying with an adjusted
application_type; the other Tier 1 SDKs preserve a configured value and infer only when it is absent. Please treat an explicit value as authoritative and use inference only as the default.
Defer application type validation until dynamic registration is selected, so static-client and CIMD flows ignore unused DCR settings. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Use explicit application types as configured and infer a value only when no override is supplied. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
jeffhandley
left a comment
There was a problem hiding this comment.
This is now good with me and Copilot-assisted deep review of the SEP vs. the implementation confirms the SEP to be fully satisfied.
@halter73 I'd like a review from you on this too before we merge for the 2.0.0 release.
Fixes #1545
Implements SEP-837 — adds
application_typeto the Dynamic Client Registration request when the C# SDK registers against an OIDC-flavored authorization server.Summary
Without
application_type, an OIDC AS applies its spec-mandated default. This PR makes the SDK supply the correct value.What happens in the changes
When the caller sets
DynamicClientRegistrationOptions.ApplicationTypeexplicitly, that value is sent unchanged. Otherwise, the SDK infers the value from the redirect URI immediately before Dynamic Client Registration is performed.What changed
src/ModelContextProtocol.Core/Authentication/DynamicClientRegistrationRequest.cs— adds theapplication_typefield on the wire DTO.DynamicClientRegistrationOptions.cs— adds theApplicationTypesetter so callers can opt out of inference and force a specific value.ClientOAuthProvider.cs— resolves the application type only when Dynamic Client Registration is selected:InferApplicationType(Uri redirectUri)helper.tests/ModelContextProtocol.Tests/Authentication/ClientOAuthProviderApplicationTypeTests.cs(new)Contract changes
DynamicClientRegistrationOptions:ApplicationType { get; set; }. Backwards-compatible — existing callers default tonulland now get an inferred value where they previously got nothing on the wire.Test plan
dotnet build— 0 warnings, 0 errors.native, explicitweboverride, DCR failure/retry, and static-client/CIMD flows with unused DCR settings.