feat: implement dynamic client registration #7096

Merged
Zaimwa9 merged 42 commits into main from feat/implement-dynamic-client-registration
Apr 8, 2026

@Zaimwa9 Zaimwa9 commented Apr 1, 2026

Thanks for submitting a PR! Please check the boxes below:

  • I have read the Contributing Guide.
  • I have added information to docs/ if required so people know about the feature.
  • I have filled in the "Changes" section below.
  • I have filled in the "How did you test this code" section below.

Changes

Closes #7033

Implements POST /o/register/ for DCR OAuth Dynamic Client Registration to enable MCP clients to self-register their application.

  • Added DCR endpoint that
    • accepts client_name and redirect_uris
    • creates a public DOT Application
    • returns a client_id
  • Redirect URI validation: HTTPS required (localhost/127.0.0.1 exception), no wildcards, no fragments, max 5 URIs
  • XSS on consent screen protection with client name sanitisation
  • Dedicated DCR_THROTTLE_RATE throttle scope at 10/min per IP
  • RFC 7591 compliant error responses (error + error_description format)
  • Daily recurring task to clean up stale applications (registered > 14 days ago, never used)

How did you test this code?

https://www.loom.com/share/8f821fda00cd48cbbc4673a509047364

  1. Start the dev server: make docker-up django-migrate && make serve
  2. Register a client:

     curl -s -X POST http://localhost:8000/o/register/ \
       -H 'Content-Type: application/json' \
       -d '{"client_name": "OAuth Test Server", "redirect_uris": ["http://localhost:3000/oauth/callback"]}' \
       | python3 -m json.tool

  3. Update CLIENT_ID in api/oauth2_test_server.mjs with the returned client_id
  4. Run node api/oauth2_test_server.mjs and open http://localhost:3000
  5. Log in via the Django admin page, then authorise the application on the consent screen
  6. Verify the token response is returned (access_token, refresh_token, scope: mcp)
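
An added illustration of the redirect URI rules listed in the PR description above (HTTPS required with a localhost/127.0.0.1 exception, no wildcards, no fragments, max 5 URIs), returning RFC 7591 style error bodies. This is not the code merged in this PR; the function names, the MAX_REDIRECT_URIS and LOOPBACK_HOSTS constants, and the sample URIs are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumed names; the limits mirror the rules listed in the PR description.
MAX_REDIRECT_URIS = 5
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def _error(description):
    # RFC 7591 section 3.2.2 error body: error + error_description.
    return {"error": "invalid_redirect_uri", "error_description": description}


def validate_redirect_uris(uris):
    """Return None if every URI is acceptable, else an RFC 7591 error dict."""
    if not isinstance(uris, list) or not uris:
        return _error("redirect_uris must be a non-empty list")
    if len(uris) > MAX_REDIRECT_URIS:
        return _error(f"at most {MAX_REDIRECT_URIS} redirect_uris are allowed")
    for uri in uris:
        if not isinstance(uri, str):
            return _error("each redirect URI must be a string")
        if "*" in uri:
            return _error(f"wildcards are not allowed: {uri}")
        if "#" in uri:
            return _error(f"fragments are not allowed: {uri}")
        try:
            parts = urlsplit(uri)
        except ValueError:
            return _error(f"malformed URI: {uri}")
        host = parts.hostname  # parsed and lower-cased, userinfo/port removed
        if not host:
            return _error(f"URI has no host: {uri}")
        # Compare the parsed hostname exactly, not a string prefix, so a host
        # that merely starts with "localhost" does not get the HTTP exception.
        if parts.scheme == "https":
            continue
        if parts.scheme == "http" and host in LOOPBACK_HOSTS:
            continue
        return _error(f"HTTPS is required for non-loopback hosts: {uri}")
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the PR.
    for sample in (["http://localhost:3000/oauth/callback"],
                   ["http://app.example.com/cb"],
                   ["https://*.example.com/cb"]):
        print(sample, "->", validate_redirect_uris(sample))
```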

@Zaimwa9 Zaimwa9 requested a review from gagantrivedi April 1, 2026 14:56
@Zaimwa9 Zaimwa9 requested a review from a team as a code owner April 1, 2026 14:56
@claude claude bot left a comment

⚠️ Code review skipped — your organization's overage spend limit has been reached.

Code review is billed via overage credits. To resume reviews, an organization admin can raise the monthly limit at claude.ai/admin-settings/claude-code.

Once credits are available, reopen this pull request to trigger a review.

vercel bot commented Apr 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Ready | Preview, Comment | Apr 8, 2026 8:16am |
| flagsmith-frontend-preview | Ready | Preview, Comment | Apr 8, 2026 8:16am |
| flagsmith-frontend-staging | Ready | Preview, Comment | Apr 8, 2026 8:16am |

@github-actions github-actions bot added api Issue related to the REST API feature New feature or request labels Apr 1, 2026
@github-actions github-actions bot added the feature New feature or request label Apr 6, 2026
@Zaimwa9 Zaimwa9 requested a review from gagantrivedi April 6, 2026 09:04
gagantrivedi previously approved these changes Apr 6, 2026
@github-actions github-actions bot added feature New feature or request and removed feature New feature or request labels Apr 7, 2026
Base automatically changed from feat/setup-dot-and-as-metadata to main April 8, 2026 07:59
@Zaimwa9 Zaimwa9 dismissed gagantrivedi’s stale review April 8, 2026 07:59

The base branch was changed.

@Zaimwa9 Zaimwa9 requested a review from a team as a code owner April 8, 2026 07:59
@Zaimwa9 Zaimwa9 requested review from germangarces and removed request for a team April 8, 2026 07:59
@Zaimwa9 Zaimwa9 merged commit 8cd740f into main Apr 8, 2026
36 checks passed
@Zaimwa9 Zaimwa9 deleted the feat/implement-dynamic-client-registration branch April 8, 2026 08:37
Labels

api Issue related to the REST API feature New feature or request

Development

Successfully merging this pull request may close these issues.

Dynamic Client Registration endpoint

2 participants