Add application_type support to dynamic client registration per MCP spec SEP-837

Agent-Logs-Url: https://github.com/modelcontextprotocol/csharp-sdk/sessions/8a200407-8cc6-4c69-97e0-c9a6ad509b93

Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>

Author: Copilot

src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs

@@ -33,11 +33,12 @@ internal sealed partial class ClientOAuthProvider : McpHttpClient
     private readonly AuthorizationRedirectDelegate _authorizationRedirectDelegate;
     private readonly Uri? _clientMetadataDocumentUri;
 
-    // _dcrClientName, _dcrClientUri, _dcrInitialAccessToken and _dcrResponseDelegate are used for dynamic client registration (RFC 7591)
+    // _dcrClientName, _dcrClientUri, _dcrInitialAccessToken, _dcrResponseDelegate and _dcrApplicationType are used for dynamic client registration (RFC 7591)
     private readonly string? _dcrClientName;
     private readonly Uri? _dcrClientUri;
     private readonly string? _dcrInitialAccessToken;
     private readonly Func<DynamicClientRegistrationResponse, CancellationToken, Task>? _dcrResponseDelegate;
+    private readonly string? _dcrApplicationType;
 
     private readonly HttpClient _httpClient;
     private readonly ILogger _logger;
@@ -89,6 +90,7 @@ public ClientOAuthProvider(
         _dcrClientUri = options.DynamicClientRegistration?.ClientUri;
         _dcrInitialAccessToken = options.DynamicClientRegistration?.InitialAccessToken;
         _dcrResponseDelegate = options.DynamicClientRegistration?.ResponseDelegate;
+        _dcrApplicationType = options.DynamicClientRegistration?.ApplicationType;
         _tokenCache = options.TokenCache ?? new InMemoryTokenCache();
     }
 
@@ -654,6 +656,7 @@ private async Task PerformDynamicClientRegistrationAsync(
             ClientName = _dcrClientName,
             ClientUri = _dcrClientUri?.ToString(),
             Scope = GetScopeParameter(protectedResourceMetadata),
+            ApplicationType = _dcrApplicationType ?? (IsLocalhostRedirectUri(_redirectUri) ? "native" : "web"),
         };
 
         var requestBytes = JsonSerializer.SerializeToUtf8Bytes(registrationRequest, McpJsonUtilities.JsonContext.Default.DynamicClientRegistrationRequest);
@@ -712,6 +715,11 @@ private async Task PerformDynamicClientRegistrationAsync(
     private static string? GetResourceUri(ProtectedResourceMetadata protectedResourceMetadata)
         => protectedResourceMetadata.Resource;
 
+    private static bool IsLocalhostRedirectUri(Uri redirectUri)
+        => redirectUri.Host.Equals("localhost", StringComparison.OrdinalIgnoreCase)
+        || redirectUri.Host.Equals("127.0.0.1", StringComparison.Ordinal)
+        || redirectUri.Host.Equals("[::1]", StringComparison.Ordinal);
+
     private string? GetScopeParameter(ProtectedResourceMetadata protectedResourceMetadata)
     {
         if (!string.IsNullOrEmpty(protectedResourceMetadata.WwwAuthenticateScope))

src/ModelContextProtocol.Core/Authentication/DynamicClientRegistrationOptions.cs

@@ -46,4 +46,20 @@ public sealed class DynamicClientRegistrationOptions
     /// </para>
     /// </remarks>
     public Func<DynamicClientRegistrationResponse, CancellationToken, Task>? ResponseDelegate { get; set; }
+
+    /// <summary>
+    /// Gets or sets the application type to use during dynamic client registration.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// Valid values are "native" and "web". If not specified, the application type will be
+    /// automatically determined based on the redirect URI: "native" for localhost/127.0.0.1
+    /// redirect URIs, "web" for all others.
+    /// </para>
+    /// <para>
+    /// Per the MCP specification, native applications (desktop, mobile, CLI, localhost web apps)
+    /// should use "native", and web applications (remote browser-based) should use "web".
+    /// </para>
+    /// </remarks>
+    public string? ApplicationType { get; set; }
 }

src/ModelContextProtocol.Core/Authentication/DynamicClientRegistrationRequest.cs

@@ -48,4 +48,15 @@ internal sealed class DynamicClientRegistrationRequest
     /// </summary>
     [JsonPropertyName("scope")]
     public string? Scope { get; init; }
+
+    /// <summary>
+    /// Gets or sets the application type for the client, as defined in OpenID Connect Dynamic Client Registration 1.0.
+    /// </summary>
+    /// <remarks>
+    /// Valid values are "native" and "web". MCP clients MUST specify this during Dynamic Client Registration.
+    /// Native applications (desktop, mobile, CLI, localhost web apps) should use "native".
+    /// Web applications (remote browser-based) should use "web".
+    /// </remarks>
+    [JsonPropertyName("application_type")]
+    public string? ApplicationType { get; init; }
 }

tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs

@@ -1261,4 +1261,82 @@ public async Task CanAuthenticate_WithLegacyServerUsingDefaultEndpointFallback()
         await using var client = await McpClient.CreateAsync(
             transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
     }
+
+    [Fact]
+    public async Task DynamicClientRegistration_SendsNativeApplicationType_ForLocalhostRedirectUri()
+    {
+        await using var app = await StartMcpServerAsync();
+
+        await using var transport = new HttpClientTransport(new()
+        {
+            Endpoint = new(McpServerUrl),
+            OAuth = new ClientOAuthOptions()
+            {
+                RedirectUri = new Uri("http://localhost:1179/callback"),
+                AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
+                DynamicClientRegistration = new()
+                {
+                    ClientName = "Test MCP Client",
+                },
+            },
+        }, HttpClient, LoggerFactory);
+
+        await using var client = await McpClient.CreateAsync(
+            transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
+
+        Assert.Equal("native", TestOAuthServer.LastRegistrationRequest?.ApplicationType);
+    }
+
+    [Fact]
+    public async Task DynamicClientRegistration_SendsWebApplicationType_ForNonLocalhostRedirectUri()
+    {
+        await using var app = await StartMcpServerAsync();
+
+        await using var transport = new HttpClientTransport(new()
+        {
+            Endpoint = new(McpServerUrl),
+            OAuth = new ClientOAuthOptions()
+            {
+                RedirectUri = new Uri("https://myapp.example.com/callback"),
+                AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
+                DynamicClientRegistration = new()
+                {
+                    ClientName = "Test MCP Client",
+                },
+            },
+        }, HttpClient, LoggerFactory);
+
+        await using var client = await McpClient.CreateAsync(
+            transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
+
+        Assert.Equal("web", TestOAuthServer.LastRegistrationRequest?.ApplicationType);
+    }
+
+    [Fact]
+    public async Task DynamicClientRegistration_UsesExplicitApplicationType_WhenConfigured()
+    {
+        await using var app = await StartMcpServerAsync();
+
+        await using var transport = new HttpClientTransport(new()
+        {
+            Endpoint = new(McpServerUrl),
+            OAuth = new ClientOAuthOptions()
+            {
+                // localhost redirect URI would normally auto-detect as "native",
+                // but the explicit setting should override it.
+                RedirectUri = new Uri("http://localhost:1179/callback"),
+                AuthorizationRedirectDelegate = HandleAuthorizationUrlAsync,
+                DynamicClientRegistration = new()
+                {
+                    ClientName = "Test MCP Client",
+                    ApplicationType = "web",
+                },
+            },
+        }, HttpClient, LoggerFactory);
+
+        await using var client = await McpClient.CreateAsync(
+            transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken);
+
+        Assert.Equal("web", TestOAuthServer.LastRegistrationRequest?.ApplicationType);
+    }
 }

tests/ModelContextProtocol.TestOAuthServer/ClientRegistrationRequest.cs

@@ -5,7 +5,7 @@ namespace ModelContextProtocol.TestOAuthServer;
 /// <summary>
 /// Represents a client registration request as defined in RFC 7591.
 /// </summary>
-internal sealed class ClientRegistrationRequest
+public sealed class ClientRegistrationRequest
 {
     /// <summary>
     /// Gets or sets the redirect URIs for the client.
@@ -55,6 +55,12 @@ internal sealed class ClientRegistrationRequest
     [JsonPropertyName("scope")]
     public string? Scope { get; init; }
 
+    /// <summary>
+    /// Gets or sets the application type.
+    /// </summary>
+    [JsonPropertyName("application_type")]
+    public string? ApplicationType { get; init; }
+
     /// <summary>
     /// Gets or sets the contacts for the client.
     /// </summary>

tests/ModelContextProtocol.TestOAuthServer/Program.cs

@@ -81,6 +81,11 @@ public Program(ILoggerProvider? loggerProvider = null, IConnectionListenerFactor
     public HashSet<string> DisabledMetadataPaths { get; } = new(StringComparer.OrdinalIgnoreCase);
     public IReadOnlyCollection<string> MetadataRequests => _metadataRequests.ToArray();
 
+    /// <summary>
+    /// Gets the most recent dynamic client registration request received by the server.
+    /// </summary>
+    public ClientRegistrationRequest? LastRegistrationRequest { get; private set; }
+
     /// <summary>
     /// Entry point for the application.
     /// </summary>
@@ -501,6 +506,8 @@ IResult HandleMetadataRequest(HttpContext context, string? issuerPath = null)
                 });
             }
 
+            LastRegistrationRequest = registrationRequest;
+
             // Validate redirect URIs are provided
             if (registrationRequest.RedirectUris.Count == 0)
             {