From prodsec-skills
Guides implementation of OAuth 2.0 Dynamic Client Registration (RFC 7591) for authorization servers, including endpoint setup, request handling, and security mitigations.
Slash command: /prodsec-skills:dynamic-client-registration
Authorization servers MAY support the OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591). This allows MCP clients to register automatically without manual intervention.
If supported, the authorization server MUST expose a registration_endpoint in its discovery metadata and handle registration requests per RFC 7591.
Example registration request:

```http
POST /register HTTP/1.1
Host: auth.example.com
Content-Type: application/json

{
  "client_name": "MCP Client App",
  "redirect_uris": ["https://client.example.com/callback"],
  "grant_types": ["authorization_code"],
  "response_types": ["code"],
  "token_endpoint_auth_method": "none",
  "scope": "tools:read tools:execute"
}
```

Example registration response:

```json
{
  "client_id": "generated-client-id",
  "client_id_issued_at": 1700000000,
  "redirect_uris": ["https://client.example.com/callback"],
  "grant_types": ["authorization_code"],
  "response_types": ["code"],
  "token_endpoint_auth_method": "none"
}
```
| Concern | Mitigation |
|---|---|
| Abuse/spam registrations | Rate limit registration endpoint, require initial access tokens |
| Malicious redirect URIs | Validate redirect URIs strictly (HTTPS, no open redirectors) |
| Resource exhaustion | Limit number of registrations per IP/token, expire unused registrations |
| Privilege escalation | Only grant requested scopes that are within the server's allowed set |
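As an added example (not code from the prodsec-skills skill or from RFC 7591 itself), the handler below implements the request/response shape shown above together with every row of the mitigation table: an initial access token gate, a per-IP registration cap, strict redirect URI validation (HTTPS only, concrete host, no fragment, no query value that forwards to another URL), grant/response type consistency, and scope narrowing to the server's allowed set. It goes slightly beyond the public-client case on the page by also issuing a secret for confidential clients. The function names `register_client` and `validate_redirect_uri`, the policy constants, the in-memory counter and the sample token value are all assumptions constructed for this example.

```python
import secrets
import time
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Server policy; constructed for this example, not taken from the RFC.
ALLOWED_SCOPES = {"tools:read", "tools:execute"}
ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token"}
ALLOWED_AUTH_METHODS = {"none", "client_secret_basic", "client_secret_post"}
MAX_REDIRECT_URIS = 10
MAX_REGISTRATIONS_PER_IP = 3
# Initial access tokens (RFC 7591 section 3) are issued out of band; sample value is constructed.
VALID_INITIAL_ACCESS_TOKENS = {"iat-example-token"}

# In-memory counter of successful registrations per source address (a real server persists this).
_registrations_per_ip = defaultdict(int)


class RegistrationError(Exception):
    """Carries an RFC 7591 error code plus a human-readable description."""

    def __init__(self, error, description):
        super().__init__(description)
        self.error, self.description = error, description


def validate_redirect_uri(uri):
    """Accept only an absolute https URI with a concrete host, no fragment and no wildcard.
    Query values that are themselves URLs are rejected as an open-redirector pattern."""
    if not isinstance(uri, str):
        raise RegistrationError("invalid_redirect_uri", "redirect_uri must be a string")
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise RegistrationError("invalid_redirect_uri", f"redirect_uri must use https: {uri}")
    if not parts.hostname or "*" in parts.netloc:
        raise RegistrationError("invalid_redirect_uri", f"redirect_uri needs a concrete host: {uri}")
    if "#" in uri:
        raise RegistrationError("invalid_redirect_uri", f"redirect_uri must not carry a fragment: {uri}")
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.startswith(("http://", "https://", "//")):
            raise RegistrationError("invalid_redirect_uri", f"redirect_uri query forwards elsewhere: {uri}")
    return uri  # stored verbatim; the authorization endpoint later requires an exact string match


def register_client(request, client_ip, initial_access_token=None):
    """Handle one POST /register JSON body. Returns (http_status, response_body)."""
    if initial_access_token not in VALID_INITIAL_ACCESS_TOKENS:
        return 401, {"error": "invalid_token", "error_description": "initial access token required"}
    if _registrations_per_ip[client_ip] >= MAX_REGISTRATIONS_PER_IP:
        return 429, {"error": "too_many_registrations", "error_description": "rate limit exceeded"}
    try:
        redirect_uris = request.get("redirect_uris")
        if not isinstance(redirect_uris, list) or not redirect_uris:
            raise RegistrationError("invalid_redirect_uri", "redirect_uris must be a non-empty array")
        if len(redirect_uris) > MAX_REDIRECT_URIS:
            raise RegistrationError("invalid_client_metadata", "too many redirect_uris")
        redirect_uris = [validate_redirect_uri(u) for u in redirect_uris]

        grant_types = set(request.get("grant_types", ["authorization_code"]))
        response_types = set(request.get("response_types", ["code"]))
        if not grant_types <= ALLOWED_GRANT_TYPES:
            raise RegistrationError("invalid_client_metadata",
                                    f"unsupported grant_types: {sorted(grant_types - ALLOWED_GRANT_TYPES)}")
        if "authorization_code" in grant_types and "code" not in response_types:
            raise RegistrationError("invalid_client_metadata", "authorization_code requires response_type code")
        if response_types - {"code"}:
            raise RegistrationError("invalid_client_metadata", "only response_type code is supported")

        auth_method = request.get("token_endpoint_auth_method", "client_secret_basic")
        if auth_method not in ALLOWED_AUTH_METHODS:
            raise RegistrationError("invalid_client_metadata",
                                    f"unsupported token_endpoint_auth_method: {auth_method}")

        # Least privilege: grant only the intersection of requested and allowed scopes.
        requested_scopes = set(request.get("scope", "").split())
        granted_scopes = requested_scopes & ALLOWED_SCOPES
        if requested_scopes and not granted_scopes:
            raise RegistrationError("invalid_client_metadata", "none of the requested scopes are available")
    except RegistrationError as exc:
        return 400, {"error": exc.error, "error_description": exc.description}

    _registrations_per_ip[client_ip] += 1
    client = {
        "client_id": secrets.token_urlsafe(24),
        "client_id_issued_at": int(time.time()),
        "redirect_uris": redirect_uris,
        "grant_types": sorted(grant_types),
        "response_types": sorted(response_types),
        "token_endpoint_auth_method": auth_method,
    }
    if "client_name" in request:
        client["client_name"] = str(request["client_name"])[:100]
    if granted_scopes:
        client["scope"] = " ".join(sorted(granted_scopes))
    if auth_method != "none":
        # Confidential clients get a secret, returned once and stored hashed server-side.
        client["client_secret"] = secrets.token_urlsafe(32)
        client["client_secret_expires_at"] = 0  # 0 = does not expire (RFC 7591 section 3.2.1)
    return 201, client
```

Failed attempts are not counted against the per-IP cap so that a client with a typo cannot lock itself out, while successful registrations are, which is what bounds resource use; rejected scopes are dropped rather than failing the whole request, matching the "only grant requested scopes within the allowed set" row of the table.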
Install:

```shell
npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills
```

Related skills in prodsec-skills:

- Implements OAuth 2.0 Dynamic Client Registration (RFC 7591) for MCP clients, enabling automatic registration with authorization servers without manual setup.
- Configures OAuth 2.0 authorization flows including Authorization Code with PKCE, Client Credentials, and Device Authorization Grant. Covers flow selection, PKCE implementation, token lifecycle, and OAuth 2.1 security best practices.