Problem
The MCP 2025-06-18 authorization spec introduces Client ID Metadata Documents: when an AS declares client_id_metadata_document_supported: true in its RFC 8414 metadata, clients should skip DCR and instead use a publicly-hosted metadata URL as the client_id. mcp-stdio always attempts DCR, which is unnecessary (and may fail) on AS that support this newer flow.
Reference: mcp-remote#224, MCP Authorization spec 2025-06-18
Proposed solution
- Read
client_id_metadata_document_supported from AS metadata (OAuthMetadata)
- When
True, skip DCR and pass a well-known client metadata URL as client_id
- Add optional
--client-metadata-url flag to override the default URL
- DCR path unchanged for AS that do not support this flow
Scope
oauth.py — discover_oauth_metadata() parses the new field; authorize() branches on itcli.py — optional --client-metadata-url flag- Serve a minimal JSON document at the metadata URL (or require the user to host one)
Difficulty
Medium
Problem
The MCP 2025-06-18 authorization spec introduces Client ID Metadata Documents: when an AS declares
client_id_metadata_document_supported: truein its RFC 8414 metadata, clients should skip DCR and instead use a publicly-hosted metadata URL as theclient_id. mcp-stdio always attempts DCR, which is unnecessary (and may fail) on AS that support this newer flow.Reference: mcp-remote#224, MCP Authorization spec 2025-06-18
Proposed solution
client_id_metadata_document_supportedfrom AS metadata (OAuthMetadata)True, skip DCR and pass a well-known client metadata URL asclient_id--client-metadata-urlflag to override the default URLScope
oauth.py—discover_oauth_metadata()parses the new field;authorize()branches on itcli.py— optional--client-metadata-urlflagDifficulty
Medium