Securing Dynamic Client Registration (DCR) from Abuse in OAuth for MCP Server

conflict_commit · July 23, 2025, 2:18pm

I am looking for a reliable way to secure Dynamic Client Registration (DCR) to prevent malicious users from creating unauthorized clients on my IdentityServer. We’re currently exposing DCR as part of our OAuth setup for securing access to our MCP server and allowing MCP clients like Cursor and Claude to use it for authenticating users.

My concern is how to prevent abuse of the DCR endpoint, especially from anonymous or untrusted sources. Has anyone implemented a secure pattern for DCR in a production environment?

I would appreciate insights into:

Any best practices.
Whether it makes sense to completely disable DCR in favor of manual registration for MCP clients like cursor or claude.

Thanks in advance for any guidance or examples you can share!

ke-yu · July 24, 2025, 8:31am

There is a SEP about client registgration (SEP-007: Enable URL-based Client Registration using OAuth Client ID Metadata Documents · Issue #991 · modelcontextprotocol/modelcontextprotocol · GitHub), client ID metadata looks is promising - Authorization Server only needs to maintain a list of known client ID metadata URLs and return the same client ID.

Topic		Replies	Views
OAuth Code Flow with Cursor in MCP Server Without Dynamic Client Registration Help	1	1174	July 10, 2025
We need Cursor to support OAuth flow for remote MCP servers Feature Requests	10	4285	December 20, 2025
Custom MCP Client - No Option to Disable Dynamic Client Registration (DCR) and Use Static MCP_CLIENT_ID in Cursor IDE Feature Requests	3	1351	August 8, 2025
Integrating Google OAuth for MCP SSE Connections in Cursor Discussions	7	3750	February 13, 2026
Cursor Creating Hundreds of Thousands of MCP Oauth Clients Bug Reports	6	453	December 23, 2025

Securing Dynamic Client Registration (DCR) from Abuse in OAuth for MCP Server

Related topics