Implement RFC 7591 Dynamic Client Registration for ChatGPT OAuth #55
Merged
Spring Authorization Server 1.5.x does not natively support DCR (RFC 7591), so this adds a minimal manual implementation to unblock the ChatGPT OAuth flow. ChatGPT requires DCR and treats its absence in the OIDC discovery document as a hard error ("There was a problem connecting").

Changes:
- DynamicClientRegistrationController: POST /connect/register that registers public PKCE-required clients (no secret, authorization_code only). Per-IP rate limit of 5/min prevents DB flooding. Redirect URIs must use HTTPS or http://localhost. Scopes are validated against the MCP allowed-scope list. Statically configured GPT/MCP clients are never overridden because the server always generates the client_id ("dcr-<uuid>") and ignores any client-provided value.
- AuthorizationServerConfig: OIDC discovery now advertises registration_endpoint and ensures "none" appears in token_endpoint_auth_methods_supported. Also adds a userInfoMapper so /userinfo returns sub, email, and name (loaded from UserRepository) instead of just sub.
- SecurityConfig: permits /connect/register without authentication.
- DynamicClientRegistrationIT: integration tests covering discovery doc, happy path, scope intersection, redirect_uri validation, and rate limiting.
https://claude.ai/code/session_01X74fzJo874vACX3PM9mrWn
Qodana for JVM: 3 new problems were found.
Summary

Adds support for RFC 7591 Dynamic Client Registration (DCR) to enable ChatGPT plugin OAuth integration. ChatGPT requires a DCR endpoint before it can complete the OAuth flow. This implementation provides a public /connect/register endpoint that allows clients to dynamically register without pre-configuration.

Key Changes
- New DCR Controller (DynamicClientRegistrationController): /connect/register POST endpoint
- OIDC Discovery Updates (AuthorizationServerConfig): registration_endpoint in .well-known/openid-configuration; token_endpoint_auth_methods_supported for public client support
- Security Configuration (SecurityConfig): /connect/register endpoint
- Comprehensive Integration Tests (DynamicClientRegistrationIT):

Implementation Details