Skip to content

Add SEP-991 (CIMD) support for URL-based client IDs#570

Merged
alexhancock merged 8 commits intomodelcontextprotocol:mainfrom
tanish111:feat/cimd
Dec 10, 2025
Merged

Add SEP-991 (CIMD) support for URL-based client IDs#570
alexhancock merged 8 commits intomodelcontextprotocol:mainfrom
tanish111:feat/cimd

Conversation

@tanish111
Copy link
Contributor

@tanish111 tanish111 commented Dec 4, 2025
edited
Loading

  • Added SEP-991 (CIMD) support in crates/rmcp/src/transport/auth.rs.
  • Updated AuthorizationSession::new() to accept an optional client_metadata_url and check client_id_metadata_document_supported in the authorization server metadata. When a valid metadata URL is provided and supported, the client uses the URL as the client_id (CIMD flow); otherwise, it falls back to dynamic client registration.
  • Added OAuthState::start_authorization_with_metadata_url(), and updated start_authorization() to call it with None for backward compatibility. This maintains existing behavior while enabling URL-based client IDs when servers support CIMD.

Motivation and Context

Implement SEP-991: URL-based Client Registration (OAuth Client ID Metadata)

How Has This Been Tested?

  1. Created a CIMD-compliant OAuth server example (cimd_auth_streamhttp.rs) implementing SEP-991: validates client_id URLs, fetches and validates client metadata documents, and enforces CIMD restrictions according to specs. This is tested against external CIMD-compliant testing tools (client.dev and example-app.com/client).
    Testing Results form client.dev for example server:-
Screenshot 2025-12-05 at 12 44 57 AM

  1. Updated oauth_client.rs to support CIMD with 2 CLI arguments (server URL and client metadata URL). End-to-end flow verified:
    Start the server using cargo run --example servers_cimd_auth_streamhttp
    In a seperate terminal run the client with cargo run --example clients_oauth_client --package mcp-client-examples -- http://127.0.0.1:3000 https://raw.githubusercontent.com/tanish111/cimd-local-oauth-server/refs/heads/main/client-metadata.json. And complete the OAuth Flow.

  2. Added unit tests for the is_https_url helper covering valid HTTPS URLs, invalid schemes, root paths, and edge cases.

Breaking Changes

No

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

Fix issue #519

@github-actions github-actions bot added T-dependencies Dependencies related changes T-config Configuration file changes T-core Core library changes T-examples Example code changes T-transport Transport layer changes labels Dec 4, 2025
@tanish111 tanish111 changed the title Feat/cimd Add SEP-991 (CIMD) support for URL-based client IDs Dec 4, 2025
@tanish111 tanish111 mentioned this pull request Dec 4, 2025
Closed
@tanish111
feat(auth): add cimd support for SEP-991
1fb0ef3 
add cimd support for url-based client ids

Signed-off-by: tanish111 <tanishdesai37@gmail.com>
@tanish111
test(auth): add unit tests for is_https_url helper
2784a6d 
Add test coverage for is_https_url helper to validate HTTPS scheme, non-root paths,
and reject http, javascript, data schemes, and invalid inputs per SEP-991 requirements.

Signed-off-by: tanish111 <tanishdesai37@gmail.com>
@tanish111
feat(example): add CIMD OAuth server for SEP-991 testing
45af2c2 
Implements a new server example (servers_cimd_auth_streamhttp) that
demonstrates CIMD (Client ID Metadata Document) support for URL-based
client IDs. The server validates client_id URLs, fetches and validates
client metadata documents, and provides OAuth 2.0 authorization endpoints
with MCP integration for end-to-end testing.

Signed-off-by: tanish111 <tanishdesai37@gmail.com>
@tanish111
fix(oauth): add CORS headers to token endpoint
b131bb1 
Add CORS headers to token endpoint to allow cross-origin requests from browsers
during OAuth authorization code exchange flow.

Signed-off-by: tanish111 <tanishdesai37@gmail.com>
@jokemanfire
Copy link
Member

jokemanfire commented Dec 9, 2025

There's a interface set_credentials , Can it already cover CIMD?

jokemanfire
jokemanfire reviewed Dec 9, 2025
View reviewed changes
@tanish111
refactor: improve is_https_url function and consolidate tests
463b73a 
- Improve is_https_url function formatting and readability
- Merge all test cases into single test_is_https_url_scenarios function
- Add missing test case for "https://" URL

Signed-off-by: tanish111 <tanishdesai37@gmail.com>
@tanish111
Merge remote-tracking branch 'origin/main' into feat/cimd
88f4c30
jokemanfire
jokemanfire previously approved these changes Dec 9, 2025
View reviewed changes
@jokemanfire
Copy link
Member

jokemanfire commented Dec 9, 2025

LGTM ,but a little grammar simplification.

@tanish111
refactor: use map_err instead of match for error handling in auth.rs
51f0209 
Replace the verbose match statement with
map_err for more idiomatic

Signed-off-by: tanish111 <tanishdesai37@gmail.com>
@tanish111
Copy link
Contributor Author

tanish111 commented Dec 9, 2025

@alexhancock can you also review it?

@tanish111 tanish111 requested a review from jokemanfire December 9, 2025 18:32
jokemanfire
jokemanfire previously approved these changes Dec 10, 2025
View reviewed changes
alexhancock
alexhancock previously approved these changes Dec 10, 2025
View reviewed changes
examples/clients/src/auth/oauth_client.rs Outdated
const MCP_REDIRECT_URI: &str = "http://127.0.0.1:8080/callback";
const CALLBACK_PORT: u16 = 8080;
const CALLBACK_HTML: &str = include_str!("callback.html");
const CLIENT_METADATA_URL: &str = "https://raw.githubusercontent.com/tanish111/cimd-local-oauth-server/refs/heads/main/client-metadata.json";
Copy link
Contributor

@alexhancock alexhancock Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you put one in the rust-sdk repo itself?

Copy link
Contributor Author

@tanish111 tanish111 Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alexhancock yes I can

Copy link
Contributor Author

@tanish111 tanish111 Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alexhancock I have updated it with new metadata json hosted on rust-sdk repo.

@tanish111
feat: add client-metadata.json
a8a5e92 
Add client metadata file for SEP-991 CIMD
authentication support

Signed-off-by: tanish111 <tanishdesai37@gmail.com>
@tanish111 tanish111 dismissed stale reviews from alexhancock and jokemanfire via a8a5e92 December 10, 2025 02:18
@alexhancock alexhancock self-requested a review December 10, 2025 13:55
@alexhancock alexhancock merged commit f20ed20 into modelcontextprotocol:main Dec 10, 2025
11 checks passed
@github-actions github-actions bot mentioned this pull request Dec 10, 2025
Merged
@tanish111 tanish111 mentioned this pull request Dec 11, 2025
Merged
9 tasks
takumi-earth pushed a commit to earthlings-dev/rmcp that referenced this pull request Jan 27, 2026
@tanish111
Add SEP-991 (CIMD) support for URL-based client IDs (modelcontextprot…
4cdcb02 
…ocol#570)

* feat(auth): add cimd support for SEP-991

add cimd support for url-based client ids

Signed-off-by: tanish111 <tanishdesai37@gmail.com>

* test(auth): add unit tests for is_https_url helper

Add test coverage for is_https_url helper to validate HTTPS scheme, non-root paths,
and reject http, javascript, data schemes, and invalid inputs per SEP-991 requirements.

Signed-off-by: tanish111 <tanishdesai37@gmail.com>

* feat(example): add CIMD OAuth server for SEP-991 testing

Implements a new server example (servers_cimd_auth_streamhttp) that
demonstrates CIMD (Client ID Metadata Document) support for URL-based
client IDs. The server validates client_id URLs, fetches and validates
client metadata documents, and provides OAuth 2.0 authorization endpoints
with MCP integration for end-to-end testing.

Signed-off-by: tanish111 <tanishdesai37@gmail.com>

* fix(oauth): add CORS headers to token endpoint

Add CORS headers to token endpoint to allow cross-origin requests from browsers
during OAuth authorization code exchange flow.

Signed-off-by: tanish111 <tanishdesai37@gmail.com>

* refactor: improve is_https_url function and consolidate tests

- Improve is_https_url function formatting and readability
- Merge all test cases into single test_is_https_url_scenarios function
- Add missing test case for "https://" URL

Signed-off-by: tanish111 <tanishdesai37@gmail.com>

* refactor: use map_err instead of match for error handling in auth.rs

Replace the verbose match statement with
map_err for more idiomatic

Signed-off-by: tanish111 <tanishdesai37@gmail.com>

* feat: add client-metadata.json

Add client metadata file for SEP-991 CIMD
authentication support

Signed-off-by: tanish111 <tanishdesai37@gmail.com>

---------

Signed-off-by: tanish111 <tanishdesai37@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexhancock alexhancock alexhancock approved these changes

@jokemanfire jokemanfire jokemanfire left review comments

Assignees

No one assigned

Labels

T-config Configuration file changes T-core Core library changes T-dependencies Dependencies related changes T-examples Example code changes T-transport Transport layer changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tanish111 @jokemanfire @alexhancock