Skip to content

Validate DCR redirect_uris with HTTPS-or-loopback policy#2860

Open
KirtiRamchandani wants to merge 8 commits into
modelcontextprotocol:mainfrom
KirtiRamchandani:fix/dcr-redirect-uri-validation
Open

Validate DCR redirect_uris with HTTPS-or-loopback policy#2860
KirtiRamchandani wants to merge 8 commits into
modelcontextprotocol:mainfrom
KirtiRamchandani:fix/dcr-redirect-uri-validation

Conversation

@KirtiRamchandani

@KirtiRamchandani KirtiRamchandani commented Jun 13, 2026

Copy link
Copy Markdown

Problem

Dynamic client registration accepts dangerous redirect_uris such as javascript:, data:, file:, cleartext non-loopback http://, and URIs with fragments. The SDK already enforces an HTTPS-or-loopback policy for issuer URLs, but DCR did not apply the same checks.

Root cause

RegistrationHandler passed client-submitted redirect_uris straight through after Pydantic URL parsing. AnyUrl accepts any syntactically valid scheme.

Fix

  • Add validate_registered_redirect_uri() alongside the existing issuer URL validator
  • Reject unsafe schemes, non-loopback HTTP, and fragment-bearing redirect URIs during /register
  • Return invalid_client_metadata when validation fails

Testing

  • Extended tests/server/auth/test_routes.py
  • python3 -m pytest tests/server/auth/test_routes.py -q --confcutdir=tests/server/auth

Fixes #2629

@KirtiRamchandani
Validate DCR redirect_uris with HTTPS-or-loopback policy
f896b40 
Reject dangerous redirect URI schemes and fragments during dynamic client
registration, matching the existing issuer URL validation rules.

Fixes modelcontextprotocol#2629
@KirtiRamchandani
Fix CI: import order and reject non-loopback redirect test
e31227d
@KirtiRamchandani
Mark redirect URI scheme requirement as implemented
cbd2d8b
@KirtiRamchandani
fix(auth): always validate required redirect_uris at registration
a18fbd9
@KirtiRamchandani
fix(auth): guard required redirect_uris for pyright and coverage
b6f3ce6
@KirtiRamchandani
fix(auth): drop unreachable redirect_uris guard for coverage
35309c8 
Pydantic already requires redirect_uris with min_length=1; the handler
check was unreachable and blocked 100% coverage.
@KirtiRamchandani
fix(auth): guard None redirect_uris for pyright
46da2f0
@KirtiRamchandani
fix(auth): assert redirect_uris for pyright without coverage gap
728e429
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

DCR registration accepts redirect_uris with non-HTTPS / non-loopback / fragmented schemes

1 participant

@KirtiRamchandani