Support authorization without client registration when disabled via config

[Rodriguespn]

Is your feature request related to a problem? Please describe.
Clients like Claude Desktop and Cursor do not perform client registration, meaning they do not implement the MCP OAuth spec’s dynamic client registration step. These clients call the /.well-known/oauth-authorization-server and then immediately call the /authorize endpoint, skipping client registration entirely.

This behavior leads to a 400 error during authorization since the server tries to fetch the client_id, assuming the client has already registered. While this complies with the OAuth spec, it introduces usability issues for servers that explicitly disabled client registration. According to the spec, client registration is not mandatory, so servers with registration disabled should still be able to authorize clients to follow the rest of the flow correctly.

Describe the solution you’d like
When client_registration_options.enabled is set to False, the /authorize endpoint should not attempt to load or validate the client_id. Instead, it should use the values provided directly from the auth_request, such as redirect_uri and scopes.

Here’s a proposed conditional logic update for the /authorize endpoint:

# src/mcp/server/auth/handlers/authorize.py

@dataclass
class AuthorizationHandler:
    provider: OAuthAuthorizationServerProvider[Any, Any, Any]

    async def handle(self, request: Request) -> Response:
    ...

    # Get client information only if registration is enabled
    if self.settings.auth.client_registration_options.enabled:
        client = await self.provider.get_client(auth_request.client_id)
        if not client:
            return await error_response(
                error="invalid_request",
                error_description=f"Client ID '{auth_request.client_id}' not found",
                attempt_load_client=False,
            )
        
        try:
            redirect_uri = client.validate_redirect_uri(auth_request.redirect_uri)
        except InvalidRedirectUriError as validation_error:
            return await error_response(
                error="invalid_request",
                error_description=validation_error.message,
            )
    
        try:
            scopes = client.validate_scope(auth_request.scope)
        except InvalidScopeError as validation_error:
            return await error_response(
                error="invalid_scope",
                error_description=validation_error.message,
            )
    else:
        # Trust values from the auth_request
        redirect_uri = auth_request.redirect_uri
        scopes = auth_request.scopes

And then proceed to build the AuthorizationParams from these values:

auth_params = AuthorizationParams(
    state=state,
    scopes=scopes,
    code_challenge=auth_request.code_challenge,
    redirect_uri=redirect_uri,
    redirect_uri_provided_explicitly=auth_request.redirect_uri is not None,
)

Describe alternatives you’ve considered

• Manually pre-registering clients like Cursor and Claude (impractical and not scalable).
• Forcing all clients to register, even when the server has client_registration_options.enabled=False (not spec-compliant).

Additional context
This change would enhance compatibility with real-world MCP clients that omit registration, while remaining spec-compliant. It improves developer experience when running MCP servers in environments where client registration is not required or desired.

[asparsh29kumar]

I am not sure if Cursor is not performing client registration. Based on my experiments, I believe the 400 error it is due to Cursor not supporting Custom URI Schemes as mentioned #897.

[Rodriguespn]

I am not sure if Cursor is not performing client registration. Based on my experiments, I believe the 400 error it is due to Cursor not supporting Custom URI Schemes as mentioned #897.

I just tested my remote MCP server on Cursor and Cursor doesn't even initiate the oAuth flow. It receives a 401 Unauthorized after trying to connect to my MCP server but doesn't call the metadata endpoint.

Any suggestions on how I can make Cursor to start the Auth flow @asparsh29kumar ? I also have been using Claude Desktop but it seems that it doesn't fully implement the oAuth flow from MCP Auth spec.

Any recommendation of MCP clients that follow the spec is appreciated

[asparsh29kumar]

Oh. Are you on the latest version of Cursor? Oauth is supported on the 1.0.0 version. The documentation for the same is here. They released it this week I believe.

Before this I used to use this mcp-remote node package to connect to remote servers with Oauth. It still works if you want to try it out:

{
  "mcpServers": {
    "auth-mcp-server": {
      "command": "npx",
      "args": ["mcp-remote", "https://mcp.example.com/mcp"]
    }
  }
}

[Rodriguespn]

Oh. Are you on the latest version of Cursor? Oauth is supported on the 1.0.0 version. The documentation for the same is here. They released it this week I believe.

Before this I used to use this mcp-remote node package to connect to remote servers with Oauth. It still works if you want to try it out:

{
  "mcpServers": {
    "auth-mcp-server": {
      "command": "npx",
      "args": ["mcp-remote", "https://mcp.example.com/mcp"]
    }
  }
}

Thanks @asparsh29kumar ! I was on an older version of Cursor — just updated to 1.0.0, and also upgraded the Python SDK to v1.9.3.

I had previously used mcp-remote successfully with Cursor, but after these upgrades, I’m now getting this error when calling the /authorize:

{"error":"invalid_request","error_description":"redirect_uri: URL scheme should be 'http' or 'https'"}

It looks like the change introduced in #895 didn’t update the URL Pydantic class accordingly — that might be the root cause here.

@sam-tombury @Kludex

[sam-tombury]

Yep that's the issue that #895 should solve. That PR isn't included in v1.9.3 - I'm not sure what the cadence/process for releases is here, but you should be able to pin your build to main (e.g. pip install git+https://github.com/modelcontextprotocol/python-sdk.git@main) if you'd like to test the fix

[Rodriguespn]

Yep that's the issue that #895 should solve. That PR isn't included in v1.9.3 - I'm not sure what the cadence/process for releases is here, but you should be able to pin your build to main (e.g. pip install git+https://github.com/modelcontextprotocol/python-sdk.git@main) if you'd like to test the fix

Thank you @sam-tombury, I'm past the URL validation error, but now it seems that Cursor is not registering as a client before calling /authorize. Does your Cursor register itself before calling /authorize? This is also happening with Claude Desktop so idk if this is the correct behavior or not (according to the MCP auth spec, it's not)

[sam-tombury]

Yes, it works end-to-end in Cursor for me and it seems like Cursor registers a new OAuth client for each authentication (if I logout and then authenticate again, it re-triggers the registration flow).

Just to check, have you configured client_registration_options properly? Example here, in particular you need to explicitly set enabled=True for the OAuth metadata to advertise that registration is supported.

[Rodriguespn]

Yes, it works end-to-end in Cursor for me and it seems like Cursor registers a new OAuth client for each authentication (if I logout and then authenticate again, it re-triggers the registration flow).

Just to check, have you configured client_registration_options properly? Example here, in particular you need to explicitly set enabled=True for the OAuth metadata to advertise that registration is supported.

Yes, I’ve set client_registration_options with enabled=True — I’ve attached a screenshot to show the current configuration.

Could this be because it's local dev? I've also tried using SSE transport, but it doesn't work.