pomerium / pomerium / 20866260743

46%

Build Type

push

github

Committed by web-flow

Commit Message

mcp: support client id metadata documents (#6038)

## Summary

MCP: Support for
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-client-id-metadata-document-00

Tested with VSCode which has its client ID at
https://vscode.dev/oauth/client-metadata.json

## Related issues

Fix
https://linear.app/pomerium/issue/ENG-3440/mcp-support-client-ids-as-id-documents

## User Explanation

Pomerium now advertises support for client ID metadata documents. 
If the MCP client tries to authenticate with Pomerium using client ID
metadata, the domain must be allowed in the
`mcp_allowed_client_id_domains` config option, otherwise the request
would fail with

```
{"level":"error","ip":"127.0.0.1","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36","request-id":"0e14388b-ce18-4edd-ad8f-8c0e57f312cc","error":"client metadata validation failed: client_id domain not allowed: \"vscode.dev\" is not in allowed domains","id":"https://vscode.dev/oauth/client-metadata.json","time":"2026-01-09T16:32:29-05:00","message":"failed to get client"}
```

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Run Details

133 of 234 new or added lines in 7 files covered. (56.84%)

21 existing lines in 7 files now uncovered.

29733 of 56088 relevant lines covered (53.01%)

127.35 hits per line