pomerium / pomerium / 21485441037

44%

Build Type

push

github

Committed by web-flow

Commit Message

mcp: improve domain validation UX and make allowed domains optional (#6066)

## Summary

This PR improves the user experience when MCP client domains are not
authorized and makes `mcp_allowed_client_id_domains` optional instead of
required.

**Previously:** 
- `mcp_allowed_client_id_domains` was required when MCP was enabled,
which was too restrictive
- Users saw a generic JSON error `{"error":"invalid_client"}` when their
client domain wasn't authorized

**Now:**
- `mcp_allowed_client_id_domains` is optional (empty list is valid) to
support dynamic client registration
- Users see a user-friendly HTML error page explaining:
  - Which domain was rejected
- How to fix it (contact admin to add domain to
`mcp_allowed_client_id_domains`)
  - Clear, actionable guidance

## Related issues

Fix https://linear.app/pomerium/issue/ENG-3513

## User Explanation

When using MCP (Model Context Protocol) with URL-based client IDs, if
your client's domain is not in the allowed list, you'll now see a clear
error page in your browser explaining the issue and what to do, instead
of a cryptic JSON error.

Administrators can now also enable MCP without pre-configuring allowed
domains if they only want to use dynamic client registration.

## Checklist

- [x] reference any related issues (N/A - internal improvement)
- [x] updated unit tests
- [x] add appropriate label (`enhancement`)
- [x] ready for review

Run Details

0 of 15 new or added lines in 1 file covered. (0.0%)

10 existing lines in 4 files now uncovered.

30928 of 69165 relevant lines covered (44.72%)

103.0 hits per line