Add application_type to Dynamic Client Registration per MCP spec SEP-837

[Copilot]

SEP-837 (merged 2026-03-28) adds "Application Type and Redirect URI Constraints" to the MCP auth spec, requiring clients to include application_type in DCR requests. Omitting it defaults to "web" under OIDC, which breaks native-style localhost redirect URIs.

Changes

• DynamicClientRegistrationRequest — adds [JsonPropertyName("application_type")] string? ApplicationType
• DynamicClientRegistrationOptions — adds ApplicationType (marked [Experimental(MCPEXP001)]) for explicit override; if unset, auto-detected from redirect URI
• ClientOAuthProvider — populates application_type in every DCR request:
  • "native" when redirect URI resolves to a loopback address (localhost, 127.0.0.1, ::1, etc.) via IPAddress.IsLoopback
  • "web" for all other redirect URIs
  • Explicit DynamicClientRegistrationOptions.ApplicationType takes precedence over auto-detection
• Experimentals.cs — adds DcrApplicationType_DiagnosticId/Message/Url constants (sharing MCPEXP001 as a spec-level experimental feature)
• docs/list-of-diagnostics.md — updates MCPEXP001 entry to mention SEP-837 and the application_type DCR parameter
• Test OAuth server — ClientRegistrationRequest gains ApplicationType; Program exposes LastRegistrationApplicationType for test assertions
• Tests — three new integration tests covering localhost auto-detect → "native", remote URI auto-detect → "web", and explicit override

// Auto-detected as "native" (localhost redirect URI)
DynamicClientRegistration = new() { ClientName = "My App" }

// Explicitly set to "web" regardless of redirect URI — suppress MCPEXP001
#pragma warning disable MCPEXP001
DynamicClientRegistration = new() { ApplicationType = "web" }
#pragma warning restore MCPEXP001

Original prompt

Background

The MCP authorization spec was updated via SEP-837 (merged 2026-03-28) to add a new section "Application Type and Redirect URI Constraints" under Dynamic Client Registration. The C# SDK needs to be updated to comply with these new requirements.

Spec Requirements (from SEP-837)

The new spec text (lines 334-361 of docs/specification/draft/basic/authorization.mdx) states:

When authorization servers support OpenID Connect (OIDC) and Dynamic Client Registration, they may enforce additional constraints on redirect URIs based on the application_type parameter as defined in OpenID Connect Dynamic Client Registration 1.0.

MCP clients MUST specify an appropriate application_type during Dynamic Client Registration. Omitting it defaults to "web" under OIDC, which can conflict with native-style redirect URIs; non-OIDC servers safely ignore the parameter.

• Native applications (desktop applications, mobile apps, CLI tools, and locally-hosted web applications accessed via localhost) SHOULD use application_type: "native"
• Web applications (remote browser-based applications served from a non-local host) SHOULD use application_type: "web"

MCP clients MUST be prepared to handle registration failures due to redirect URI constraints when authorization servers implement OIDC. When a registration request is rejected, clients SHOULD surface a meaningful error to the user or developer. Clients MAY retry registration with an adjusted application_type or with redirect URIs that conform to the authorization server's requirements for the given application type.

Changes Needed in the C# SDK

1. Add application_type to DynamicClientRegistrationRequest

In src/ModelContextProtocol.Core/Authentication/DynamicClientRegistrationRequest.cs, add a new property:

/// <summary>
/// Gets or sets the application type for the client, as defined in OpenID Connect Dynamic Client Registration 1.0.
/// </summary>
/// <remarks>
/// Valid values are "native" and "web". MCP clients MUST specify this during Dynamic Client Registration.
/// Native applications (desktop, mobile, CLI, localhost web apps) should use "native".
/// Web applications (remote browser-based) should use "web".
/// </remarks>
[JsonPropertyName("application_type")]
public string? ApplicationType { get; init; }

2. Add ApplicationType option to DynamicClientRegistrationOptions

In src/ModelContextProtocol.Core/Authentication/DynamicClientRegistrationOptions.cs, add a property so users can explicitly override the application type:

/// <summary>
/// Gets or sets the application type to use during dynamic client registration.
/// </summary>
/// <remarks>
/// <para>
/// Valid values are "native" and "web". If not specified, the application type will be
/// automatically determined based on the redirect URI: "native" for localhost/127.0.0.1
/// redirect URIs, "web" for all others.
/// </para>
/// <para>
/// Per the MCP specification, native applications (desktop, mobile, CLI, localhost web apps)
/// should use "native", and web applications (remote browser-based) should use "web".
/// </para>
/// </remarks>
public string? ApplicationType { get; set; }

3. Update ClientOAuthProvider.PerformDynamicClientRegistrationAsync()

In src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs, update the method that builds the DynamicClientRegistrationRequest to include application_type. The logic should be:

• If DynamicClientRegistrationOptions.ApplicationType is explicitly set, use that value.
• Otherwise, auto-detect based on the redirect URI: use "native" if the redirect URI host is localhost or 127.0.0.1 (or [::1]), and "web" otherwise.

The registration request construction (currently around line 648-656) should include:

ApplicationType = _dcrApplicationType ?? (IsLocalhostRedirectUri(_redirectUri) ? "native" : "web"),

Add a helper method:

private static bool IsLocalhostRedirectUri(Uri redirectUri)
    => redirectUri.Host.Equals("localhost", StringComparison.OrdinalIgnoreCase)
    || redirectUri.Host.Equals("127.0.0.1", StringComparison.Ordinal)
    || redirectUri.Host.Equals("[::1]", StringComparison.Ordinal);

Store the configured application type from options in the constructor:

_dcrApplicationType = options.DynamicClientRegistration?.ApplicationType;

4. Update the test OAuth server's ClientRegistrationRequest

In tests/ModelContextProtocol.TestOAuthServer/ClientRegistrationRequest.cs, add:

/// <summary>
/// Gets or sets the application type.
/// </summary>
[JsonPropertyName("application_type")]
public string? ApplicationType { get; init; }

5. Add tests

Add tests to verify:

• The application_type is include...

This pull request was created from Copilot chat.

---

⚡ Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast.

[stephentoub]

@copilot as this is part of a not-yet-published version of the spec, it should be [Experimental]. Same for any other public surface area added in the PR.

[Copilot]

Done in fcf950e. DynamicClientRegistrationOptions.ApplicationType is now marked [Experimental(Experimentals.DcrApplicationType_DiagnosticId, UrlFormat = Experimentals.DcrApplicationType_Url)] (using MCPEXP001 since it's a spec feature). Added the corresponding constants to Experimentals.cs, updated docs/list-of-diagnostics.md, and added #pragma warning disable MCPEXP001 suppressions in ClientOAuthProvider.cs and the test that sets the property.

DynamicClientRegistrationRequest.ApplicationType is internal so it doesn't need the attribute.