
Enable Dynamic Client Registration (DCR) Support in OpenIddict for ABP Applications (Needed for MCP Server Integration)

Open itw-DheerG opened this issue 1 month ago • 2 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

No response

Describe the solution you'd like

Hello ABP Team,

I would like to request support for Dynamic Client Registration (DCR) in the OpenIddict module used by ABP Framework.

Why this is needed

We are implementing an MCP Server (Model Context Protocol) that needs to expose OAuth2-compliant authentication for tools such as Anthropic Claude, which currently do not support dynamic OAuth client registration on their side.

Therefore, the server must be able to accept client registration dynamically, following the IETF OAuth2 Dynamic Client Registration RFC (RFC 7591/7592). Right now, ABP’s OpenIddict integration does not expose or configure Dynamic Client Registration endpoints.

Use Case Example

MCP tools like Claude need to authenticate against our ABP application, but they cannot register a client manually or statically. Instead, the server must expose:

  • /connect/register
  • Token-based or initial-access-token-based client registration
  • Support for updating or deleting registered clients (RFC 7592)

Without DCR, MCP integration is not possible unless we manually implement custom controllers and override OpenIddict behavior — which is not ideal and makes upgrades difficult.

Requested Feature(s)

  • Enable OpenIddict Dynamic Client Registration endpoints in ABP OpenIddict module
  • Support for RFC 7591 (Client Registration)
  • Optional support for RFC 7592 (Client Management)
  • Provide ABP-style configuration, e.g.:

        options.DisableAccessTokenEncryption();
        options.AllowDynamicClientRegistration();

  • Allow hooking into ABP permission and audit systems for DCR operations.
  • Provide extensibility points to define:
      • Allowed application types
      • Allowed redirect URIs
      • Request validation logic

Benefits to the ABP Community

  • Enables future-facing integration with AI agent ecosystems (e.g., Claude, LLM agent tools, automation frameworks)
  • Allows external SaaS apps to self-onboard securely
  • Brings ABP/OpenIddict closer to OAuth2 best practices and modern interoperability standards

Current Workarounds

At the moment, the only workaround is building a custom OpenIddict Application Manager implementation and custom controllers, which bypasses ABP’s built-in configuration and creates maintenance issues.

Request

Please consider adding first-class support for Dynamic Client Registration in a future ABP release or provide an official extension package.

Thank you!

Additional context

No response

itw-DheerG, Nov 17 '25 09:11
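The "allowed redirect URIs" and "request validation logic" checks that the issue above asks for, sketched as an added example (not part of the original issue, and not ABP or OpenIddict code). `DcrRequestValidator`, the grant-type allow-list, the redirect policy and passing the initial access token in as a string are all assumptions made for illustration; only .NET base-class-library calls are used.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Hypothetical helper for illustration; not an ABP or OpenIddict type.
public static class DcrRequestValidator
{
    // Assumed policy: only these grant types may be self-registered.
    static readonly string[] AllowedGrants = { "authorization_code", "refresh_token" };

    // Returns null when the request is acceptable, otherwise an error code:
    // invalid_token (RFC 6750) or one of the RFC 7591 registration errors.
    public static string? Validate(string body, string? presented, string initialAccessToken)
    {
        // Compare the initial access token in constant time; reject an empty one.
        var a = Encoding.UTF8.GetBytes(presented ?? "");
        var b = Encoding.UTF8.GetBytes(initialAccessToken);
        if (a.Length == 0 || !CryptographicOperations.FixedTimeEquals(a, b)) return "invalid_token";
        JsonDocument doc;
        try { doc = JsonDocument.Parse(body); }
        catch (JsonException) { return "invalid_client_metadata"; }
        using (doc)
        {
            var root = doc.RootElement;
            if (root.ValueKind != JsonValueKind.Object) return "invalid_client_metadata";
            // redirect_uris must be a non-empty array of acceptable URIs.
            if (!root.TryGetProperty("redirect_uris", out var uris) ||
                uris.ValueKind != JsonValueKind.Array || uris.GetArrayLength() == 0 ||
                uris.EnumerateArray().Any(u => !IsAllowedRedirect(u)))
                return "invalid_redirect_uri";
            // grant_types is optional, but every entry must be on the allow-list.
            if (root.TryGetProperty("grant_types", out var grants) &&
                (grants.ValueKind != JsonValueKind.Array || grants.EnumerateArray().Any(g =>
                    g.ValueKind != JsonValueKind.String || !AllowedGrants.Contains(g.GetString()))))
                return "invalid_client_metadata";
            return null;
        }
    }
    // Assumed policy: HTTPS anywhere, plain HTTP only on loopback; no fragment or userinfo.
    static bool IsAllowedRedirect(JsonElement item)
    {
        if (item.ValueKind != JsonValueKind.String) return false;
        if (!Uri.TryCreate(item.GetString(), UriKind.Absolute, out var uri)) return false;
        if (uri.Fragment.Length > 0 || uri.UserInfo.Length > 0) return false;
        return uri.Scheme == Uri.UriSchemeHttps || (uri.Scheme == Uri.UriSchemeHttp && uri.IsLoopback);
    }
}
```

A registration endpoint would run a check like this before creating any client record, and write the rejected requests to the audit log the issue mentions.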

@maliming can you check what we can do here?

hikalkan, Nov 17 '25 09:11

We should implement this new protocol/specification in the OpenIddict library. After that, the ABP application will support it.

I've already created an issue in OpenIddict. See https://github.com/openiddict/openiddict-core/issues/2404

BTW, Duende's IdentityServer already supports this feature. https://docs.duendesoftware.com/identityserver/configuration/dcr/

maliming, Dec 08 '25 04:12

Hi @itw-DheerG

Unfortunately, this request is out of scope of the ABP project. We never wanted to create an authentication server library. We used IdentityServer, and are now using OpenIddict. If OpenIddict implements it, it is appreciated. You can request it from them :)

By the way, if you want to dynamically create clients with ABP's OpenIddict module, it is already possible and easy using the IAbpApplicationManager service's CreateAsync method. However, you should care about where to do it, how to integrate that code with other applications, etc.

hikalkan, Dec 11 '25 08:12