Implement SEP-991: URL-based Client Registration (OAuth Client ID Metadata) #416
Description
This is a tracking issue for implementation of SEP-991.
Summary
This SEP proposes adopting OAuth Client ID Metadata Documents as an additional client registration mechanism for MCP. This approach allows OAuth clients to use HTTPS URLs as client identifiers, where the URL points to a JSON document containing client metadata. This addresses the common MCP scenario where servers and clients have no pre-existing relationship, enabling servers to trust clients without pre-coordination while maintaining full control over access policies.
The Kotlin SDK currently does not provide built-in OAuth or authorization functionality - it focuses on the core MCP protocol for communication between clients and servers. OAuth implementation is typically handled at the application level or through integration with external OAuth libraries. This implementation will require adding support for OAuth flows with Client ID Metadata Documents, including: client-side utilities for hosting and serving metadata documents, server-side utilities for fetching and validating metadata from HTTPS URLs, integration with OAuth metadata to advertise support via client_id_metadata_document_supported, and proper validation of redirect URIs against metadata documents. This may be implemented as an optional OAuth extension module for the SDK.