
Implement OAuth 2.0 Dynamic Client Registration Protocol

Overview

OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591) allows OAuth clients to register with an authorization server, obtaining client credentials and configuration without manual intervention. Currently, GitLab only supports manual client registration through the web interface.

Current State

GitLab's OAuth implementation:

  • Uses the Doorkeeper gem for OAuth 2.0 server functionality
  • Supports multiple OAuth flows (authorization code, PKCE, device flow, etc.)
  • Requires manual registration through the web interface at /user_settings/applications or via admin panel
  • Has no existing dynamic registration endpoint

Requirements

  • The ability to register an OAuth Application using the client registration protocol defined in RFC 7591.
  • Documenting the new capability so that users know it exists.

Implementation Plan

  • Create a new client registration endpoint at /oauth/register by creating a new controller: app/controllers/oauth/registrations_controller.rb.

  • Add a dynamic column to oauth_applications to track dynamically created applications. (See PoC example)

    • Doorkeeper may already support this; if not, we can add the column ourselves. The PoC sets the flag when building the application (the remaining attributes are elided in this excerpt):
      application = Doorkeeper::Application.new(
        dynamic: true
      )

  • Add appropriate unit & functional tests

  • Add appropriate documentation, as use of this feature wouldn't be limited to the MCP server.

  • Consider using a feature flag to roll this out and guard against any unforeseen security issues. RFC 7591 permits open (unauthenticated) registration, so unless the endpoint requires an initial access token or is rate limited, anyone who can reach the instance can create applications; the flag should stay off by default until those controls are decided.
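As an added illustration of what the /oauth/register endpoint has to do (this is example code, not GitLab's or Doorkeeper's), the block below implements the RFC 7591 request handling framework-free so it runs stand-alone: it validates the client metadata, rejects redirect URIs that could leak authorization codes, mints client_id/client_secret, marks the record with the proposed dynamic flag and returns the 201/400 responses the RFC defines. DynamicClientRegistration, register, valid_redirect_uri? and the in-memory store are assumed names; in the real controller the store would be oauth_applications and the endpoint would sit behind the feature flag and a rate limit or initial access token, since the code as written accepts any caller.

```ruby
# Added example, not GitLab's or Doorkeeper's code: the request handling an
# RFC 7591 registration endpoint needs, written framework-free so it runs
# stand-alone. DynamicClientRegistration, register, valid_redirect_uri? and
# the in-memory `store` are assumed names; `dynamic` is the column proposed above.
require 'json'
require 'securerandom'
require 'uri'

module DynamicClientRegistration
  SUPPORTED_GRANT_TYPES = %w[authorization_code refresh_token].freeze
  SUPPORTED_AUTH_METHODS = %w[client_secret_basic client_secret_post none].freeze

  # RFC 7591 section 3.2.2: errors are HTTP 400 with an error code and description.
  def self.error(code, description)
    [400, { 'error' => code, 'error_description' => description }]
  end

  # Refuse redirect URIs that would let an attacker collect authorization codes:
  # non-HTTPS (loopback excepted for native clients), fragments, wildcard hosts,
  # and anything that is not an http(s) URL at all (javascript:, data:, ...).
  def self.valid_redirect_uri?(raw)
    uri = URI.parse(raw)
    return false unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    return false if uri.fragment || uri.host.include?('*')
    loopback = %w[127.0.0.1 localhost ::1].include?(uri.host)
    uri.scheme == 'https' || loopback
  rescue URI::InvalidURIError
    false
  end

  # Validate the client metadata and, if acceptable, mint a client.
  # `store` (a Hash keyed by client_id) stands in for oauth_applications.
  # Returns [http_status, response_body].
  def self.register(body, store)
    meta = begin
      JSON.parse(body)
    rescue JSON::ParserError
      return error('invalid_client_metadata', 'request body is not valid JSON')
    end
    return error('invalid_client_metadata', 'metadata must be a JSON object') unless meta.is_a?(Hash)

    uris = meta['redirect_uris']
    unless uris.is_a?(Array) && !uris.empty? && uris.all? { |u| u.is_a?(String) }
      return error('invalid_redirect_uri', 'redirect_uris must be a non-empty array of strings')
    end
    bad = uris.reject { |u| valid_redirect_uri?(u) }
    return error('invalid_redirect_uri', "unacceptable redirect_uri: #{bad.first}") unless bad.empty?

    grant_types = meta.fetch('grant_types', ['authorization_code'])
    unless grant_types.is_a?(Array) && (grant_types - SUPPORTED_GRANT_TYPES).empty?
      return error('invalid_client_metadata', 'unsupported grant_types')
    end

    auth_method = meta.fetch('token_endpoint_auth_method', 'client_secret_basic')
    unless SUPPORTED_AUTH_METHODS.include?(auth_method)
      return error('invalid_client_metadata', 'unsupported token_endpoint_auth_method')
    end

    # client_name is only RECOMMENDED in RFC 7591; bound it so it cannot be abused as free storage.
    name = meta['client_name'].to_s.strip[0, 255]
    name = 'Dynamically registered client' if name.empty?

    client = {
      'client_id' => SecureRandom.hex(32),
      'client_name' => name,
      'redirect_uris' => uris,
      'grant_types' => grant_types,
      'token_endpoint_auth_method' => auth_method,
      'client_id_issued_at' => Time.now.to_i,
      'dynamic' => true
    }
    # Public clients (auth method "none", e.g. PKCE-only native apps) get no secret.
    # When a secret is issued, client_secret_expires_at is REQUIRED; 0 means it never expires.
    if auth_method != 'none'
      client['client_secret'] = SecureRandom.hex(32)
      client['client_secret_expires_at'] = 0
    end
    store[client['client_id']] = client
    [201, client] # RFC 7591 section 3.2.1: 201 Created with the client information
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request, as an MCP-style client would send it.
  request = JSON.generate({
    'client_name' => 'Example MCP client',
    'redirect_uris' => ['https://app.example/callback', 'http://127.0.0.1:8080/cb'],
    'grant_types' => ['authorization_code', 'refresh_token'],
    'token_endpoint_auth_method' => 'client_secret_post'
  })
  status, response = DynamicClientRegistration.register(request, {})
  puts "#{status} #{JSON.pretty_generate(response)}"
end
```

The redirect URI check is the part worth keeping strict in the real controller: with open registration, a permissive check lets an attacker register a client whose callback they control and then phish users into an authorization flow for it.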

Edited by Max Woolf