
Add ability to register OAuth applications by API

What does this MR do and why?

How to set up and validate locally

  1. Enable the feature flag for your instance. This feature is unauthenticated, so it cannot be linked to a user, project or group actor:

    Feature.enable(:oauth_dynamic_client_registration)

  2. Create an OAuth application dynamically:

    POST /oauth/register
    Content-Type: application/json

    {"client_name":"my example application","redirect_uris":["https://about.gitlab.co"], "scope": ["api"]}

  3. In log/development.log you should see both an INSERT into oauth_applications scoped to that user, and an audit event created.

  4. Additionally, visit /.well-known/oauth-authorization-server and assert that the value of registration_endpoint is set correctly to GDK_HOST/oauth/register; this will aid discoverability for MCP clients.

  5. Also, note that dynamic in oauth_applications is set to true for this application, but all others should default to false.

  6. Try to hit the register endpoint multiple times in 1 minute and assert that the rate limiting kicks in.
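The following plain Ruby is an added example, not code from this MR or from GitLab, that models the server-side checks the validation steps above exercise: input validation of the registration body (client_name, absolute https redirect_uris without fragments, scopes restricted to an allow-list), a registration response that marks the record dynamic, the registration_endpoint entry in the authorization-server metadata, and a per-client sliding-window rate limit. The ALLOWED_SCOPES list, the limit of 3 requests per 60 seconds, the error codes and every function name are assumptions of this example, not the MR's implementation; the sample request body is the one from step 2.

```ruby
require 'json'
require 'uri'
require 'securerandom'

# Assumed allow-list for this example; GitLab's real scope set is larger.
ALLOWED_SCOPES = %w[api read_api read_user].freeze

# Request body from step 2 of the MR description (constructed sample input).
EXAMPLE_REQUEST = '{"client_name":"my example application","redirect_uris":["https://about.gitlab.co"], "scope": ["api"]}'

# Accept RFC 7591's space-delimited scope string or the array form used in step 2.
# Returns an array of scope names, or nil when the value is malformed.
def normalize_scopes(scope)
  case scope
  when nil then []
  when String then scope.split
  when Array then scope.all? { |s| s.is_a?(String) } ? scope : nil
  end
end

# Validate a registration body; returns a list of error strings (empty means valid).
def validate_registration(body)
  payload = JSON.parse(body)
  errors = []

  name = payload['client_name']
  errors << 'client_name must be a non-empty string' unless name.is_a?(String) && !name.strip.empty?

  uris = payload['redirect_uris']
  if !uris.is_a?(Array) || uris.empty?
    errors << 'redirect_uris must be a non-empty array'
  else
    uris.each do |raw|
      begin
        uri = URI.parse(raw.to_s)
      rescue URI::InvalidURIError
        errors << "redirect_uri is not a valid URI: #{raw}"
        next
      end
      # Unauthenticated callers must not register http://, javascript: or relative callbacks.
      errors << "redirect_uri must be an absolute https URI: #{raw}" unless uri.is_a?(URI::HTTPS) && uri.host
      errors << "redirect_uri must not contain a fragment: #{raw}" if uri.fragment
    end
  end

  scopes = normalize_scopes(payload['scope'])
  if scopes.nil?
    errors << 'scope must be an array of strings or a space-delimited string'
  else
    unknown = scopes - ALLOWED_SCOPES
    errors << "unknown scopes: #{unknown.join(', ')}" unless unknown.empty?
  end

  errors
rescue JSON::ParserError
  ['request body is not valid JSON']
end

# Register a client: 400 with an RFC 7591 style error on invalid metadata,
# otherwise 201 with a record flagged dynamic (mirrors the column noted in step 5).
def register_client(body, store = [])
  errors = validate_registration(body)
  unless errors.empty?
    return { status: 400, body: { 'error' => 'invalid_client_metadata', 'error_description' => errors.join('; ') } }
  end
  payload = JSON.parse(body)
  record = {
    'client_id' => SecureRandom.hex(16),
    'client_secret' => SecureRandom.hex(32),
    'client_name' => payload['client_name'],
    'redirect_uris' => payload['redirect_uris'],
    'scope' => normalize_scopes(payload['scope']).join(' '),
    'dynamic' => true
  }
  store << record
  { status: 201, body: record }
end

# The metadata document step 4 checks (RFC 8414 field names; issuer is the GDK host).
def authorization_server_metadata(host)
  { 'issuer' => host, 'registration_endpoint' => "#{host}/oauth/register" }
end

# Sliding-window limiter keyed by caller (for example the client IP), as in step 6.
class RateLimiter
  def initialize(limit:, window_seconds:)
    @limit = limit
    @window = window_seconds
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # true if the request is allowed; false once `limit` requests fall inside the window.
  def allow?(key, now = Time.now.to_f)
    stamps = @hits[key]
    stamps.reject! { |t| t <= now - @window }
    return false if stamps.size >= @limit
    stamps << now
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  puts register_client(EXAMPLE_REQUEST)[:body].reject { |k, _| k == 'client_secret' }.to_json
  puts authorization_server_metadata('http://gdk.test:3000').to_json
end
```

Running the file registers the step 2 payload and prints the metadata document; the rate limiter is exercised by calling `allow?` with the same key more than three times inside one window.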

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #554820 (closed)

Edited by Max Woolf
