Include the authorizing user on dynamic OAuth application names
What does this MR do and why?
Dynamically-registered (DCR, POST /oauth/register) OAuth applications are
created anonymously on behalf of MCP clients — there is no authenticated
user at registration time. As a result, an admin looking at
/admin/applications can see the client name but not which user is actually
using a given dynamic application.
This MR records the authorizing user on the application name, without adding
any columns to the oauth_applications table.
Changes (app/controllers/oauth/authorizations_controller.rb)
- When a user approves authorization of a dynamic application, append
— authorized by @<username>to the application name. - Approval only: stamping is gated on Doorkeeper's authorization outcome —
the name is stamped only when
authorize_responseis aCodeResponse(an authorization code was issued). A denial or error yields anErrorResponse, so it is left untouched and we never misattribute an authorization the user did not grant. - Sanitized: GitLab usernames are already restricted to a safe character
set, but the value is defensively stripped of anything outside
[A-Za-z0-9_.-]before being persisted into the name (which is rendered in the admin UI). - Idempotent: applied once — repeat authorizations do not append again.
- Dynamic only: non-dynamic / instance-wide applications are never modified.
Example resulting name:
[Unverified Dynamic Application] kiro — authorized by @jessieay
No database changes
The identifying data lives in the existing name column, already surfaced in
the Admin UI and REST API. The single-record application.update(name: ...)
runs on the already-loaded application record (no bulk update, no new query
against a large table).
References
How to set up and validate locally
- Register a client via DCR and complete the authorization flow, approving on the consent screen.
- In Admin → Applications, confirm the app name reads
[Unverified Dynamic Application] <client_name> — authorized by @<your-username>. - Repeat the authorization — confirm the username is not appended twice.
- Deny an authorization for a fresh dynamic app — confirm the name is not stamped.
Screenshots or screen recordings
N/A — no UI changes; only the stored application name is affected.