Dynamic Client Registration requests omit scope, leading to over-privileged client registrations
Closed this issue · 2 comments
When Claude performs OAuth 2.0 Dynamic Client Registration, it does not include the scope client metadata in the registration request body. Because our server then falls back to a permissive default, the client gets registered as allowed for all scopes, which is a security risk.
Current behavior (observed):

- Registration request from Claude omits `scope`.
- Our server registers the client with a broad default, effectively enabling all scopes.

Expected behavior:

Claude should include a `scope` value in the registration request, chosen using least privilege:

- Discover `scopes_supported` from the protected resource (`/.well-known/oauth-protected-resource`).
- Request only the subset required for the intended operations (ideally progressive/just-in-time scoping).
Can confirm this. It existed a few months ago when we did our DCR implementation.
As a workaround (which might not be suitable in your architecture), what we did was use a webhook called just in time by the AS. That webhook then checked against the protected resource and stripped away excessive scopes, just before the AS signed the token.
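An added example, not code from this issue or from any Claude or authorization-server implementation, covering both halves of the thread: the client side builds a Dynamic Client Registration body whose `scope` is the least-privilege intersection of what it needs and the resource's `scopes_supported`, and the AS side refuses a registration with no `scope` (the reported bug is reproduced behind a `permissive` flag) and strips unsupported scopes before issuance, in the spirit of the webhook in the comment above. The metadata document, scope names, client name and URLs are constructed.

```python
import secrets

# Constructed sample of protected resource metadata, shaped like the document
# served at /.well-known/oauth-protected-resource (not a real deployment).
PROTECTED_RESOURCE_METADATA = {
    "resource": "https://mcp.example.test",
    "authorization_servers": ["https://as.example.test"],
    "scopes_supported": ["tools:read", "tools:write", "admin"],
}
# The kind of permissive fallback the issue describes (every supported scope).
PERMISSIVE_DEFAULT = " ".join(PROTECTED_RESOURCE_METADATA["scopes_supported"])

def least_privilege_scopes(needed, metadata):
    """Client side: keep only the needed scopes that the resource advertises."""
    supported = set(metadata.get("scopes_supported", []))
    return [s for s in needed if s in supported]

def build_registration_request(client_name, redirect_uris, needed, metadata):
    """Client side: RFC 7591 registration body carrying an explicit, minimal scope."""
    scopes = least_privilege_scopes(needed, metadata)
    if not scopes:
        raise ValueError("no usable scopes; refusing to register without scope")
    return {
        "client_name": client_name,
        "redirect_uris": redirect_uris,
        "grant_types": ["authorization_code"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "none",
        "scope": " ".join(scopes),
    }

def strip_excessive_scopes(scope, metadata):
    """AS-side hook (the webhook idea from the comment): drop scopes the
    protected resource does not support, before the token is signed."""
    supported = set(metadata.get("scopes_supported", []))
    return " ".join(s for s in scope.split() if s in supported)

def register_client(body, metadata, permissive=False):
    """AS-side registration. permissive=True reproduces the reported bug
    (omitted scope => every scope); the default refuses the registration."""
    scope = body.get("scope")
    if not scope:
        if not permissive:
            return {"error": "invalid_client_metadata", "error_description": "scope is required"}
        scope = PERMISSIVE_DEFAULT
    granted = strip_excessive_scopes(scope, metadata)
    if not granted:
        return {"error": "invalid_client_metadata", "error_description": "no supported scope"}
    return {"client_id": secrets.token_urlsafe(16), "scope": granted}
```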