authorization-server: add spring.ai.mcp.authorizationserver.dynamic-client-registration.enabled property

Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>

Author: Kehrlann

mcp-authorization-server-boot/src/main/java/org/springaicommunity/mcp/security/authorizationserver/boot/McpAuthorizationServerAutoConfiguration.java

@@ -21,6 +21,7 @@
 
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.security.autoconfigure.web.servlet.ConditionalOnDefaultWebSecurity;
 import org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterProperties;
@@ -58,14 +59,17 @@
  */
 @AutoConfiguration(before = OAuth2AuthorizationServerAutoConfiguration.class)
 @ConditionalOnDefaultWebSecurity
-@EnableConfigurationProperties(OAuth2AuthorizationServerProperties.class)
+@EnableConfigurationProperties({ OAuth2AuthorizationServerProperties.class,
+		McpOAuth2AuthorizationServerProperties.class })
 class McpAuthorizationServerAutoConfiguration {
 
 	@Bean
 	@Order(Ordered.HIGHEST_PRECEDENCE)
-	SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) {
+	SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http,
+			McpOAuth2AuthorizationServerProperties properties) {
 		return http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
 			.with(mcpAuthorizationServer(), mcp -> {
+				mcp.dynamicClientRegistration(properties.getDynamicClientRegistration().isEnabled());
 				mcp.authorizationServer(authzServer -> {
 					http.securityMatcher(new OrRequestMatcher(authzServer.getEndpointsMatcher(),
 							PathPatternRequestMatcher.withDefaults().matcher("/.well-known/openid-configuration")));
@@ -85,7 +89,9 @@ SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) {
 
 	@Bean
 	@ConditionalOnMissingBean
-	RegisteredClientRepository registeredClientRepository(OAuth2AuthorizationServerProperties properties) {
+	@ConditionalOnProperty(prefix = McpOAuth2AuthorizationServerProperties.CONFIG_PREFIX,
+			name = "dynamic-client-registration.enabled", havingValue = "true", matchIfMissing = true)
+	RegisteredClientRepository dcrRegisteredClientRepository(OAuth2AuthorizationServerProperties properties) {
 		var clients = new OAuth2AuthorizationServerPropertiesMapper(properties).asRegisteredClients();
 		// default generated client: the repository cannot be empty, but we support DCR
 		// so we should be able to add clients after it's wired. This client cannot be

mcp-authorization-server-boot/src/main/java/org/springaicommunity/mcp/security/authorizationserver/boot/McpOAuth2AuthorizationServerProperties.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2026-2026 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springaicommunity.mcp.security.authorizationserver.boot;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+/**
+ * @author Daniel Garnier-Moiroux
+ */
+@ConfigurationProperties(value = McpOAuth2AuthorizationServerProperties.CONFIG_PREFIX)
+class McpOAuth2AuthorizationServerProperties {
+
+	public static final String CONFIG_PREFIX = "spring.ai.mcp.authorizationserver";
+
+	private DynamicClientRegistration dynamicClientRegistration = new DynamicClientRegistration();
+
+	public DynamicClientRegistration getDynamicClientRegistration() {
+		return dynamicClientRegistration;
+	}
+
+	public void setDynamicClientRegistration(DynamicClientRegistration dynamicClientRegistration) {
+		this.dynamicClientRegistration = dynamicClientRegistration;
+	}
+
+	public static class DynamicClientRegistration {
+
+		/**
+		 * Enable dynamic client registration.
+		 */
+		private boolean enabled = true;
+
+		public boolean isEnabled() {
+			return enabled;
+		}
+
+		public void setEnabled(boolean enabled) {
+			this.enabled = enabled;
+		}
+
+	}
+
+}

mcp-authorization-server-boot/src/test/java/org/springaicommunity/mcp/security/authorizationserver/boot/McpAuthorizationServerAutoConfigurationTests.java

@@ -34,6 +34,9 @@
 import org.springframework.security.web.SecurityFilterChain;
 import static org.assertj.core.api.Assertions.assertThat;
 
+/**
+ * @author Daniel Garnier-Moiroux
+ */
 class McpAuthorizationServerAutoConfigurationTests {
 
 	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
@@ -86,7 +89,7 @@ void registeredClientProperties() {
 	}
 
 	@Test
-	void useDefaultRegisteredClientRepository() {
+	void useDefaultDcrRegisteredClientRepository() {
 		this.contextRunner.withUserConfiguration(CustomRegisteredClientRepositoryConfiguration.class).run((context) -> {
 			assertThat(context).hasSingleBean(RegisteredClientRepository.class);
 			RegisteredClientRepository repository = context.getBean(RegisteredClientRepository.class);
@@ -95,6 +98,42 @@ void useDefaultRegisteredClientRepository() {
 		});
 	}
 
+	@Test
+	void dynamicClientRegistrationDisabled() {
+		this.contextRunner
+			.withPropertyValues("spring.ai.mcp.authorizationserver.dynamic-client-registration.enabled=false")
+			.run((context) -> {
+				assertThat(context).hasFailed()
+					.getFailure()
+					.hasMessageContaining(
+							"No qualifying bean of type 'org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository'");
+			});
+	}
+
+	@Test
+	void dynamicClientRegistrationDisabledWithRegistrations() {
+		this.contextRunner.withPropertyValues(
+				"spring.ai.mcp.authorizationserver.dynamic-client-registration.enabled=false",
+				"spring.security.oauth2.authorizationserver.client.test-client.registration.client-id=my-client",
+				"spring.security.oauth2.authorizationserver.client.test-client.registration.client-secret={noop}secret",
+				"spring.security.oauth2.authorizationserver.client.test-client.registration.client-authentication-methods=client_secret_basic",
+				"spring.security.oauth2.authorizationserver.client.test-client.registration.authorization-grant-types=client_credentials")
+			.run((context) -> {
+				RegisteredClientRepository repository = context.getBean(RegisteredClientRepository.class);
+				assertThat(repository.findByClientId("my-client")).isNotNull();
+				assertThat(repository.findByClientId("default")).isNull();
+			});
+	}
+
+	@Test
+	void dynamicClientRegistrationDisabledWithCustomRepository() {
+		this.contextRunner.withUserConfiguration(CustomRegisteredClientRepositoryConfiguration.class)
+			.withPropertyValues("spring.ai.mcp.authorizationserver.dynamic-client-registration.enabled=false")
+			.run((context) -> {
+				assertThat(context).hasNotFailed();
+			});
+	}
+
 	@Configuration(proxyBeanMethods = false)
 	static class CustomSecurityConfiguration {
 

mcp-authorization-server/src/main/java/org/springaicommunity/mcp/security/authorizationserver/config/McpAuthorizationServerConfigurer.java

@@ -51,6 +51,8 @@ public class McpAuthorizationServerConfigurer
 
 	private Customizer<OAuth2AuthorizationServerConfigurer> authServerCustomizer = Customizer.withDefaults();
 
+	private boolean supportDynamicClientRegistration = true;
+
 	public static McpAuthorizationServerConfigurer mcpAuthorizationServer() {
 		return new McpAuthorizationServerConfigurer();
 	}
@@ -70,6 +72,16 @@ public McpAuthorizationServerConfigurer authorizationServer(
 		return this;
 	}
 
+	/**
+	 * Enable or disable dynamic client registration (DCR).
+	 * @param enabled turn on DCR when true, off otherwise. Defaults to true.
+	 * @return The {@link McpAuthorizationServerConfigurer} for further configuration.
+	 */
+	public McpAuthorizationServerConfigurer dynamicClientRegistration(boolean enabled) {
+		this.supportDynamicClientRegistration = enabled;
+		return this;
+	}
+
 	@Override
 	public void init(HttpSecurity http) {
 		http.authorizeHttpRequests(
@@ -79,7 +91,9 @@ public void init(HttpSecurity http) {
 				authServer.authorizationServerMetadataEndpoint(Customizer.withDefaults());
 				OAuth2TokenGenerator<?> tokenGenerator = getTokenGenerator(http);
 				authServer.tokenGenerator(tokenGenerator);
-				authServer.clientRegistrationEndpoint(cr -> cr.openRegistrationAllowed(true));
+				if (this.supportDynamicClientRegistration) {
+					authServer.clientRegistrationEndpoint(cr -> cr.openRegistrationAllowed(true));
+				}
 				this.authServerCustomizer.customize(authServer);
 			});
 

samples/sample-authorization-server/src/main/resources/application.yml

@@ -1,6 +1,15 @@
 spring:
   application:
     name: sample-authorization-server
+
+  # To disable dynamic client registration:
+  # ai:
+  #   mcp:
+  #     authorizationserver:
+  #       dynamic-client-registration:
+  #         enabled: true
+
+  # To use with a pre-existing client:
   security:
     oauth2:
       authorizationserver: