🐞 Bug Summary
When a user adds the Atlassian Remote MCP Server from the MCP Registry and clicks 🔐 Authorize, ContextForge auto-triggers Dynamic Client Registration (DCR, RFC 7591) because the gateway has an issuer URL but no `client_id`. Atlassian's authorization server (`https://auth.atlassian.com\`) does not expose a `registration_endpoint` in its OIDC metadata, so DCR fails mid-flow with a raw error:
{
"detail": "Dynamic Client Registration failed: AS https://auth.atlassian.com does not support Dynamic Client Registration (no registration_endpoint). Please configure client_id and client_secret manually or check your OAuth server supports RFC 7591."
}The user is left on a raw JSON error page with no path forward. There is no UI prompt to enter `client_id` and `client_secret` manually, and the error appears after the OAuth flow has already been initiated (not at save time where it could be caught early).
🧩 Affected Component
🔁 Steps to Reproduce
- Open the MCP Registry tab in the Admin UI
- Find the Atlassian Remote MCP Server (auth type: OAuth2.1) and click Add Server
- The gateway is registered with `auth_type=oauth`, `oauth_config=None`, `enabled=False`
- Navigate to the Gateways tab — the gateway appears with a 🔐 Authorize button
- Edit the gateway, set the issuer to `https://auth.atlassian.com\`, save (no `client_id` or `client_secret` set)
- Click 🔐 Authorize
- ContextForge auto-triggers DCR since `issuer` is set but `client_id` is absent
- DCR fetch of `https://auth.atlassian.com/.well-known/openid-configuration\` finds no `registration_endpoint`
- `DcrService` raises `DcrError` → `initiate_oauth_flow()` surfaces it as an unhandled 500/400
- User sees raw JSON error, no way back to the admin UI
🤔 Expected Behavior
One of:
Option A — Pre-flight detection (preferred): When saving a gateway with `auth_type=oauth` and an issuer but no `client_id`, ContextForge should probe the issuer's OIDC metadata and warn the user immediately if DCR is unsupported — prompting them to supply `client_id`/`client_secret` before saving.
Option B — Graceful mid-flow fallback: If DCR is attempted at authorize-time and fails because there is no `registration_endpoint`, the error should redirect back to the Admin UI (not show raw JSON) with a clear, actionable message and a direct link to the gateway edit form to enter credentials manually.
Either way, the user should never be dropped onto a raw JSON error page with no navigation path.
📓 Logs / Error Output
DcrError: AS https://auth.atlassian.com does not support Dynamic Client Registration (no registration_endpoint).
Please configure client_id and client_secret manually or check your OAuth server supports RFC 7591.
Surfaced to the user as:
{"detail":"Dynamic Client Registration failed: AS https://auth.atlassian.com does not support Dynamic Client Registration (no registration_endpoint). Please configure client_id and client_secret manually or check your OAuth server supports RFC 7591."}
🧠 Environment Info
| Key |
Value |
| Version or commit |
main |
| Runtime |
Python 3.11, FastAPI |
| Platform / OS |
any |
| Container |
any |
🧩 Additional Context
Root cause in code:
- `mcpgateway/services/dcr_service.py` — raises `DcrError` when `registration_endpoint` is absent from OIDC metadata
- `mcpgateway/routers/oauth_router.py:363-411` — `initiate_oauth_flow()` triggers DCR when `issuer` is set but `client_id` is absent; the `DcrError` is not caught and converted to a graceful redirect
- `mcpgateway/services/catalog_service.py:327-355` — Atlassian servers are registered from the catalog with `auth_type=oauth` but `oauth_config=None`, leaving the user with no credentials and no wizard to complete setup
Related issues:
Atlassian OAuth app setup requires manual registration at developer.atlassian.com, which means DCR will never work for Atlassian — making pre-flight detection or a guided manual-credentials fallback essential for this integration.
🐞 Bug Summary
When a user adds the Atlassian Remote MCP Server from the MCP Registry and clicks 🔐 Authorize, ContextForge auto-triggers Dynamic Client Registration (DCR, RFC 7591) because the gateway has an issuer URL but no `client_id`. Atlassian's authorization server (`https://auth.atlassian.com\`) does not expose a `registration_endpoint` in its OIDC metadata, so DCR fails mid-flow with a raw error:
{ "detail": "Dynamic Client Registration failed: AS https://auth.atlassian.com does not support Dynamic Client Registration (no registration_endpoint). Please configure client_id and client_secret manually or check your OAuth server supports RFC 7591." }The user is left on a raw JSON error page with no path forward. There is no UI prompt to enter `client_id` and `client_secret` manually, and the error appears after the OAuth flow has already been initiated (not at save time where it could be caught early).
🧩 Affected Component
🔁 Steps to Reproduce
🤔 Expected Behavior
One of:
Option A — Pre-flight detection (preferred): When saving a gateway with `auth_type=oauth` and an issuer but no `client_id`, ContextForge should probe the issuer's OIDC metadata and warn the user immediately if DCR is unsupported — prompting them to supply `client_id`/`client_secret` before saving.
Option B — Graceful mid-flow fallback: If DCR is attempted at authorize-time and fails because there is no `registration_endpoint`, the error should redirect back to the Admin UI (not show raw JSON) with a clear, actionable message and a direct link to the gateway edit form to enter credentials manually.
Either way, the user should never be dropped onto a raw JSON error page with no navigation path.
📓 Logs / Error Output
Surfaced to the user as:
🧠 Environment Info
🧩 Additional Context
Root cause in code:
Related issues:
audienceparameter support — enable Atlassian and non-RFC-8707 OAuth providers #3499 — Atlassian `audience` parameter support (separate but companion issue — Atlassian also requires `audience=api.atlassian.com` which ContextForge doesn't send)Atlassian OAuth app setup requires manual registration at developer.atlassian.com, which means DCR will never work for Atlassian — making pre-flight detection or a guided manual-credentials fallback essential for this integration.