fix(oauth): drop .strict() from dyn-reg schema per RFC 7591 §3.2#157

Merged
EsTharian merged 1 commit into main from fix/register-strict-schema
Apr 24, 2026
Conversation

@EsTharian
Member

Summary

  • RFC 7591 §3.2 says servers MUST ignore unrecognised client metadata fields — .strict() violated this by returning a 400 for any unknown key
  • Claude Code (and other OAuth 2.1 clients) send application_type: "native" — a valid IANA-registered field absent from our explicit allow-list, which triggered the failure
  • Fix: remove .strict(); Zod's default strip mode accepts and silently discards unrecognised fields, matching the RFC

Caught by the end-to-end smoke test in majordomo scripts/smoke-oauth-chain.sh (section 2 was the only remaining failure after the full OAuth 2.1 stack landed in #156).

Test plan

  • Existing register.test.ts suite still passes (no regressions)
  • New test: POST with application_type: "native" + custom extension returns 201 with client_id, no client_secret, no echoed unknown fields
  • scripts/smoke-oauth-chain.sh --tailscale section 2 passes green

🤖 Generated with Claude Code

RFC 7591 §3.2 requires servers to silently ignore unrecognised metadata
fields. The .strict() guard caused a 400 for clients sending
application_type (IANA-registered field, e.g. Claude Code). Zod's default
strip mode accepts and silently discards unknown fields, which matches the
spec requirement.

Adds a test confirming application_type + custom extensions are stripped
without error and do not appear in the response.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

nx-cloud Bot commented Apr 24, 2026

View your CI Pipeline Execution ↗ for commit e08ac12

Command: nx affected -t lint test build; Status: ✅ Succeeded; Duration: <1s

☁️ Nx Cloud last updated this comment at 2026-04-24 09:29:11 UTC

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates the dynamic client registration schema to comply with RFC 7591 §3.2 by allowing and stripping unrecognized metadata fields instead of rejecting them. Specifically, the ".strict()" constraint was removed from the dynamicClientRegistrationRequestSchema in oauth.ts, and a corresponding test case was added to register.test.ts to verify that unrecognized fields are correctly ignored. I have no feedback to provide.

@EsTharian EsTharian merged commit f600282 into main Apr 24, 2026
3 checks passed