Dynamic Client Registration

note

Admin-configured dynamic client restrictions are a new feature and may not be available in your tenant yet.

The Glean OAuth Authorization Server supports Dynamic Client Registration (DCR). This is the preferred approach for MCP host applications to connect to Glean.

By default, any MCP host application can register with the Glean OAuth Authorization Server. Admins who prefer to restrict dynamic client registration can do so by limiting the redirect URIs that dynamically registered clients may use.

Restriction options

You have two options for restricting DCR:

| Option | Description |
|---|---|
| Glean-managed list | Use a Glean curated list of clients, with optional additional redirect URIs for other applications. This list may change over time as new clients are evaluated. |
| Static list | Use a list of redirect URI patterns fully maintained by you. You have complete control over which clients can register. |
tip

Use the Glean-managed list if you want to automatically allow popular MCP host applications as Glean vets them. Use a static list if your security policy requires explicit approval of every client.

Allow only static OAuth clients (block dynamic registration)

Some organizations want admin-created static OAuth clients for integrations but do not want any dynamic client registration (for example, ad hoc MCP host registration). You can achieve that by turning on redirect URI restrictions and leaving the allowlist empty.

At a high level:

  1. Enable Restrict Dynamic Clients by Redirect URI.
  2. Use a static list only: disable Use Glean-managed List so no Glean-vetted patterns are applied automatically.
  3. Do not add any redirect URI patterns to the allowlist.

With this configuration, new dynamic client registration requests fail because no redirect URI can match an allowed pattern. This is the same rule that applies when you configure your own static list: only URIs matching patterns in the table are permitted during registration. Integrations should use static OAuth clients created in the Admin Console instead.

Here are steps to allow only static OAuth clients:

  1. Enable the Glean OAuth Authorization Server. Follow Enable the Glean OAuth Authorization Server.
  2. Navigate to Admin Console → Settings → Third-party access (OAuth).
  3. Next to Enable Glean OAuth server, click Manage settings. See Configuring your own static list for the UI reference.
  4. Enable Restrict Dynamic Clients by Redirect URI.
  5. Disable Use Glean-managed List so only your explicit patterns apply.
  6. Do not add redirect URI patterns. With an empty allowlist, dynamic registration is denied; use static OAuth clients for each integration.

Configure the Glean-managed list

Use this option to allow Glean-vetted clients while optionally adding your own.

  1. Enable the Glean OAuth Authorization Server. Follow Enable the Glean OAuth Authorization Server.
  2. Navigate to Admin Console → Settings → Third-party access (OAuth).
  3. Next to Enable Glean OAuth server, click Manage settings to open the settings modal.
  4. Enable Restrict Dynamic Clients by Redirect URI. Leave Use Glean-managed List enabled so Glean-vetted clients stay allowed automatically.
  5. Optionally add any extra redirect URI patterns for other clients your users should be able to connect.

Configuring your own static list

Use this option for complete control over which clients can register.

  1. Enable the Glean OAuth Authorization Server. Follow Enable the Glean OAuth Authorization Server.
  2. Navigate to Admin Console → Settings → Third-party access (OAuth).
  3. Next to Enable Glean OAuth server, click Manage settings to open the settings modal.
  4. Enable Restrict Dynamic Clients by Redirect URI.
  5. Disable Use Glean-managed List. Only redirect URIs that match patterns you configure in the table are allowed during client registration.
  6. Toggle individual clients to add or remove their redirect URI patterns, or remove redirect URI patterns one at a time.
  7. Add redirect URI patterns for any additional clients you want your users to connect with.

Redirect URI patterns

Patterns can match redirect URIs exactly or use * as a wildcard to match characters within a single path segment.

note

The wildcard * does not match path separators (/) or traverse directory boundaries. This prevents overly broad patterns from inadvertently allowing unintended redirect URIs.

Example

For a redirect URI https://my.example.com/oauth/callback:

| Pattern | Matches? | Reason |
|---|---|---|
| https://my.example.com/oauth/callback | Yes | Exact match |
| https://my.example.com/oauth/* | Yes | Wildcard matches callback |
| https://my.example.com/*/callback | Yes | Wildcard matches oauth |
| https://my.example.com/* | No | Wildcard cannot match across path separators (oauth/callback) |
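The following is an added illustration of the single-segment wildcard rule and the empty-allowlist behaviour described above; it is example code, not Glean's implementation. It assumes that * matches any run of characters except a path separator and that every redirect URI in a registration request must match at least one allowlist pattern.

```python
import re
from typing import Iterable


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile an allowlist pattern into a regex for full-string matching.

    Every literal character is escaped (so '.' in a hostname stays literal)
    and each '*' becomes '[^/]*', which can only consume characters inside
    one path segment and never crosses a '/'.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("[^/]*".join(literal_parts))


def uri_matches(uri: str, pattern: str) -> bool:
    """True if the redirect URI matches exactly or via single-segment wildcards."""
    return pattern_to_regex(pattern).fullmatch(uri) is not None


def registration_allowed(redirect_uris: Iterable[str], allowlist: Iterable[str]) -> bool:
    """Decide whether a dynamic client registration request may proceed.

    Assumption (not stated on the page): every requested redirect URI must
    match at least one allowlist pattern. An empty allowlist can match
    nothing, so registration is always denied, which is the
    'static OAuth clients only' configuration described above.
    """
    uris = list(redirect_uris)
    patterns = list(allowlist)
    if not uris or not patterns:
        return False
    return all(any(uri_matches(u, p) for p in patterns) for u in uris)


if __name__ == "__main__":
    # Constructed sample: the redirect URI and patterns from the table above.
    uri = "https://my.example.com/oauth/callback"
    for pattern in (
        "https://my.example.com/oauth/callback",
        "https://my.example.com/oauth/*",
        "https://my.example.com/*/callback",
        "https://my.example.com/*",
    ):
        print(f"{pattern:40} -> {uri_matches(uri, pattern)}")
    # Restrictions enabled with an empty allowlist: dynamic registration is denied.
    print("empty allowlist:", registration_allowed([uri], []))
```

A request that lists one allowed URI alongside one that matches nothing is rejected as a whole, since a single unmatched redirect URI is enough to deny the registration.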

See also