Skip to main content
Admin-configured dynamic client restrictions is a new feature and may not be available in your tenant yet.
The Glean OAuth Authorization Server supports Dynamic Client Registration (DCR). This is the preferred approach for MCP host applications to connect to Glean. By default, any MCP host application can register with the Glean OAuth Authorization Server. Admins who prefer to restrict dynamic client registration can do so by limiting the redirect URIs that dynamically registered clients may use.

Restriction options

You have two options for restricting DCR:
OptionDescription
Glean-managed listUse a Glean curated list of clients, with optional additional redirect URIs for other applications. This list may change over time as new clients are evaluated.
Static listUse a list of redirect URI patterns fully maintained by you. You have complete control over which clients can register.
Use the Glean-managed list if you want to automatically allow popular MCP host applications as Glean vets them. Use a static list if your security policy requires explicit approval of every client.

Configuring the Glean-managed list

Use this option to allow Glean-vetted clients while optionally adding your own.
1

Enable the Glean OAuth Authorization Server

Follow the steps in Enabling the Glean OAuth Authorization Server.
2

Open settings

Click Manage settings to open the settings modal.
Manage settings button
3

Enable redirect URI restrictions

Enable the Restrict Dynamic Clients by Redirect URI toggle.Leave the Use Glean-managed List toggle enabled to automatically allow future Glean-vetted clients.
Glean-managed list toggle enabled
4

Add additional redirect URIs (optional)

Add any additional redirect URI patterns for clients you want your users to connect with.
Add redirect URI pattern

Configuring your own static list

Use this option for complete control over which clients can register.
1

Enable the Glean OAuth Authorization Server

Follow the steps in Enabling the Glean OAuth Authorization Server.
2

Open settings

Click Manage settings to open the settings modal.
Manage settings button
3

Enable redirect URI restrictions

Enable the Restrict Dynamic Clients by Redirect URI toggle.
Restrict Dynamic Clients by Redirect URI toggle
4

Disable Glean-managed list

Disable the Use Glean-managed List toggle. Now the only redirect URIs allowed during client registration are those that match the patterns in the table.
Glean-managed list toggle disabled
5

Configure allowed clients

Toggle individual clients to add or remove their redirect URI patterns.
Toggle individual clients
Alternatively, remove redirect URI patterns individually.
Delete redirect URI pattern
6

Add redirect URI patterns

Add redirect URI patterns for any additional clients you want your users to connect with.
Add redirect URI pattern

Redirect URI patterns

Patterns can match redirect URIs exactly or use * as a wildcard to match characters within a single path segment.
The wildcard * does not match path separators (/) or traverse directory boundaries. This prevents overly broad patterns from inadvertently allowing unintended redirect URIs.

Example

For a redirect URI https://my.example.com/oauth/callback:
PatternMatches?Reason
https://my.example.com/oauth/callbackYesExact match
https://my.example.com/oauth/*YesWildcard matches callback
https://my.example.com/*/callbackYesWildcard matches oauth
https://my.example.com/*NoWildcard cannot match across path separators (oauth/callback)