Is authorization server DCR a MUST requirement, and how does PKCE fit into this workflow? #525
Unanswered
davidshen84 asked this question in Q&A
Your Question
Hi,
According to this section, DCR is not a required feature of the authorization server. But all the code implementations I can find assume the authorization server provides DCR. In particular, the MCP Inspector has a hardcoded step to register a new client every time you start the OAuth workflow.
This section says an MCP client MUST implement PKCE. But a client secret or credential is not required to implement PKCE. Then why must an MCP client require or register an OAuth client? Wouldn't using PKCE to get an access token be more secure and easier to implement?
I am quite confused about these two requirements.
Lastly, do Claude.ai and Claude Desktop support PKCE? If I want to implement an MCP server specifically for Claude.ai with authorization, can I configure my OAuth provider to support PKCE only without DCR? Is there a place I can get technical details for integration with Claude.ai and Claude Desktop?
Thanks