From 2114894118131a82ecc1be8c51606bdfd352399f Mon Sep 17 00:00:00 2001
From: Aymeric GEFFROY <aymeric.geffroy@koesio.com>
Date: Thu, 9 Apr 2026 16:20:31 +0200
Subject: [PATCH] fix(mcp): exclude null fields from Dynamic Client
 Registration payload

`OAuthClientMetadata.model_dump()` serializes optional `None` fields
(e.g. `scope`, `client_uri`) as JSON `null`. Some MCP servers that
perform strict validation on the registration payload (e.g. GitLab MCP)
reject the request with 400 Bad Request:

  {"error":"invalid_client_metadata","error_description":"expected string, received null"}

Using `model_dump(exclude_none=True)` omits unset optional fields from
the JSON body, which conforms to RFC 7591 (OAuth 2.0 Dynamic Client
Registration) where absent fields should use server defaults.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 api/core/mcp/auth/auth_flow.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/core/mcp/auth/auth_flow.py b/api/core/mcp/auth/auth_flow.py
index d015769b54..c96686ba35 100644
--- a/api/core/mcp/auth/auth_flow.py
+++ b/api/core/mcp/auth/auth_flow.py
@@ -527,7 +527,7 @@ def register_client(
 
     response = ssrf_proxy.post(
         registration_url,
-        json=client_metadata.model_dump(),
+        json=client_metadata.model_dump(exclude_none=True),
         headers={"Content-Type": "application/json"},
     )
     if not response.is_success: