I’m developing an MCP server and implemented dynamic oauth client registration which works perfecly fine with Claude (Web and Code).
ChatGPT however fails to register because, imho, there is an inconsistency in the data posted to the registration endpoint and it’s expectations about the response: It registers with “token_endpoint_auth: none”, which leads my server to believe it’s a non-confidential client that does not want (or need) a client_secret, therefore the registration response does not contain a client_secret.
I could of course hand out a client_secret to all clients regardless of their requested token endpoint auth method, but I would like to raise the question why ChatGPT requires the secret to be present in the registration response when it declares it does not want to use it via “token_endpoint_auth: none”? It could either just use “client_secret_post” instead of “none”, or accept the lack of a secret if it indeed intends to use the token endpoint without authentication.