Description
Problem
Two issues with the current CIMD (Client ID Metadata Document) implementation:
1. CIMD failure is fatal; it should fall back to DCR on the client side, but we just error out.
When a client uses a URL as its client_id and CIMD fetching fails (e.g. the metadata document exceeds the 5KB size limit, or the fetch times out, or the URL returns an error), the library throws an error that propagates as a 500 to the user.
We're seeing this in production where clients using URL-based client_ids (e.g. https://claude.ai/oauth/mcp-oauth-client-metadata) hit the 5KB response size limit and get a "Server Error" on /authorize. Maybe due to bot blocking?
2. No explicit way to disable CIMD
The only way to disable CIMD is to remove the `global_fetch_strictly_public` compatibility flag from `wrangler.jsonc`. This is a very indirect mechanism:

- The flag's purpose is SSRF protection, not CIMD control
- Removing it has side effects on all `fetch()` calls in the worker, not just CIMD
- There's no documentation that removing this flag is how you opt out of CIMD
- It's not discoverable — you have to read the library source to figure this out

CIMD should be opt-in.
There should be an explicit option on `OAuthProvider`, e.g.:

```ts
new OAuthProvider({
  clientIdMetadataDocument: false, // or { enabled: false }
  // ...
})
```
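As an added illustration, not part of the issue and not the workers-oauth-provider library's own code, the JavaScript below sketches the behaviour the two points above ask for: a CIMD lookup that reports size-limit, timeout and HTTP failures as "no document" instead of throwing, an `invalid_client` result the authorization endpoint can turn into a 4xx so the client can fall back to DCR, and a `cimdEnabled` switch that skips the fetch entirely. All function names, the `cimdEnabled` option, the 5KB cap constant, the fake `fetch`, the metadata URLs and the in-memory DCR registry are hypothetical or constructed for the example.

```javascript
// Added example (not the workers-oauth-provider library's code). Names, the
// cimdEnabled option and the fixtures at the bottom are hypothetical/constructed.

const MAX_CIMD_BYTES = 5 * 1024; // assumed cap, matching the 5KB limit the issue mentions
const CIMD_TIMEOUT_MS = 3000;    // assumed

// A client_id is CIMD-style only if it is an https URL with a non-local host.
// Cheap sanity check only; it does not replace platform-level SSRF protection
// such as the global_fetch_strictly_public compatibility flag.
function isUrlClientId(clientId) {
  let url;
  try { url = new URL(clientId); } catch { return false; }
  if (url.protocol !== 'https:') return false;
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (/^[\d.]+$/.test(host) || host.startsWith('[')) return false; // IPv4/IPv6 literal
  return true;
}

// Read a response body with a byte cap; returns null once the cap is exceeded,
// so an oversized document never has to be buffered in full.
async function readCapped(res, maxBytes) {
  const reader = res.body.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) { await reader.cancel(); return null; }
    chunks.push(value);
  }
  const out = new Uint8Array(total);
  let offset = 0;
  for (const c of chunks) { out.set(c, offset); offset += c.byteLength; }
  return out;
}

// Returns { ok: true, client } or { ok: false, reason }; never throws.
async function fetchClientMetadata(clientId, fetchImpl, opts = {}) {
  const maxBytes = opts.maxBytes ?? MAX_CIMD_BYTES;
  const timeoutMs = opts.timeoutMs ?? CIMD_TIMEOUT_MS;
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    const res = await fetchImpl(clientId, {
      signal: ctrl.signal,
      redirect: 'error', // a metadata URL that redirects is not trusted
      headers: { accept: 'application/json' },
    });
    if (!res.ok) return { ok: false, reason: `http_${res.status}` };
    if (!res.body) return { ok: false, reason: 'empty_body' };
    const declared = Number(res.headers.get('content-length'));
    if (Number.isFinite(declared) && declared > maxBytes) return { ok: false, reason: 'too_large' };
    const body = await readCapped(res, maxBytes);
    if (body === null) return { ok: false, reason: 'too_large' };
    let doc;
    try { doc = JSON.parse(new TextDecoder().decode(body)); } catch { return { ok: false, reason: 'invalid_json' }; }
    // The document must name itself and register at least one redirect URI.
    if (doc.client_id !== clientId) return { ok: false, reason: 'client_id_mismatch' };
    if (!Array.isArray(doc.redirect_uris) || doc.redirect_uris.length === 0) return { ok: false, reason: 'no_redirect_uris' };
    return { ok: true, client: doc };
  } catch (err) {
    return { ok: false, reason: err && err.name === 'AbortError' ? 'timeout' : 'fetch_error' };
  } finally {
    clearTimeout(timer);
  }
}

// Resolve a client for /authorize. A failed CIMD fetch falls through to the DCR
// store; an unknown client yields invalid_client for the endpoint to report with
// a 4xx, so the client can register via DCR instead of seeing a 500.
async function resolveClient(clientId, { fetchImpl, registry, cimdEnabled = true }) {
  if (cimdEnabled && isUrlClientId(clientId)) {
    const r = await fetchClientMetadata(clientId, fetchImpl);
    if (r.ok) return { source: 'cimd', client: r.client };
    // r.reason is worth logging for operators; it must not fail the request here.
  }
  const stored = registry.get(clientId);
  if (stored) return { source: 'dcr', client: stored };
  return { source: 'none', client: null, error: 'invalid_client' };
}

// Constructed fixtures: an in-memory DCR store and a fake fetch for three hosts.
const CIMD_OK = 'https://client.example/oauth/client-metadata.json';
const CIMD_BIG = 'https://big.example/client-metadata.json';
const CIMD_SLOW = 'https://slow.example/client-metadata.json';
const registry = new Map([
  ['dcr-abc123', { client_id: 'dcr-abc123', redirect_uris: ['https://app.example/cb'] }],
]);

function fakeFetch(url, init) {
  if (url === CIMD_OK) {
    const doc = { client_id: CIMD_OK, redirect_uris: ['https://client.example/cb'] };
    return Promise.resolve(new Response(JSON.stringify(doc), { status: 200, headers: { 'content-type': 'application/json' } }));
  }
  if (url === CIMD_BIG) return Promise.resolve(new Response('x'.repeat(6 * 1024), { status: 200 })); // over the cap
  if (url === CIMD_SLOW) {
    return new Promise((_, reject) =>
      init.signal.addEventListener('abort', () => reject(Object.assign(new Error('aborted'), { name: 'AbortError' }))));
  }
  return Promise.resolve(new Response('not found', { status: 404 }));
}
```

Run under Node 18 or later (for the global `Response`); in a Worker you would pass the real `fetch`. The two design points are that `fetchClientMetadata` returns a result object rather than throwing, so a bad, slow or oversized document degrades to `invalid_client` instead of a 500, and that the byte cap is enforced while streaming, so a hostile host cannot make the worker buffer a large body before the limit is applied.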