Dynamic Client Registration endpoint #7033

@Zaimwa9

Description

Context

MCP client apps self-register at connection time and do not pre-configure a client_id.
We need to implement a POST endpoint where a client sends its name and redirect URIs and gets a client_id back.

Registration alone grants zero access. A real user must still log in and consent before any token is issued.

  • Create a view at POST /o/register/
  • The view accepts a JSON body with:
    • client_name (required)
    • redirect_uris (required, array of strings)
    • grant_types (optional, default ["authorization_code", "refresh_token"])
    • response_types (optional, default ["code"])
    • token_endpoint_auth_method (optional, default "none")
  • The view creates a DOT Application object with client_type="public", authorization_grant_type="authorization_code"
  • Returns 201 Created with the generated client_id and submitted metadata
  • Rate limiting: per-IP and global limits to prevent abuse -> Re-use login throttle
  • Redirect URI validation:
    • HTTPS required for all redirect URIs
    • No wildcards, exact match only
    • localhost exception: http://localhost:* and http://127.0.0.1:* permitted (standard for native/CLI OAuth clients, required by MCP clients)
  • No authentication required on this endpoint

Definition of done

  • POST /o/register/ creates a DOT Application and returns a client_id
  • Only public clients are created (no client secret issued)
  • Redirect URI validation enforced (HTTPS, no wildcards, localhost exception)
  • Rate limiting active
  • Invalid requests return error response
  • The client_id can be used to start an Authorization Code + PKCE flow
  • Monitor the registration of new applications and potential abuses / Recurring Tasks
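
The metadata defaults and redirect URI rules listed above, as stand-alone Python. This is an added example, not code from this issue or the project; `RegistrationError`, `validate_redirect_uri` and `parse_registration` are hypothetical names, and creating the DOT Application and rate limiting are left out.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}  # the issue's plain-http exception
DEFAULTS = {
    "grant_types": ["authorization_code", "refresh_token"],
    "response_types": ["code"],
    "token_endpoint_auth_method": "none",
}


class RegistrationError(ValueError):
    """Hypothetical error type for this added example; not DOT or project code."""


def validate_redirect_uri(uri):
    """Return uri if it satisfies the issue's rules, otherwise raise."""
    if not isinstance(uri, str) or "*" in uri:
        raise RegistrationError(f"not a string, or contains a wildcard: {uri!r}")
    try:
        parts = urlsplit(uri)
        host, _port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError as exc:
        raise RegistrationError(f"unparseable redirect URI: {uri!r}") from exc
    if not host:
        raise RegistrationError(f"redirect URI has no host: {uri!r}")
    # Compare the parsed host, never a string prefix, so lookalikes such as
    # http://localhost.evil.example or http://localhost@evil.example fail.
    loopback_http = parts.scheme == "http" and host in LOOPBACK_HOSTS
    if parts.scheme == "https" or loopback_http:
        return uri
    raise RegistrationError(f"HTTPS required: {uri!r}")


def parse_registration(body):
    """Validate a decoded JSON body and fill in the issue's defaults."""
    if not isinstance(body, dict):
        raise RegistrationError("body must be a JSON object")
    name = body.get("client_name")
    if not isinstance(name, str) or not name.strip():
        raise RegistrationError("client_name is required")
    uris = body.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        raise RegistrationError("redirect_uris must be a non-empty array")
    metadata = {"client_name": name,
                "redirect_uris": [validate_redirect_uri(u) for u in uris]}
    for key, default in DEFAULTS.items():
        metadata[key] = body.get(key, default)
    return metadata
```

A view would map `RegistrationError` to the error response and pass the returned metadata on to Application creation.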
