feat(oauth): add CIMD support for client metadata discovery

Author: waleedlatif1

apps/sim/app/(auth)/oauth/consent/page.tsx

@@ -46,7 +46,7 @@ export default function OAuthConsentPage() {
       return
     }
 
-    fetch(`/api/auth/oauth2/client/${clientId}`, { credentials: 'include' })
+    fetch(`/api/auth/oauth2/client/${encodeURIComponent(clientId)}`, { credentials: 'include' })
       .then(async (res) => {
         if (!res.ok) return
         const data = await res.json()
@@ -164,13 +164,13 @@ export default function OAuthConsentPage() {
     <div className='flex flex-col items-center justify-center'>
       <div className='mb-6 flex items-center gap-4'>
         {clientInfo?.icon ? (
-          <Image
+          /* eslint-disable-next-line @next/next/no-img-element */
+          <img
             src={clientInfo.icon}
             alt={clientName ?? 'Application'}
             width={48}
             height={48}
             className='rounded-[10px]'
-            unoptimized
           />
         ) : (
           <div className='flex h-12 w-12 items-center justify-center rounded-[10px] bg-muted font-medium text-[18px] text-muted-foreground'>

apps/sim/lib/auth/auth.ts

@@ -25,6 +25,7 @@ import {
   renderPasswordResetEmail,
   renderWelcomeEmail,
 } from '@/components/emails'
+import { isMetadataUrl, resolveClientMetadata, upsertCimdClient } from '@/lib/auth/cimd'
 import { sendPlanWelcomeEmail } from '@/lib/billing'
 import { authorizeSubscriptionReference } from '@/lib/billing/authorization'
 import { handleNewUser } from '@/lib/billing/core/usage'
@@ -541,6 +542,22 @@ export const auth = betterAuth({
         }
       }
 
+      // CIMD: resolve URL-formatted client_id before Better Auth looks it up
+      if (ctx.path === '/oauth2/authorize' || ctx.path === '/oauth2/token') {
+        const clientId = (ctx.query?.client_id ?? ctx.body?.client_id) as string | undefined
+        if (clientId && isMetadataUrl(clientId)) {
+          try {
+            const metadata = await resolveClientMetadata(clientId)
+            await upsertCimdClient(metadata)
+          } catch (err) {
+            logger.warn('CIMD resolution failed', {
+              clientId,
+              error: err instanceof Error ? err.message : String(err),
+            })
+          }
+        }
+      }
+
       return
     }),
   },
@@ -560,6 +577,9 @@ export const auth = betterAuth({
       allowDynamicClientRegistration: true,
       useJWTPlugin: true,
       scopes: ['openid', 'profile', 'email', 'offline_access', 'mcp:tools'],
+      metadata: {
+        client_id_metadata_document_supported: true,
+      } as Record<string, unknown>,
     }),
     oneTimeToken({
       expiresIn: 24 * 60 * 60, // 24 hours - Socket.IO handles connection persistence with heartbeats

apps/sim/lib/auth/cimd.ts

@@ -0,0 +1,160 @@
+import { randomUUID } from 'node:crypto'
+import dns from 'node:dns/promises'
+import { db } from '@sim/db'
+import { oauthApplication } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { sql } from 'drizzle-orm'
+
+const logger = createLogger('cimd')
+
+/** CIMD document shape per MCP spec (Nov 2025). */
+interface ClientMetadataDocument {
+  client_id: string
+  client_name: string
+  logo_uri?: string
+  redirect_uris: string[]
+  client_uri?: string
+  policy_uri?: string
+  tos_uri?: string
+  contacts?: string[]
+  scope?: string
+}
+
+/** Returns true when the client_id looks like a CIMD metadata URL. */
+export function isMetadataUrl(clientId: string): boolean {
+  return clientId.startsWith('https://')
+}
+
+const PRIVATE_RANGES = [
+  /^127\./,
+  /^10\./,
+  /^172\.(1[6-9]|2\d|3[01])\./,
+  /^192\.168\./,
+  /^169\.254\./,
+  /^0\./,
+  /^::1$/,
+  /^fc/i,
+  /^fd/i,
+  /^fe80/i,
+]
+
+function isPrivateIp(ip: string): boolean {
+  return PRIVATE_RANGES.some((re) => re.test(ip))
+}
+
+/**
+ * Fetches and validates a CIMD document.
+ * Rejects non-HTTPS URLs, private IPs (SSRF), and invalid documents.
+ */
+async function fetchClientMetadata(url: string): Promise<ClientMetadataDocument> {
+  const parsed = new URL(url)
+  if (parsed.protocol !== 'https:') {
+    throw new Error('CIMD URL must use HTTPS')
+  }
+
+  // SSRF: resolve hostname and reject private/loopback IPs
+  const addresses = await dns.resolve4(parsed.hostname).catch(() => [] as string[])
+  const addresses6 = await dns.resolve6(parsed.hostname).catch(() => [] as string[])
+  const allAddresses = [...addresses, ...addresses6]
+
+  if (allAddresses.length === 0) {
+    throw new Error(`Cannot resolve hostname: ${parsed.hostname}`)
+  }
+
+  for (const addr of allAddresses) {
+    if (isPrivateIp(addr)) {
+      throw new Error(`CIMD URL resolves to private IP: ${addr}`)
+    }
+  }
+
+  const controller = new AbortController()
+  const timeout = setTimeout(() => controller.abort(), 5000)
+
+  try {
+    const res = await fetch(url, {
+      signal: controller.signal,
+      headers: { Accept: 'application/json' },
+    })
+
+    if (!res.ok) {
+      throw new Error(`CIMD fetch failed: ${res.status} ${res.statusText}`)
+    }
+
+    const doc = (await res.json()) as ClientMetadataDocument
+
+    // Validate: client_id in document must match the URL exactly
+    if (doc.client_id !== url) {
+      throw new Error(`CIMD client_id mismatch: document has "${doc.client_id}", expected "${url}"`)
+    }
+
+    // Validate: redirect_uris must be present and non-empty
+    if (!Array.isArray(doc.redirect_uris) || doc.redirect_uris.length === 0) {
+      throw new Error('CIMD document must contain at least one redirect_uri')
+    }
+
+    // Validate: client_name must be present
+    if (!doc.client_name || typeof doc.client_name !== 'string') {
+      throw new Error('CIMD document must contain a client_name')
+    }
+
+    return doc
+  } finally {
+    clearTimeout(timeout)
+  }
+}
+
+/** In-memory cache with 5-minute TTL. */
+const cache = new Map<string, { doc: ClientMetadataDocument; expiresAt: number }>()
+const CACHE_TTL_MS = 5 * 60 * 1000
+
+/**
+ * Resolves a CIMD document with caching.
+ * Returns the cached document if still valid, otherwise fetches fresh.
+ */
+export async function resolveClientMetadata(url: string): Promise<ClientMetadataDocument> {
+  const cached = cache.get(url)
+  if (cached && Date.now() < cached.expiresAt) {
+    return cached.doc
+  }
+
+  const doc = await fetchClientMetadata(url)
+  cache.set(url, { doc, expiresAt: Date.now() + CACHE_TTL_MS })
+  return doc
+}
+
+/**
+ * Upserts an OAuth application row from a CIMD document.
+ * Uses the metadata URL as clientId. Public client (no secret).
+ */
+export async function upsertCimdClient(metadata: ClientMetadataDocument): Promise<void> {
+  const now = new Date()
+  const redirectURLs = metadata.redirect_uris.join(',')
+
+  await db
+    .insert(oauthApplication)
+    .values({
+      id: randomUUID(),
+      clientId: metadata.client_id,
+      name: metadata.client_name,
+      icon: metadata.logo_uri ?? null,
+      redirectURLs,
+      type: 'public',
+      clientSecret: null,
+      createdAt: now,
+      updatedAt: now,
+    })
+    .onConflictDoUpdate({
+      target: oauthApplication.clientId,
+      set: {
+        name: sql`excluded.name`,
+        icon: sql`excluded.icon`,
+        redirectURLs: sql`excluded.redirect_urls`,
+        updatedAt: sql`excluded.updated_at`,
+      },
+    })
+
+  logger.info('Upserted CIMD client', {
+    clientId: metadata.client_id,
+    name: metadata.client_name,
+  })
+}