feat(oauth): add CIMD support for client metadata discovery

[waleedlatif1]

Summary

• Add CIMD (Client ID Metadata Document) support so clients like Claude Desktop can register via metadata URL instead of DCR
• Fetch, validate, and cache CIMD documents with SSRF protection
• Upsert CIMD clients as public OAuth apps (no secret, PKCE-only)
• Advertise client_id_metadata_document_supported in OIDC discovery
• Fix consent page to handle URL-formatted client_ids (encodeURIComponent) and arbitrary logo domains (<img>)

Type of Change

• New feature

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Feb 21, 2026 10:21pm

[greptile-apps]

Greptile Summary

Adds CIMD (Client ID Metadata Document) support to enable OAuth clients like Claude Desktop to register dynamically via metadata URL instead of manual Dynamic Client Registration. The implementation fetches and validates CIMD documents with SSRF protection using DNS-pinned IP resolution, caches metadata with a 5-minute TTL and deduplicates concurrent requests, and upserts clients as public PKCE-only apps with userId: null.

Key changes:

• New cimd.ts module handles metadata fetching with secureFetchWithValidation for SSRF protection, validates redirect_uris (blocks dangerous schemes, commas), and sanitizes logo_uri to HTTPS-only
• OAuth flow hook in auth.ts resolves CIMD URLs before authorize/token endpoints, evicts cache on upsert failure to allow retry
• Consent page encodes URL-formatted client_ids and switches to native <img> to support arbitrary logo domains
• OIDC discovery advertises client_id_metadata_document_supported: true

Issue found: onConflictDoUpdate missing userId: null - on re-registration, userId won't be explicitly reset

Confidence Score: 4/5

• Safe to merge with one minor data consistency fix needed
• Strong security implementation with proper SSRF protection via DNS-pinned IP resolution, comprehensive validation of metadata documents, and efficient caching. The missing userId: null in conflict update could cause inconsistency if a CIMD client is re-registered, but this is unlikely to occur in practice and doesn't pose a security risk
• apps/sim/lib/auth/cimd.ts needs userId field added to conflict update

Important Files Changed

Filename	Overview
apps/sim/lib/auth/cimd.ts	New CIMD implementation with SSRF protection, caching, validation - missing userId: null in conflict update
apps/sim/lib/auth/auth.ts	Added CIMD resolution hook in OAuth flow with proper error handling and cache eviction on upsert failure
apps/sim/app/(auth)/oauth/consent/page.tsx	URL-encoded client_id for CIMD URLs, switched to native <img> for arbitrary logo domains

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    Start[OAuth Request with URL clientId] --> Check{isMetadataUrl?}
    Check -->|No| Normal[Normal OAuth Flow]
    Check -->|Yes| CacheCheck{In Cache?}
    
    CacheCheck -->|Yes| UseCache[Use Cached Metadata]
    CacheCheck -->|No| Fetch[Fetch CIMD Document]
    
    Fetch --> DNS[DNS Lookup]
    DNS --> ValidateIP{IP Private?}
    ValidateIP -->|Yes| Block[Block Request]
    ValidateIP -->|No| PinnedFetch[Fetch with Pinned IP]
    
    PinnedFetch --> Validate[Validate Document]
    Validate --> ValidateClient{clientId matches URL?}
    ValidateClient -->|No| Error1[Reject - Mismatch]
    ValidateClient -->|Yes| ValidateRedirects{redirectUris valid?}
    
    ValidateRedirects -->|No| Error2[Reject - Invalid URIs]
    ValidateRedirects -->|Yes| Cache[Cache Metadata 5min]
    
    Cache --> UseCache
    UseCache --> Upsert[Upsert to DB]
    
    Upsert --> UpsertOK{Success?}
    UpsertOK -->|No| Evict[Evict Cache]
    UpsertOK -->|Yes| Continue[Continue OAuth]
    
    Evict --> Fail[Fail Request]

Loading

_{Last reviewed commit: f61ff70}

[greptile-apps]

_{3 files reviewed, 7 comments}

_{Edit Code Review Agent Settings | Greptile}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[greptile-apps]

_{3 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[greptile-apps]

_{3 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[waleedlatif1]

@greptile

[waleedlatif1]

@curosr review

[greptile-apps]

_{3 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[greptile-apps]

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (1)

apps/sim/app/(auth)/oauth/consent/page.tsx
unused import - Image is imported but no longer used after switching to native <img> tag

import { useCallback, useEffect, useState } from 'react'

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[greptile-apps]

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[greptile-apps]

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}