feat: RFC 7591 dynamic client registration, server session ID preservation, and OAuth timeout fix #1

Open
acziryak-everhealth wants to merge 1 commit into asyrjasalo:main from acziryak-everhealth:feat/oauth-dynamic-registration-and-session-id

@acziryak-everhealth

  • Add dynamic client registration (RFC 7591) so servers with a registration_endpoint in their OAuth discovery metadata can be used without providing oauth_client_id in config
  • Capture Mcp-Session-Id from server response headers instead of overwriting with a client-generated UUID
  • Extend transport creation timeout to 120s when OAuth browser flow may be required (was 5s, insufficient for user interaction)
  • Store dynamically registered client_id alongside tokens in the cache for reuse on subsequent connections

Why

I was trying to get Atlassian's hosted MCP server (mcp.atlassian.com) working through dynamic-mcp, and ran into a chain of issues that all needed fixing to make it work end-to-end.

Atlassian's MCP server uses OAuth with dynamic client registration (RFC 7591) — there's no static oauth_client_id you can just plug into the config. Tools like VS Code and opencode handle this natively, but dynamic-mcp required a pre-registered oauth_client_id in the config, which meant you had to do the registration dance yourself externally and then somehow get the client ID into the right place. Not great.

On top of that, even if you got past the OAuth hurdle, the connection would still fail because of two other issues:

  1. After initialize, the client overwrites the server-assigned Mcp-Session-Id with a random UUID — so subsequent requests like tools/list get rejected by the server
  2. The transport creation timeout is 5 seconds, which isn't enough time for a user to complete an OAuth browser flow

What Changed

1. RFC 7591 Dynamic Client Registration

If no oauth_client_id is provided in the config, the client now checks the server's OAuth discovery metadata for a registration_endpoint. If one exists, it dynamically registers a new client — using the actual callback server port in the redirect_uris so the redirect URI matches exactly. The registered client_id gets cached alongside the tokens in ~/.dynamic-mcp/oauth-servers/<name>.json so it's reused on subsequent connections.

This means the config for an OAuth-protected server can be as simple as:

{
  "description": "Atlassian",
  "url": "https://mcp.atlassian.com/v1/mcp"
}

No oauth_client_id, no external setup scripts. dynamic-mcp handles discovery, registration, browser auth, token caching, and refresh all on its own.

2. Server Session ID Preservation

After initialize, the client now captures the Mcp-Session-Id header from the server's response and uses it for subsequent requests. A client-generated UUID is only used as a fallback if the server doesn't assign one. This fixes connections to servers like Atlassian that require their own session ID to be echoed back.

3. OAuth-Aware Transport Timeout

When a server might need an OAuth browser flow (has oauth_client_id set, or has no Authorization header and might trigger dynamic registration), the transport creation timeout is extended to 120 seconds. This gives the user enough time to complete the browser authorization. Non-OAuth servers still use the original 5-second timeout.


Files Changed

  • src/auth/oauth_client.rs — Dynamic client registration, authenticate() now accepts Option<&str> for client_id, registration uses actual callback port
  • src/auth/store.rs — Added client_id field to OAuthTokens for caching the registered client ID
  • src/config/schema.rs — Added needs_oauth() method for timeout decisions
  • src/proxy/client.rs — Session ID fallback logic (only generate UUID if server didn't assign one), OAuth-aware timeout
  • src/proxy/transport.rs — Capture Mcp-Session-Id from response headers, OAuth flow without explicit oauth_client_id

…ation, and OAuth timeout fix

- Add dynamic client registration (RFC 7591) so servers with a
  registration_endpoint in their OAuth discovery metadata can be
  used without providing oauth_client_id in config
- Capture Mcp-Session-Id from server response headers instead of
  overwriting with a client-generated UUID
- Extend transport creation timeout to 120s when OAuth browser
  flow may be required (was 5s, insufficient for user interaction)
- Store dynamically registered client_id alongside tokens in the
  cache for reuse on subsequent connections
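
The session ID fallback and OAuth-aware timeout described in this PR, sketched as an added example that is not code from the pull request. `ServerConfig`, its fields, `transport_timeout` and `select_session_id` are hypothetical names (only `needs_oauth()` is named on the page), and the visible-ASCII restriction (0x21 to 0x7E) is taken from the MCP Streamable HTTP transport specification, not from this PR.

```rust
use std::time::Duration;

// Hypothetical, trimmed-down server entry; field names are assumptions.
struct ServerConfig {
    oauth_client_id: Option<String>,
    headers: Vec<(String, String)>,
}

impl ServerConfig {
    // OAuth may be needed when a client ID is configured, or when no
    // Authorization header is supplied (dynamic registration may trigger).
    fn needs_oauth(&self) -> bool {
        self.oauth_client_id.is_some()
            || !self.headers.iter().any(|(k, _)| k.eq_ignore_ascii_case("authorization"))
    }

    // 120 s leaves room for a browser flow; non-OAuth servers keep 5 s.
    fn transport_timeout(&self) -> Duration {
        Duration::from_secs(if self.needs_oauth() { 120 } else { 5 })
    }
}

// Prefer the server-assigned Mcp-Session-Id and use the client-generated
// value only when the server sent none. An ID containing bytes outside
// visible ASCII (CR, LF, spaces, ...) is rejected instead of being echoed
// back in the headers of later requests.
fn select_session_id(server_assigned: Option<&str>, client_generated: &str) -> Result<String, String> {
    match server_assigned {
        None => Ok(client_generated.to_string()),
        Some(id) if !id.is_empty() && id.bytes().all(|b| (0x21..=0x7E).contains(&b)) => {
            Ok(id.to_string())
        }
        Some(_) => Err("server sent a malformed Mcp-Session-Id".to_string()),
    }
}

fn main() {
    // Constructed sample values, not taken from a real server.
    let hosted = ServerConfig { oauth_client_id: None, headers: vec![] };
    println!("timeout: {:?}", hosted.transport_timeout());
    println!("{:?}", select_session_id(Some("srv-7f3a"), "client-uuid"));
    println!("{:?}", select_session_id(None, "client-uuid"));
    println!("{:?}", select_session_id(Some("bad\r\nX-Injected: 1"), "client-uuid"));
}
```
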