fix(auth): always validate required redirect_uris at registration

KirtiRamchandani · KirtiRamchandani · commit a18fbd948a2c · 2026-06-13T19:37:43.000Z
diff --git a/src/mcp/server/auth/handlers/register.py b/src/mcp/server/auth/handlers/register.py
@@ -91,18 +91,17 @@ async def handle(self, request: Request) -> Response:
                 status_code=400,
             )
 
-        if client_metadata.redirect_uris is not None:
-            for redirect_uri in client_metadata.redirect_uris:
-                try:
-                    validate_registered_redirect_uri(redirect_uri)
-                except ValueError as error:
-                    return PydanticJSONResponse(
-                        content=RegistrationErrorResponse(
-                            error="invalid_client_metadata",
-                            error_description=str(error),
-                        ),
-                        status_code=400,
-                    )
+        for redirect_uri in client_metadata.redirect_uris:
+            try:
+                validate_registered_redirect_uri(redirect_uri)
+            except ValueError as error:
+                return PydanticJSONResponse(
+                    content=RegistrationErrorResponse(
+                        error="invalid_client_metadata",
+                        error_description=str(error),
+                    ),
+                    status_code=400,
+                )
 
         client_id_issued_at = int(time.time())
         client_secret_expires_at = (
