Anonymous Dynamic Client Registration - Scalability & Lifecycle Management Concerns

Hello folks,

With the growing adoption of AI tooling and the MCP ecosystem, I've been exploring anonymous Dynamic Client Registration (DCR) to enable MCP clients (IDEs, coding assistants, etc.) to autonomously create Keycloak clients. This would allow their users to obtain JWTs via the Authorization Code flow and access MCP Servers that require authorization.

I've encountered two challenges:

1. Unbounded Client Creation

It is possible to create an unlimited number of clients through anonymous DCR. The default realm threshold of 300 clients could be easily exhausted through a DDoS attack, potentially impacting legitimate users.

2. Missing Client Creation Timestamp

There doesn't seem to be a built-in timestamp indicating when a client was created. While there is a CLIENT_REGISTRATION user event, it gets purged over time (similar to LOGIN events). This makes it difficult to crossreference CLIENT_REGISTRATION with LOGIN events and implement proper lifecycle management—e.g. distinguishing between a client registered 5 minutes ago that hasn't been used yet versus one that has been stale for a year.

Potential Solutions

I've been considering a few approaches and would appreciate any feedback:

1. IP-based throttling — Rate-limit client registrations per source IP to prevent abuse through Client Registration Policies
2. Schema extension — Extend Keycloak schema and create a new table with created_at timestamp per client to support cleanup jobs and retention policies

Questions for the Community

• Are there any plans to address these concerns in upcoming releases?
• Are there better approaches or existing workarounds that I might have overlooked?
• Has anyone implemented similar solutions in production they'd be willing to share?

Thanks in advance! I'm happy to contribute if there's interest in tackling these issues.