DCR is cool, but I haven't seen anyone roll it out. I know it has to be enabled per-tenant in Okta and Azure (which nobody does), and I don't think Google Workspace supports it at all yet. It's a shame that OIDC spent so long and got so much market-share tied to OAuth client secrets, especially since classic OpenID had no such configuration step.

DCR is now being pushed by AI companies, using the MCP protocol that basically requires DCR.

So it might get some traction, and finally break the monopoly of "Login With Google" buttons.

This is because the MCP folks focus almost entirely on the client developer experience at the expense of implementability CIMD is a bit better and will supplant DCR, but overall there's yet to be a good flow here that supports management in enterprise use cases.