
feat(auth): support custom scope in authorization requests #491


Conversation

xiaoyijun
Contributor

@xiaoyijun xiaoyijun commented May 14, 2025

Add support for specifying custom OAuth scopes during authorization requests, separating client registration metadata from authorization request parameters.

Motivation and Context

Previously, the authorization request was hardcoded to use the scope from client metadata (clientMetadata.scope) (in #464), which incorrectly mixed two different OAuth 2.0 concepts:

  1. Client Registration Metadata: defines the maximum scope capabilities a client is registered for
  2. Authorization Request Parameters: specific scope requested during an individual authorization flow

This change properly separates these concerns by:

  • Making the scope in authorization requests configurable
  • Allowing different scopes for different authorization flows
  • Maintaining the original client metadata scope for registration purposes

This better aligns with OAuth 2.0 specification where authorization request scopes and client registration metadata serve different purposes.

How Has This Been Tested?

Existing unit tests passed.

Breaking Changes

No. If the scope is not provided, it will fall back to clientMetadata.scope.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

This change focuses on architectural correctness in OAuth 2.0 implementation by properly separating client registration metadata from authorization request parameters. While this is a breaking change, it enforces better OAuth 2.0 practices by making scope requirements explicit in authorization requests.

Migration guide:

```typescript
// Old code
await auth(provider, { serverUrl });

// New code
await auth(provider, {
  serverUrl,
  scope: "your-required-scope" // Explicitly specify the scope
});
```
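The scope resolution the description above lays out (an explicit per-request scope wins, otherwise the registered clientMetadata.scope is used, otherwise the parameter is omitted), as an added TypeScript example that is not part of this PR or the SDK. The type names, the helper names, the authorization-URL builder and the least-privilege check that a per-request scope stays within what the client registered for are assumptions for illustration, not the SDK's API.

```typescript
// Added example, not the SDK's own code. Types and helper names are assumptions.

interface ClientMetadata {
  client_id: string;
  redirect_uris: string[];
  scope?: string; // registration-time ceiling, space-delimited (RFC 6749 style)
}

interface AuthOptions {
  serverUrl: string;
  scope?: string; // per-request scope; optional
}

/** Split a space-delimited OAuth scope string into its individual tokens. */
function scopeTokens(scope: string | undefined): Set<string> {
  return new Set((scope ?? "").split(/\s+/).filter((s) => s.length > 0));
}

/**
 * Resolve the scope for one authorization request: the explicit option wins,
 * otherwise fall back to the registered clientMetadata.scope, otherwise none.
 */
function resolveRequestedScope(
  options: AuthOptions,
  metadata: ClientMetadata,
): string | undefined {
  return options.scope ?? metadata.scope;
}

/**
 * Least-privilege check (assumed, not in the SDK): return the requested tokens
 * that exceed the registered scope. An empty array means the request stays
 * within the registration. If no scope was registered there is no known
 * ceiling, so nothing is flagged.
 */
function scopesExceedingRegistration(
  requested: string | undefined,
  metadata: ClientMetadata,
): string[] {
  if (metadata.scope === undefined) return [];
  const allowed = scopeTokens(metadata.scope);
  return [...scopeTokens(requested)].filter((s) => !allowed.has(s));
}

/** Build the authorization URL, adding `scope` only when one was resolved. */
function buildAuthorizationUrl(
  authorizationEndpoint: string,
  options: AuthOptions,
  metadata: ClientMetadata,
  codeChallenge: string,
): string {
  const url = new URL(authorizationEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", metadata.client_id);
  url.searchParams.set("redirect_uri", metadata.redirect_uris[0]);
  url.searchParams.set("code_challenge", codeChallenge);
  url.searchParams.set("code_challenge_method", "S256");
  const scope = resolveRequestedScope(options, metadata);
  if (scope !== undefined) url.searchParams.set("scope", scope);
  return url.toString();
}

// Constructed sample data for a stand-alone run (placeholder values).
const sampleMetadata: ClientMetadata = {
  client_id: "example-client-id",
  redirect_uris: ["http://localhost:3000/callback"],
  scope: "read write",
};
const sampleOptions: AuthOptions = { serverUrl: "https://mcp.example", scope: "read" };

console.log(resolveRequestedScope(sampleOptions, sampleMetadata)); // "read"
console.log(scopesExceedingRegistration("read admin", sampleMetadata)); // ["admin"]
console.log(
  buildAuthorizationUrl("https://as.example/authorize", sampleOptions, sampleMetadata, "placeholder-challenge"),
);
```

Calling `scopesExceedingRegistration` before sending the request lets a client surface a misconfigured `scope` option early instead of relying on the authorization server to narrow or reject it.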

@xiaoyijun
Contributor Author

Hi @pcarleton @ihrpr , I hope you don't mind me tagging you here. Would you mind taking a look at this PR? I've made some changes to properly separate the OAuth scopes between client registration metadata and authorization requests.

Would really appreciate your thoughts on this, especially if you see any potential issues or have suggestions for improvement.

Contributor

@pcarleton pcarleton left a comment


Good catch, thanks for this.

I added one suggestion lmkwyt

Contributor

@pcarleton pcarleton left a comment


LGTM! Thanks

@pcarleton pcarleton merged commit 66dec56 into modelcontextprotocol:main May 14, 2025
2 checks passed
@xiaoyijun xiaoyijun deleted the feat-support-custom-scope-in-auth-request branch May 15, 2025 02:28