fix(auth): pass WWW-Authenticate scopes to DCR registration request

[peschee]

Summary

When an MCP server returns a 401 with WWW-Authenticate: Bearer scope="read write", the scopes are correctly parsed and stored in AuthorizationManager.www_auth_scopes, and used for the authorization URL. However, they are never included in the Dynamic Client Registration (DCR) request.

Per RFC 7591, the DCR request should include a scope field so the authorization server knows what scopes the client intends to use. Servers that enforce scope-matching between registration and authorization reject the flow without this.

Changes

• Add optional scope field to ClientRegistrationRequest with #[serde(skip_serializing_if = "Option::is_none")] for backward compatibility — servers that don't expect scope in DCR won't see it
• Update register_client() to accept a scopes parameter and include it in the DCR request body and returned OAuthClientConfig
• Thread scopes from AuthorizationSession::new() into both register_client() call sites
• Re-export oauth2::TokenResponse trait so downstream consumers (e.g., Goose) can call .scopes() on token responses to extract granted scopes
• Add serialization tests verifying the scope field is present when Some and absent when None

Test plan

• cargo test -p rmcp --features auth --lib -- client_registration_request — both new tests pass
• Connect to an MCP server that returns scopes in WWW-Authenticate and verify the DCR request includes the scope field (inspect via RUST_LOG=debug)
• Verify backward compatibility: servers that don't expect scope in DCR continue to work (field omitted when no scopes)

[DaleSeo]

Thanks for your contribution, @peschee! I have some suggestions.

[DaleSeo]

ClientRegistrationRequest is a public struct that doesn't have #[non_exhaustive]. Adding the new scope field means that any downstream code constructing this struct directly will fail to compile. If this type is part of the crate's public API, consider adding #[non_exhaustive] to the struct. This would be a breaking change, but it’s a good way to future-proof it.

[peschee]

Good point! However, adding #[non_exhaustive] is itself a breaking change (it prevents downstream from constructing the struct with literal syntax), so it should probably be done as a separate PR that also considers the other public structs like ClientRegistrationResponse. Happy to open a follow-up for that if you'd like — or would you prefer to include it in this PR?

[DaleSeo]

I took another look and noticed this struct isn't actually re-exported from the crate. Would it make sense to just scope it to pub(crate) here?

[peschee]

Updated to pub(crate) in 3e08474.

[DaleSeo]

Is this re-export is intentional?

Re-exporting oauth2::TokenResponse ties this crate's public API to the oauth2 crate's specific version. If oauth2 is upgraded to a new major version, downstream consumers who depend on this re-export will also break.

[peschee]

This re-export is pre-existing and was not introduced by this PR — it's been there since the auth module was added. I agree it's worth reviewing, but I'd suggest addressing it separately to keep this PR focused on the DCR scopes fix. Would you like me to open a separate issue for it?

[DaleSeo]

This re-export is pre-existing and was not introduced by this PR — it's been there since the auth module was added.

Just to clarify, it's been only imported privately and this PR is the first to make it a pub use re-export.

[peschee]

Removed the public re-export in 174456a. Downstream now imports oauth2::TokenResponse directly.