OAuth2: Protected-resource URL passed as scope instead of parsed scope

### Initial Checks

- [x] I confirm that I'm using the latest version of MCP Python SDK
- [x] I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue

### Description

I noticed that the scope parameter is being set to the OAuth protected-resource URL instead of the parsed scope (or None when no scope is provided).

After inspecting the code, it seems the URL is passed directly as the scope here:

https://github.com/modelcontextprotocol/python-sdk/blob/9724ad1ce66c2a4f18c7539ef589d4d3b9aebd82/src/mcp/client/auth/oauth2.py#L508-L512

This results in an incorrect scope value being propagated during OAuth2 authentication.

### Example Code

```Python

```

### Python & MCP Python SDK

```Text
1.21.1
```

	self.context.client_metadata.scope = get_client_metadata_scopes(
	www_auth_resource_metadata_url,
	self.context.protected_resource_metadata,
	self.context.oauth_metadata,
	)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

OAuth2: Protected-resource URL passed as scope instead of parsed scope #1630

Initial Checks

Description

Example Code

Python & MCP Python SDK

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

OAuth2: Protected-resource URL passed as scope instead of parsed scope #1630

Description

Initial Checks

Description

Example Code

Python & MCP Python SDK

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions