oauth: use requested scopes instead of all supported scope

[howardjohn]

Motivation and Context

This mirrors the logic in client_registration

Fixes #587

Without this change, all supported scopes are requested rather than just the ones suggested by the PRM

How Has This Been Tested?

Manually tested

Breaking Changes

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

[cliffhall]

Hi @howardjohn! Thanks for this contribution. It's right, but we also need to do the same thing in useConnection.ts in the handleAuthError function.

Separately, we were considering a solution like this in useConnection

const handleAuthError = async (error: unknown) => {  
  if (is401Error(error)) {  
    const serverAuthProvider = new InspectorOAuthClientProvider(sseUrl);  
      
    // Minimal scope discovery  
    let scope: string | undefined = undefined;  
    try {  
      const metadata = await discoverOAuthMetadata(sseUrl);  
      if (metadata?.scopes_supported) {  
        scope = metadata.scopes_supported.join(" ");  
      }  
    } catch (error) {  
      // Continue without scope if discovery fails  
    }  
  
    const result = await auth(serverAuthProvider, {   
      serverUrl: sseUrl,  
      scope   
    });  
    return result === "AUTHORIZED";  
  }  
  
  return false;  
};

I think we should try and extract the logic into a function that can be used in both places. Would you mind looking into that here?