fix: preserve client_metadata.scope if already set

Don't override the scope if it was explicitly set by the client.
This allows clients to:
- Request fewer permissions than available
- Work with servers that reject requests for unauthorized scopes

The scope selection strategy now only applies when scope is None.

Fixes #2317

Author: owendevereaux

src/mcp/client/auth/oauth2.py

@@ -571,12 +571,13 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
                         else:
                             logger.debug(f"OAuth metadata discovery failed: {url}")
 
-                    # Step 3: Apply scope selection strategy
-                    self.context.client_metadata.scope = get_client_metadata_scopes(
-                        extract_scope_from_www_auth(response),
-                        self.context.protected_resource_metadata,
-                        self.context.oauth_metadata,
-                    )
+                    # Step 3: Apply scope selection strategy (only if not already set)
+                    if self.context.client_metadata.scope is None:
+                        self.context.client_metadata.scope = get_client_metadata_scopes(
+                            extract_scope_from_www_auth(response),
+                            self.context.protected_resource_metadata,
+                            self.context.oauth_metadata,
+                        )
 
                     # Step 4: Register client or use URL-based client ID (CIMD)
                     if not self.context.client_info: