fix: include scope parameter in OAuth authorization code token exchange

[Vadaski]

Problem

When exchanging an authorization code for tokens, the SDK never included a scope parameter in the token request. This breaks providers (e.g. Azure AD) that require the scope to be re-stated in the token exchange, and prevents callers from controlling which scope is requested.

Closes #941

Root Cause

prepareAuthorizationCodeRequest() had no scope parameter; and fetchToken() / auth() had no way to thread scope through to the token endpoint.

Changes

prepareAuthorizationCodeRequest()

Added an optional scope?: string parameter. When provided it is appended to the URLSearchParams; when omitted the function behaves exactly as before (no scope field, fully backwards compatible).

fetchToken() — new scope option

The function now accepts an explicit scope option.

Code path	Scope behaviour
authorization_code via built-in prepareAuthorizationCodeRequest	Only the explicitly supplied scope is forwarded. clientMetadata.scope is never injected. This prevents invalid_scope from servers that narrowed the grant during authorization (RFC 6749 §4.1.3).
Custom prepareTokenRequest() (client_credentials, jwt-bearer, …)	Falls back to provider.clientMetadata.scope as before, because these flows start a fresh request rather than redeeming a pre-authorized grant.

auth() — tokenExchangeScope

auth() now computes a separate tokenExchangeScope = scope (the raw scope from the WWW-Authenticate challenge, if any). It passes only that explicit server-provided value into fetchToken(), so neither PRM scopes_supported nor clientMetadata.scope are re-injected at the token-exchange step.

resolvedScope (the full fallback chain: WWW-Authenticate → PRM → clientMetadata) continues to be used for DCR and the authorization redirect, as before.

Test Coverage

• prepareAuthorizationCodeRequest: includes scope when provided; omits scope when not provided.
• fetchToken: explicit scope reaches the token body; no scope injection from clientMetadata when called without explicit scope.
• Existing exchangeAuthorization / full auth() tests continue to pass unchanged.

Compatibility

No breaking changes. All existing call sites that do not pass scope to prepareAuthorizationCodeRequest or fetchToken behave identically to before.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 98dd73a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1669

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1669

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1669

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1669

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1669

commit: 163e3dd