Open
Description
I've noticed that mcp-remote does not send the supported scopes listed by the server at its /.well-known/oauth-protected-resource endpoint. This makes it difficult to ensure that the supplied token has the right scopes when doing authentication.

Based on the authorization spec, the client should request the resource server metadata when it encounters a 403. While mcp-remote does request this information to extract the authorization server list, it seems to ignore the scopes_supported parameter and instead requests only scopes defined by the authorization server itself (or none if the authorization server does not provide a list).
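
One way a client could carry the resource server's scopes_supported into the authorization request and then check the granted scopes, as an added example (not mcp-remote's code and not part of the original issue). The helper names, the precedence (resource metadata first, then authorization server metadata) and the sample metadata are assumptions.

```javascript
// Added example: helper names are hypothetical; sample metadata is constructed.
const SCOPE_TOKEN = /^[\x21\x23-\x5B\x5D-\x7E]+$/; // RFC 6749 scope-token
// Keep only well-formed, de-duplicated scope strings from untrusted metadata.
function cleanScopes(list) {
  if (!Array.isArray(list)) return [];
  return [...new Set(list.filter((s) => typeof s === 'string' && SCOPE_TOKEN.test(s)))];
}

// Assumed precedence: the resource server's scopes_supported, then the
// authorization server's list, then no scope parameter at all.
function selectScopes(resourceMeta, asMeta) {
  const fromResource = cleanScopes(resourceMeta.scopes_supported);
  if (fromResource.length > 0) return fromResource;
  return cleanScopes(asMeta.scopes_supported);
}

function buildAuthorizationUrl(resourceMeta, asMeta, client) {
  // Refuse an authorization server the protected resource does not list.
  if (!(resourceMeta.authorization_servers || []).includes(asMeta.issuer)) {
    throw new Error('issuer not listed in authorization_servers');
  }
  const url = new URL(asMeta.authorization_endpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', client.clientId);
  url.searchParams.set('redirect_uri', client.redirectUri);
  url.searchParams.set('code_challenge', client.codeChallenge);
  url.searchParams.set('code_challenge_method', 'S256');
  url.searchParams.set('resource', resourceMeta.resource); // RFC 8707
  const scopes = selectScopes(resourceMeta, asMeta);
  if (scopes.length > 0) url.searchParams.set('scope', scopes.join(' '));
  return url;
}

// Scopes requested but not granted. RFC 6749 lets the token response
// omit "scope" when it is identical to what was requested.
function missingScopes(requested, tokenResponse) {
  if (typeof tokenResponse.scope !== 'string') return [];
  const granted = new Set(tokenResponse.scope.split(' ').filter(Boolean));
  return requested.filter((s) => !granted.has(s));
}

// Constructed sample documents (not taken from any real server).
const RESOURCE_META = {
  resource: 'https://mcp.example.com/mcp',
  authorization_servers: ['https://auth.example.com'],
  scopes_supported: ['mcp:tools', 'mcp:resources', 'bad scope', 'mcp:tools'],
};
const AS_META = { issuer: 'https://auth.example.com', scopes_supported: ['openid', 'profile'],
  authorization_endpoint: 'https://auth.example.com/authorize' };
```
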