fix: pass OAuth scopes to DCR and extract granted_scopes from token response

Two fixes for OAuth scope handling in MCP server connections:

1. Patch rmcp to include scopes from WWW-Authenticate in the DCR
   registration request (see modelcontextprotocol/rust-sdk#705)

2. Extract granted_scopes from the token response instead of always
   saving an empty vec, so stored credentials accurately reflect
   what the authorization server granted.

Signed-off-by: Peter Siska <63866+peschee@users.noreply.github.com>

Author: peschee

Cargo.lock

@@ -72,3 +72,4 @@ tracing-opentelemetry = "0.32"
 
 [patch.crates-io]
 v8 = { path = "vendor/v8" }
+rmcp = { git = "https://github.com/peschee/rust-sdk.git", branch = "fix-dcr-scopes" }

Cargo.toml

@@ -5,7 +5,7 @@ use axum::response::Html;
 use axum::routing::get;
 use axum::Router;
 use minijinja::render;
-use rmcp::transport::auth::{CredentialStore, OAuthState, StoredCredentials};
+use rmcp::transport::auth::{CredentialStore, OAuthState, StoredCredentials, TokenResponse};
 use rmcp::transport::AuthorizationManager;
 use serde::Deserialize;
 use std::net::SocketAddr;
@@ -101,11 +101,18 @@ pub async fn oauth_flow(
         .into_authorization_manager()
         .ok_or_else(|| anyhow::anyhow!("Failed to get authorization manager"))?;
 
+    let granted_scopes: Vec<String> = token_response
+        .as_ref()
+        .and_then(|tr| tr.scopes())
+        .map(|scopes| scopes.iter().map(|s| s.to_string()).collect())
+        .unwrap_or_default();
+
     credential_store
         .save(StoredCredentials {
             client_id,
             token_response,
-            granted_scopes: vec![],
+            granted_scopes,
+            token_received_at: None,
         })
         .await?;