Description
This is a tracking issue for the implementation of SEP-835 in the Kotlin SDK.
Summary
This SEP proposes enhancements to the MCP OAuth 2.1-based authorization specification to improve scope management and client experience. The changes include: structured scope selection strategies following the principle of least privilege (prioritizing the WWW-Authenticate scope parameter, with fallback to scopes_supported), comprehensive scope error handling with upgrade flows, differentiated behavior for client credentials vs. interactive clients, and improved consistency in error responses by including resource_metadata in 403 insufficient_scope responses. This addresses gaps in scope selection guidance, runtime scope upgrades, and error handling that currently lead to over-privileged token requests and implementation inconsistencies.
The Kotlin SDK currently does not provide built-in OAuth or authorization functionality. This implementation will require adding comprehensive scope management support including: priority-based scope selection logic (WWW-Authenticate first, then scopes_supported fallback), enhanced error handling for 403 insufficient_scope responses with resource_metadata, scope upgrade flow implementation with different behavior for interactive vs. client credentials clients, retry limits and caching mechanisms to prevent infinite loops, and security guidance for scope minimization and progressive access patterns. This may be implemented as part of an optional OAuth extension module for the SDK.
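The selection order and the bounded upgrade loop described above, as an added Kotlin sketch that is not code from the Kotlin SDK or the SEP text; the type and function names (ProtectedResourceMetadata, ScopeSelector, ScopeUpgradeClient), the two-upgrade limit and the constructed responses are assumptions.

```kotlin
// Added example, not SDK code. Only the fields the logic needs are modelled.
data class ProtectedResourceMetadata(val scopesSupported: List<String>?)
data class ChallengeResponse(val status: Int, val wwwAuthenticate: String?)

object ScopeSelector {
    // Parses auth-params such as
    //   Bearer error="insufficient_scope", scope="files:read files:write"
    private val paramRegex = Regex("(\\w+)=\"([^\"]*)\"")

    fun params(header: String?): Map<String, String> =
        header?.let { h ->
            paramRegex.findAll(h).associate { it.groupValues[1] to it.groupValues[2] }
        } ?: emptyMap()

    // Priority: WWW-Authenticate scope parameter, then scopes_supported, else nothing.
    fun select(header: String?, metadata: ProtectedResourceMetadata?): List<String> {
        val fromChallenge = params(header)["scope"]?.split(' ')?.filter { it.isNotBlank() }
        if (!fromChallenge.isNullOrEmpty()) return fromChallenge
        return metadata?.scopesSupported.orEmpty()
    }
}

class ScopeUpgradeClient(
    private val interactive: Boolean,          // false for client credentials
    private val maxUpgrades: Int = 2,          // assumed retry limit
    private val request: (List<String>) -> ChallengeResponse
) {
    // Scope sets already requested; a repeated demand means the server keeps
    // rejecting the same grant, so we stop instead of looping forever.
    private val attempted = mutableSetOf<Set<String>>()

    fun call(initialScopes: List<String>, metadata: ProtectedResourceMetadata?): ChallengeResponse {
        var scopes = initialScopes
        var upgrades = 0
        while (true) {
            val resp = request(scopes)
            val err = ScopeSelector.params(resp.wwwAuthenticate)["error"]
            if (resp.status != 403 || err != "insufficient_scope") return resp
            // Client-credentials clients cannot ask a user for consent: surface the error.
            if (!interactive || upgrades == maxUpgrades) return resp
            val wanted = ScopeSelector.select(resp.wwwAuthenticate, metadata)
            if (wanted.isEmpty() || !attempted.add(wanted.toSet())) return resp
            scopes = (scopes + wanted).distinct()   // minimal upgrade, keep what we had
            upgrades++
        }
    }
}
```

A caller would wire `request` to the SDK's HTTP layer and re-run the authorization flow with the enlarged scope list each time `call` loops; with `interactive = false` the first 403 is returned to the caller unchanged.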