fix: handle None required_scopes in validate_scope as no restrictions

When a client is registered without scope restrictions (self.scope is None),
validate_scope() incorrectly treated it as an empty allowed-scopes list,
causing all requested scopes to be rejected with InvalidScopeError.

Now when self.scope is None, the method returns the requested scopes as-is,
treating None as 'no restrictions' rather than 'no scopes allowed'.

Fixes #2216

Author: MaxwellCalkin

src/mcp/shared/auth.py

@@ -71,11 +71,14 @@ def validate_scope(self, requested_scope: str | None) -> list[str] | None:
         if requested_scope is None:
             return None
         requested_scopes = requested_scope.split(" ")
-        allowed_scopes = [] if self.scope is None else self.scope.split(" ")
+        if self.scope is None:
+            # No scope restrictions registered for this client; allow any scopes
+            return requested_scopes
+        allowed_scopes = self.scope.split(" ")
         for scope in requested_scopes:
-            if scope not in allowed_scopes:  # pragma: no branch
+            if scope not in allowed_scopes:
                 raise InvalidScopeError(f"Client was not registered with scope {scope}")
-        return requested_scopes  # pragma: no cover
+        return requested_scopes
 
     def validate_redirect_uri(self, redirect_uri: AnyUrl | None) -> AnyUrl:
         if redirect_uri is not None: