fix: validate_scope allows any scope when client has no registered scope restriction

When OAuthClientMetadata.scope is None it means the client was registered
without any scope restriction. The previous code built allowed_scopes as an
empty list in that case, causing every requested scope to raise
InvalidScopeError — the opposite of the intended behavior.

Fix: return requested_scopes immediately when self.scope is None, bypassing
the per-scope membership check.

Also remove the now-unreachable pragma comments that suppressed coverage for
the success path of the loop.

Github-Issue: #2216

Author: enjoykumawat

src/mcp/shared/auth.py

@@ -71,11 +71,14 @@ def validate_scope(self, requested_scope: str | None) -> list[str] | None:
         if requested_scope is None:
             return None
         requested_scopes = requested_scope.split(" ")
-        allowed_scopes = [] if self.scope is None else self.scope.split(" ")
+        if self.scope is None:
+            # Client registered without scope restrictions — allow any requested scope
+            return requested_scopes
+        allowed_scopes = self.scope.split(" ")
         for scope in requested_scopes:
-            if scope not in allowed_scopes:  # pragma: no branch
+            if scope not in allowed_scopes:
                 raise InvalidScopeError(f"Client was not registered with scope {scope}")
-        return requested_scopes  # pragma: no cover
+        return requested_scopes
 
     def validate_redirect_uri(self, redirect_uri: AnyUrl | None) -> AnyUrl:
         if redirect_uri is not None:

tests/shared/test_auth.py

@@ -1,6 +1,40 @@
 """Tests for OAuth 2.0 shared code."""
 
-from mcp.shared.auth import OAuthMetadata
+import pytest
+
+from mcp.shared.auth import InvalidScopeError, OAuthClientInformationFull, OAuthClientMetadata, OAuthMetadata
+
+
+def _make_client(scope: str | None) -> OAuthClientInformationFull:
+    return OAuthClientInformationFull(
+        redirect_uris=["https://example.com/callback"],
+        scope=scope,
+        client_id="test-client",
+    )
+
+
+def test_validate_scope_returns_none_when_no_scope_requested():
+    client = _make_client("read write")
+    assert client.validate_scope(None) is None
+
+
+def test_validate_scope_allows_registered_scopes():
+    client = _make_client("read write")
+    assert client.validate_scope("read") == ["read"]
+    assert client.validate_scope("read write") == ["read", "write"]
+
+
+def test_validate_scope_raises_for_unregistered_scope():
+    client = _make_client("read")
+    with pytest.raises(InvalidScopeError):
+        client.validate_scope("read admin")
+
+
+def test_validate_scope_allows_any_scope_when_client_has_no_scope_restriction():
+    """When client.scope is None, any requested scope should be allowed (issue #2216)."""
+    client = _make_client(None)
+    assert client.validate_scope("read") == ["read"]
+    assert client.validate_scope("read write admin") == ["read", "write", "admin"]
 
 
 def test_oauth():