Bug: validate_scope rejects client scopes when required scopes in None

[nik1097]

Initial Checks

• I confirm that I'm using the latest version of MCP Python SDK
• I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue

Description

The validate_scope() function in the Python SDK incorrectly handles cases where there are no required scopes from the client. Instead of treating None as no restrictions, it interprets it as an empty list of allowed scopes. This causes scopes in the token to be rejected with InvalidScopeError, even if the client should be allowed to request them.

Example Code

Python & MCP Python SDK

1.26.0

[shivama205]

I'll take this. The bug is in OAuthClientMetadata.validate_scope() — when self.scope is None (no scopes registered), it converts to an empty list, rejecting all requested scopes. The fix is to treat None as "no restrictions" and allow any scope through.

@nik1097 thanks for reporting, will have a PR up shortly.