
Inconsistent behavior - Authorization URL built with all scopes listed in .well-known/oauth-authorization-server and not just the ones listed in .well-known/oauth-protected-resource #587

@KKonstantinov

Description


Describe the bug
When going through the auth flow, the .well-known/oauth-authorization-server contains all scopes that the authorization server supports, which might be many more than the MCP requires. (The assumption is that the auth server is already up and running and serving more than just the MCP.) The .well-known/oauth-protected-resource defines the scopes of the protected resource server.

Currently, the Dynamic Client Registration request going out contains the scopes found in oauth-protected-resource; however, the authorization URL built on the next step contains all the scopes listed in the oauth-authorization-server.

To Reproduce
Steps to reproduce the behavior:

  1. Start the Guided OAuth Flow
  2. Debug the Client Registration step - observe it sends out scopes read from oauth-protected-resource
  3. Generate the Authorization URL - observe it contains ALL scopes read from oauth-authorization-server

Expected behavior
It should use the scopes from the protected resource to build the Authorization URL, just like it does on the Client Registration step.
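The expected behavior described in this report, as an added example that is not MCP Inspector's own code: the client builds the authorization URL from the scopes declared by the protected resource (the `scopes_supported` field of RFC 9728 metadata), not from the authorization server's full `scopes_supported` list (RFC 8414). The example goes one step beyond the report by intersecting the resource's scopes with the ones the authorization server advertises, and by omitting the `scope` parameter entirely when the resource declares none, rather than falling back to everything the server offers. The metadata values, client id, redirect URI and PKCE challenge are constructed for the example; `selectScopes`, `allAuthServerScopes` and `buildAuthorizationUrl` are names chosen here, not inspector APIs.

```typescript
// Added example: choose authorization scopes from the protected-resource metadata.
// Not MCP Inspector's code; metadata values below are constructed for illustration.

interface AuthorizationServerMetadata {
  // RFC 8414 fields used here
  issuer: string;
  authorization_endpoint: string;
  scopes_supported?: string[];
}

interface ProtectedResourceMetadata {
  // RFC 9728 fields used here
  resource: string;
  authorization_servers?: string[];
  scopes_supported?: string[];
}

// The behavior the report describes: every scope the AS knows about gets requested.
function allAuthServerScopes(as: AuthorizationServerMetadata): string[] {
  return as.scopes_supported ?? [];
}

// The expected behavior: request only what the protected resource declares.
// Assumption (not in the report): scopes the AS does not advertise are dropped,
// so a stale or mistyped entry in the resource metadata cannot cause an
// invalid_scope error at the authorization endpoint.
function selectScopes(
  as: AuthorizationServerMetadata,
  pr: ProtectedResourceMetadata,
): string[] {
  const resourceScopes = pr.scopes_supported ?? [];
  if (!as.scopes_supported) {
    return resourceScopes; // AS advertised nothing; trust the resource's list as-is
  }
  const supported = new Set(as.scopes_supported);
  return resourceScopes.filter((scope) => supported.has(scope));
}

function buildAuthorizationUrl(
  as: AuthorizationServerMetadata,
  pr: ProtectedResourceMetadata,
  clientId: string,
  redirectUri: string,
  codeChallenge: string, // PKCE S256 challenge, computed elsewhere
  state: string,
): string {
  const url = new URL(as.authorization_endpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("code_challenge", codeChallenge);
  url.searchParams.set("code_challenge_method", "S256");
  url.searchParams.set("state", state);
  // RFC 8707 resource indicator binds the token to this MCP server.
  url.searchParams.set("resource", pr.resource);

  const scopes = selectScopes(as, pr);
  if (scopes.length > 0) {
    url.searchParams.set("scope", scopes.join(" "));
  }
  // No scope parameter at all when the resource declares none: the AS applies
  // its own default rather than the client asking for everything it supports.
  return url.toString();
}

// Constructed sample metadata: an AS shared by several applications, and an
// MCP server that needs only two of its scopes (plus one the AS does not offer).
const sampleAuthServer: AuthorizationServerMetadata = {
  issuer: "https://auth.example.com",
  authorization_endpoint: "https://auth.example.com/authorize",
  scopes_supported: ["openid", "profile", "email", "billing:write", "mcp:tools", "mcp:resources"],
};

const sampleProtectedResource: ProtectedResourceMetadata = {
  resource: "https://mcp.example.com/mcp",
  authorization_servers: ["https://auth.example.com"],
  scopes_supported: ["mcp:tools", "mcp:resources", "mcp:unknown"],
};

const authorizeUrl = buildAuthorizationUrl(
  sampleAuthServer,
  sampleProtectedResource,
  "client-id-from-dcr",
  "https://client.example/callback",
  "constructed-pkce-challenge",
  "constructed-state",
);
console.log("all AS scopes (reported behavior):", allAuthServerScopes(sampleAuthServer));
console.log("selected scopes (expected behavior):", selectScopes(sampleAuthServer, sampleProtectedResource));
console.log(authorizeUrl);
```

With the sample metadata, the reported behavior would request six scopes including `billing:write`, while the resource-driven selection requests only `mcp:tools mcp:resources`; the difference is what the user sees on the consent screen and what the issued token can reach.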

Metadata

Labels: auth (Issues related to authentication and/or authorization), bug (Something isn't working)
