feat: Add scope parameter to startAuthorization function

- Add optional scope parameter to startAuthorization function signature
- Include scope in authorization URL query parameters when provided
- Update auth function to pass through scope from provider.clientMetadata
- Add tests to verify scope is correctly included/excluded from auth URL

This enhancement allows clients to specify authorization scopes during the OAuth flow.

Author: pcarleton

src/client/auth.test.ts

@@ -177,6 +177,31 @@ describe("OAuth Authorization", () => {
       expect(codeVerifier).toBe("test_verifier");
     });
 
+    it("includes scope parameter when provided", async () => {
+      const { authorizationUrl } = await startAuthorization(
+        "https://auth.example.com",
+        {
+          clientInformation: validClientInfo,
+          redirectUrl: "http://localhost:3000/callback",
+          scope: "read write profile",
+        }
+      );
+
+      expect(authorizationUrl.searchParams.get("scope")).toBe("read write profile");
+    });
+
+    it("excludes scope parameter when not provided", async () => {
+      const { authorizationUrl } = await startAuthorization(
+        "https://auth.example.com",
+        {
+          clientInformation: validClientInfo,
+          redirectUrl: "http://localhost:3000/callback",
+        }
+      );
+
+      expect(authorizationUrl.searchParams.has("scope")).toBe(false);
+    });
+
     it("uses metadata authorization_endpoint when provided", async () => {
       const { authorizationUrl } = await startAuthorization(
         "https://auth.example.com",

src/client/auth.ts

@@ -145,7 +145,8 @@ export async function auth(
   const { authorizationUrl, codeVerifier } = await startAuthorization(serverUrl, {
     metadata,
     clientInformation,
-    redirectUrl: provider.redirectUrl
+    redirectUrl: provider.redirectUrl,
+    scope: provider.clientMetadata.scope
   });
 
   await provider.saveCodeVerifier(codeVerifier);
@@ -202,10 +203,12 @@ export async function startAuthorization(
     metadata,
     clientInformation,
     redirectUrl,
+    scope,
   }: {
     metadata?: OAuthMetadata;
     clientInformation: OAuthClientInformation;
     redirectUrl: string | URL;
+    scope?: string;
   },
 ): Promise<{ authorizationUrl: URL; codeVerifier: string }> {
   const responseType = "code";
@@ -246,6 +249,10 @@ export async function startAuthorization(
     codeChallengeMethod,
   );
   authorizationUrl.searchParams.set("redirect_uri", String(redirectUrl));
+  
+  if (scope) {
+    authorizationUrl.searchParams.set("scope", scope);
+  }
 
   return { authorizationUrl, codeVerifier };
 }