Use StringSplitOptions.RemoveEmptyEntries in scope splitting

Agent-Logs-Url: https://github.com/modelcontextprotocol/csharp-sdk/sessions/cf7499bb-4f2e-430c-82c1-e160d5c12b25

Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>

Author: Copilot

src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs

@@ -736,8 +736,8 @@ private async Task PerformDynamicClientRegistrationAsync(
         // all previously requested scopes to prevent losing previously granted permissions.
         if (_lastRequestedScopes is not null && newScopes is not null)
         {
-            var combined = new HashSet<string>(_lastRequestedScopes.Split(' '), StringComparer.Ordinal);
-            foreach (var scope in newScopes.Split(' '))
+            var combined = new HashSet<string>(_lastRequestedScopes.Split(' ', StringSplitOptions.RemoveEmptyEntries), StringComparer.Ordinal);
+            foreach (var scope in newScopes.Split(' ', StringSplitOptions.RemoveEmptyEntries))
             {
                 combined.Add(scope);
             }

tests/ModelContextProtocol.AspNetCore.Tests/OAuth/AuthTests.cs

@@ -477,8 +477,8 @@ public async Task AuthorizationFlow_UsesScopeFromForbiddenHeader()
                     // If they don't, it shouldn't get here due to middleware
                     // The token scope may include accumulated scopes, so check for containment
                     var scopeClaim = user.FindFirst("scope")?.Value ?? "";
-                    var userScopes = new HashSet<string>(scopeClaim.Split(' '), StringComparer.Ordinal);
-                    Assert.True(adminScopes.Split(' ').All(s => userScopes.Contains(s)), "User should have admin scopes when tool executes");
+                    var userScopes = new HashSet<string>(scopeClaim.Split(' ', StringSplitOptions.RemoveEmptyEntries), StringComparer.Ordinal);
+                    Assert.True(adminScopes.Split(' ', StringSplitOptions.RemoveEmptyEntries).All(s => userScopes.Contains(s)), "User should have admin scopes when tool executes");
                     return "Admin tool executed.";
                 }),
             ]);
@@ -516,8 +516,8 @@ public async Task AuthorizationFlow_UsesScopeFromForbiddenHeader()
                             // Check if user has all required scopes (token may include accumulated scopes)
                             var user = context.User;
                             var scopeClaim = user.FindFirst("scope")?.Value ?? "";
-                            var userScopes = new HashSet<string>(scopeClaim.Split(' '), StringComparer.Ordinal);
-                            if (!adminScopes.Split(' ').All(s => userScopes.Contains(s)))
+                            var userScopes = new HashSet<string>(scopeClaim.Split(' ', StringSplitOptions.RemoveEmptyEntries), StringComparer.Ordinal);
+                            if (!adminScopes.Split(' ', StringSplitOptions.RemoveEmptyEntries).All(s => userScopes.Contains(s)))
                             {
                                 // User lacks required scopes, return 403 before MapMcp processes the request
                                 context.Response.StatusCode = StatusCodes.Status403Forbidden;