[auth] Add resource compatibility to debugger (RFC 8707)

[pcarleton]

• pass resource in auth debugger, reusing server url
• throw error on resource url mismatch to match regular auth flow

Motivation and Context

We've added RFC 8707 Resource Indicators as part of the MCP spec. There is an inflight change to add this to the Typescript SDK.

This change adds the similar behavior to the inspector in order to facilitate debugging.

This depends on: modelcontextprotocol/typescript-sdk#638

How Has This Been Tested?

Tested against the typescript SDK example server, and also tested against a few live servers (sentry, jira) to make sure it doesn't break.

Breaking Changes

Previously, we didn't care about the resource parameter returned in the Protected Resource Metadata. Now, in the debugger (and in the regular flow), we'll throw an exception if the resource does not match the provided server url.

Another potential breakage is if an AS rejects the resource parameter as invalid, we won't progress through the authorization flow, but we think this is unlikely.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

[ochafik]

lg, just tinits :-)

[pcarleton]

ptal? @ochafik

once we bump the typescript version for modelcontextprotocol/typescript-sdk#664 we can merge in https://github.com/modelcontextprotocol/inspector/pull/537/files to use the SDK function rather than having slightly bespoke logic here.

[ihrpr]

Typescript SDK is on 1.13.1 now