[Client][Auth] SEP-2207: Request offline_access scope against OIDC-flavored AS for refresh tokens

[chr-hertel]

Implements the client-side portion of SEP-2207 for the MCP Spec 2026-07-28 release.

Tracked by umbrella #338.

Spec summary

Clients SHOULD request the offline_access scope when needing refresh tokens from OIDC-style servers. Additive, non-breaking.

PHP SDK changes

• When initiating the auth-code flow, detect OIDC-flavored AS (e.g., presence of openid in scopes_supported, or userinfo_endpoint in AS metadata) and conditionally add offline_access.
• Tie into [Client] Implement OAuth 2.0 Authorization Code flow with PKCE (RFC 6749 + RFC 7636) #319 (Auth Code + PKCE) and [Client] Implement refresh_token grant + offline_access scope #323 (refresh_token grant) — without it, the refresh-token grant is moot against OIDC servers.

Related

• Umbrella [2026-07-28] Authorization hardening (OAuth/OIDC) #338
• Server-side PRM audit in companion sub-issue
• Extends [Client] Implement OAuth 2.0 Authorization Code flow with PKCE (RFC 6749 + RFC 7636) #319 and [Client] Implement refresh_token grant + offline_access scope #323