
Commit ef76ec2

dsp-ant, localden, aaronpk and pcarleton committed
authorization: Separate authorization server and resource server
In the initial specification of authorization in MCP, the MCP server acted as both the authorization server (AS) and resource server (RS). This makes enterprise deployments difficult where the AS is often a separate entity such as Auth0/Entra ID or others. The specification reworks the separation between AS/RS, making the MCP server an RS server only. This adds the complication that the MCP server must inform the client about the AS. We are using the Protected Resource Metadata OAuth specification for this. This is a first step in the right direction.

Co-authored-by: Den Delimarsky 🌺 <[email protected]>
Co-authored-by: Aaron Parecki <[email protected]>
Co-authored-by: Paul Carleton <[email protected]>
1 parent 3afdc13 commit ef76ec2

1 file changed: +107 -218 lines changed
