WWW-Authenticate header is not respected by Client SDK

### Initial Checks

- [x] I confirm that I'm using the latest version of MCP Python SDK
- [x] I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue

### Description

As per MCP specification:

> MCP clients MUST be able to parse WWW-Authenticate headers and respond appropriately to HTTP 401 Unauthorized responses from the MCP server.

Link: https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization

At the same time, the Client SDK calculates the protected resource metadata URL and ignores the header:

```
    async def _discover_protected_resource(self) -> httpx.Request:
        """Build discovery request for protected resource metadata."""
        auth_base_url = self.context.get_authorization_base_url(self.context.server_url)
        url = urljoin(auth_base_url, "/.well-known/oauth-protected-resource")
        return httpx.Request("GET", url, headers={MCP_PROTOCOL_VERSION: LATEST_PROTOCOL_VERSION})
```
Link to the source code: https://github.com/modelcontextprotocol/python-sdk/blob/794218433656554deff37477c0bef8cb7deb40f6/src/mcp/client/auth.py#L206C5-L211C1

### Example Code

```Python

```

### Python & MCP Python SDK

```Text
Letest
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

WWW-Authenticate header is not respected by Client SDK #1054

Initial Checks

Description

Example Code

Python & MCP Python SDK

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

WWW-Authenticate header is not respected by Client SDK #1054

Description

Initial Checks

Description

Example Code

Python & MCP Python SDK

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions