MCP: Relax redirectUri validation to allow any URI scheme

[Floriferous]

Cursor is not able to use oauth DCR to connect to the MCP server because they want to redirect to cursor://anysphere.cursor-mcp/oauth/callback, which is currently not allowed and results in the following error: Redirect URIs must be localhost or HTTPS. This PR relaxes redirectUri validation to allow for any URI scheme, except for http to external URIs.

Seems like cursor is a bit ahead of the spec here, though the python SDK has also gone this path: https://github.com/modelcontextprotocol/python-sdk/pull/895

Closes #652