fix: expand OAuth metadata validation to support compliant servers

The OAuthMetadata validation was too restrictive, rejecting valid OAuth 2.0
server configurations that advertise additional authentication methods beyond
the minimum required set.

Changes:
- Allow 'client_secret_basic' in token_endpoint_auth_methods_supported
- Allow 'plain' in code_challenge_methods_supported

This fixes compatibility with MCP servers like Asana (mcp.asana.com) that
advertise support for multiple OAuth authentication methods as allowed by
the OAuth 2.0 specification and MCP specification.

The MCP specification does not restrict which authentication methods servers
can support, only requiring that PKCE is used. These changes ensure the
client can connect to any compliant MCP server regardless of which optional
authentication methods they also support.
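
Accepting metadata that lists extra methods is separate from choosing which method the client actually uses. The sketch below is an added example, not the SDK's code: `select_methods`, `MetadataError`, the preference tuples and the sample metadata are hypothetical, and it assumes the client only ever sends S256 challenges.

```python
"""Tolerant metadata parsing, strict method selection (illustrative only)."""

# Methods this client is willing to use, in preference order (assumption).
USABLE_CHALLENGE_METHODS = ("S256",)  # "plain" may be advertised, never chosen
USABLE_TOKEN_AUTH_METHODS = ("client_secret_post", "client_secret_basic")


class MetadataError(ValueError):
    """Raised when the server metadata cannot be used safely."""


def _string_list(metadata, key, default):
    value = metadata.get(key, default)
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise MetadataError(f"{key} must be a list of strings")
    return value


def select_methods(metadata):
    """Accept any advertised methods, then pick only ones this client uses."""
    # RFC 8414: if this field is omitted, the server does not support PKCE.
    challenge = _string_list(metadata, "code_challenge_methods_supported", [])
    # RFC 8414: client_secret_basic is the default when the field is omitted.
    token_auth = _string_list(
        metadata, "token_endpoint_auth_methods_supported", ["client_secret_basic"])

    chosen_challenge = next(
        (m for m in USABLE_CHALLENGE_METHODS if m in challenge), None)
    if chosen_challenge is None:
        raise MetadataError("server does not advertise S256 PKCE")
    chosen_auth = next(
        (m for m in USABLE_TOKEN_AUTH_METHODS if m in token_auth), None)
    if chosen_auth is None:
        raise MetadataError("no usable token endpoint auth method advertised")
    return {"code_challenge_method": chosen_challenge,
            "token_endpoint_auth_method": chosen_auth}


# Constructed sample metadata (not captured from any real server).
MULTI_METHOD_SERVER = {
    "issuer": "https://auth.example.test",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "code_challenge_methods_supported": ["plain", "S256"],
}
PLAIN_ONLY_SERVER = dict(MULTI_METHOD_SERVER, code_challenge_methods_supported=["plain"])

if __name__ == "__main__":
    print(select_methods(MULTI_METHOD_SERVER))
```

A server that lists `plain` alongside `S256` is accepted and S256 is selected; a server that lists only `plain` is rejected at selection time rather than at parse time.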