Support "client_secret_basic" in token exchange #549

Conversation

@SightStudio SightStudio commented May 26, 2025

Support client_secret_basic authentication method during token exchange

Motivation and Context

Some authorization servers (e.g. Auth0, internal OIDC providers) only support client_secret_basic authentication,
as required by RFC 6749 §2.3.1.

Previously, the SDK always used client_secret_post,
which caused 401 errors when servers rejected credentials in the request body.

This change adds support for client_secret_basic when it is declared in
token_endpoint_auth_methods_supported in the OAuth metadata.

How Has This Been Tested?

  • Unit test added to validate Authorization header is set correctly
  • Tested against a real OAuth 2.0 server that only accepts client_secret_basic

Breaking Changes

No breaking changes — default behavior remains the same (client_secret_post is used unless metadata says otherwise)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

This should improve compatibility with OAuth providers that strictly follow the spec.
Let me know if you'd like this logic extracted into a utility function for reuse in refreshAuthorization or token_exchange.
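An added example, in TypeScript, of the selection and request-building logic the PR describes; this is not code from the MCP SDK or from this PR, and the names selectClientAuthMethod, buildTokenExchangeRequest, parseBasicCredential and the sample metadata and endpoints are assumptions made for illustration. It reads token_endpoint_auth_methods_supported, picks client_secret_basic when the server lists it and client_secret_post otherwise, and builds the token-exchange request. Two details a practitioner would want to verify: RFC 6749 §2.3.1 requires client_id and client_secret to be form-urlencoded before they are joined with ":" and base64-encoded, so a secret containing ":" or "/" survives the round trip and the server can split on the first ":" unambiguously; and §2.3 forbids using more than one client authentication method in a single request, so the secret goes in the Authorization header or the body, never both. Where the metadata omits the field entirely, this example follows RFC 8414 §2 and defaults to client_secret_basic, which differs from the client_secret_post default the PR keeps.

```typescript
// Added example, not code from the MCP SDK or from this PR. Selecting the
// token-endpoint client authentication method from OAuth 2.0 Authorization
// Server Metadata (RFC 8414) and building the token-exchange request.
// Function, type and constant names here are illustrative assumptions.

type ClientAuthMethod = "client_secret_basic" | "client_secret_post" | "none";

interface AuthServerMetadata {
  token_endpoint: string;
  token_endpoint_auth_methods_supported?: string[];
}

interface TokenRequest {
  url: string;
  headers: Record<string, string>;
  body: string; // application/x-www-form-urlencoded
}

// Pick the method the server advertises. client_secret_basic is preferred
// because RFC 6749 §2.3.1 requires every server that issues client passwords
// to accept it; accepting client_secret_post is only optional for servers.
function selectClientAuthMethod(
  metadata: AuthServerMetadata,
  hasSecret: boolean,
): ClientAuthMethod {
  if (!hasSecret) return "none"; // public client: identified by client_id only
  const supported = metadata.token_endpoint_auth_methods_supported;
  // RFC 8414 §2: when the field is omitted, the default is client_secret_basic.
  if (supported === undefined) return "client_secret_basic";
  if (supported.includes("client_secret_basic")) return "client_secret_basic";
  if (supported.includes("client_secret_post")) return "client_secret_post";
  throw new Error(
    `token endpoint supports none of our methods: ${supported.join(", ") || "(empty)"}`,
  );
}

// RFC 6749 §2.3.1: form-urlencode client_id and client_secret, join them with
// ":", then apply HTTP Basic. The encoding turns any ":" inside the secret into
// "%3A", so the first ":" is always the separator.
function basicCredential(clientId: string, clientSecret: string): string {
  const userinfo = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return "Basic " + btoa(userinfo); // userinfo is pure ASCII, so btoa is safe here
}

function buildTokenExchangeRequest(
  metadata: AuthServerMetadata,
  clientId: string,
  clientSecret: string | undefined,
  params: Record<string, string>, // grant_type, code, redirect_uri, code_verifier, ...
): TokenRequest {
  const method = selectClientAuthMethod(metadata, clientSecret !== undefined);
  const headers: Record<string, string> = {
    "Content-Type": "application/x-www-form-urlencoded",
    Accept: "application/json",
  };
  const form = new URLSearchParams(params);
  form.set("client_id", clientId); // identifies the client; not an authentication method

  // RFC 6749 §2.3: a client MUST NOT use more than one authentication method
  // in a request, so the secret is placed in exactly one location.
  switch (method) {
    case "client_secret_basic":
      headers.Authorization = basicCredential(clientId, clientSecret as string);
      break;
    case "client_secret_post":
      form.set("client_secret", clientSecret as string);
      break;
    case "none":
      break;
  }
  return { url: metadata.token_endpoint, headers, body: form.toString() };
}

// Server-side view: decode the header back to the raw client_id and secret.
function parseBasicCredential(header: string): { clientId: string; clientSecret: string } {
  const match = /^Basic\s+([A-Za-z0-9+\/]+=*)$/.exec(header);
  if (match === null) throw new Error("not an HTTP Basic credential");
  const userinfo = atob(match[1]);
  const sep = userinfo.indexOf(":");
  if (sep < 0) throw new Error("malformed Basic credential: no ':' separator");
  return {
    clientId: decodeURIComponent(userinfo.slice(0, sep)),
    clientSecret: decodeURIComponent(userinfo.slice(sep + 1)),
  };
}

// Constructed sample metadata (not real endpoints). The first mirrors the
// servers in the PR description that only list client_secret_basic.
const BASIC_ONLY_METADATA: AuthServerMetadata = {
  token_endpoint: "https://as.example/oauth/token",
  token_endpoint_auth_methods_supported: ["client_secret_basic"],
};
const POST_ONLY_METADATA: AuthServerMetadata = {
  token_endpoint: "https://as.example/oauth/token",
  token_endpoint_auth_methods_supported: ["client_secret_post"],
};
const SAMPLE_PARAMS = { // constructed authorization-code exchange parameters
  grant_type: "authorization_code",
  code: "SplxlOBeZQQYbYS6WxSbIA",
  redirect_uri: "http://localhost:8080/callback",
  code_verifier: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
};

// Running the file directly prints both shapes of request for the same client.
console.log(buildTokenExchangeRequest(BASIC_ONLY_METADATA, "my-client", "s3cr3t:with/odd+chars", SAMPLE_PARAMS));
console.log(buildTokenExchangeRequest(POST_ONLY_METADATA, "my-client", "s3cr3t:with/odd+chars", SAMPLE_PARAMS));
```

The secret in the sample deliberately contains ":", "/" and "+": without the form-urlencoding step, a server splitting the decoded Basic userinfo on the first ":" would read the wrong secret and answer 401, which is the same symptom the PR reports for servers that reject credentials in the body.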

@SightStudio SightStudio force-pushed the feat.support_client_secret_basic branch from 2449771 to 44fcd86 on May 26, 2025 07:22
@SightStudio SightStudio changed the title "feature. Support client_secret_basic in token exchange" to "Support "client_secret_basic" in token exchange" on May 26, 2025
@SightStudio SightStudio force-pushed the feat.support_client_secret_basic branch 3 times, most recently from 1f1fcee to e445e99 on May 26, 2025 07:45
@SightStudio SightStudio force-pushed the feat.support_client_secret_basic branch from e445e99 to 6d60fc1 on May 26, 2025 07:47
@SightStudio SightStudio (Author) commented May 26, 2025

PR #531 is trying to fix a similar issue to mine:

If that one gets merged, or if my changes aren’t needed anymore, feel free to close this PR.
(I kept my fix simple, but their PR seems to handle the problem in a more general way.)
