
feat(auth): implement SEP-2207 OIDC-flavored refresh token guidance #676

Draft
wdawson wants to merge 1 commit into modelcontextprotocol:main from ArcadeAI:wils/sep-2207

Conversation


wdawson commented Feb 21, 2026

Implements SEP-2207 refresh token guidance for the Rust SDK.

  1. Confidentiality: removed debug log that leaked the raw refresh token
  2. Handle missing/invalid refresh tokens: get_access_token() returns AuthorizationRequired when expired without a refresh token (or when refresh fails), instead of attempting a doomed refresh
  3. OIDC claim: appends offline_access to requested scopes when the AS advertises it in scopes_supported, so OIDC-flavored servers issue refresh tokens

No server-side changes needed — the SDK already conforms to server guidance, and register_client() already includes refresh_token in grant_types.

Motivation and Context

OIDC Authorization Servers require the offline_access scope to issue refresh tokens. Without this, MCP clients connecting through OIDC servers get frequent re-authentication. SEP-2207 adds explicit guidance; this PR brings the Rust SDK into conformance.

How Has This Been Tested?

  • 13 new unit tests covering all changed code paths (60 auth tests total, 207 across the crate)

Breaking Changes

None. get_access_token() now returns AuthorizationRequired instead of TokenRefreshFailed on refresh failure, but no caller matches on TokenRefreshFailed. offline_access is only added when the AS explicitly advertises support.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

Spec PR: SEP-2207
Companion PRs: Python SDK #2039 · TypeScript SDK #1523

AI Disclosure: AI assisted with implementation and test authoring. All changes were reviewed and guided by hand.
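The three client-side behaviours the PR body lists (no logging of the raw refresh token, `AuthorizationRequired` when the access token is expired and no refresh is possible, and `offline_access` appended only when the AS advertises it in `scopes_supported`) can be illustrated in a small stand-alone model. The code below is an added example, not the Rust SDK's own code or the PR's diff: every type and function name (`AuthorizationServerMetadata`, `TokenStore`, `AuthError`, `scopes_for_request`, the `RefreshFn` stubs and their constructed token values) is an assumption chosen for the illustration.

```rust
// Added illustration of the SEP-2207 client behaviours described in the PR body.
// NOT the rmcp / Rust SDK implementation; all names here are assumed.
use std::time::{Duration, SystemTime};

/// Subset of authorization server metadata (RFC 8414 / OIDC discovery) used here.
#[derive(Debug, Clone, Default)]
pub struct AuthorizationServerMetadata {
    pub scopes_supported: Option<Vec<String>>,
}

/// Append `offline_access` only when the AS advertises it in `scopes_supported`,
/// and never add it twice. A server that does not advertise it gets the
/// requested scopes unchanged, so non-OIDC servers see no behaviour change.
pub fn scopes_for_request(requested: &[&str], meta: &AuthorizationServerMetadata) -> Vec<String> {
    let mut scopes: Vec<String> = requested.iter().map(|s| s.to_string()).collect();
    let advertised = meta
        .scopes_supported
        .as_deref()
        .map_or(false, |s| s.iter().any(|x| x == "offline_access"));
    if advertised && !scopes.iter().any(|s| s == "offline_access") {
        scopes.push("offline_access".to_string());
    }
    scopes
}

#[derive(Debug, Clone, PartialEq)]
pub struct Tokens {
    pub access_token: String,
    pub refresh_token: Option<String>,
    pub expires_at: SystemTime,
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    /// The caller must run the authorization flow again.
    AuthorizationRequired,
}

/// Refresh is injected as a plain function so the logic runs offline.
pub type RefreshFn = fn(&str) -> Result<Tokens, String>;

pub struct TokenStore {
    tokens: Option<Tokens>,
    refresh: RefreshFn,
}

impl TokenStore {
    pub fn new(tokens: Option<Tokens>, refresh: RefreshFn) -> Self {
        TokenStore { tokens, refresh }
    }

    /// Return a usable access token, or `AuthorizationRequired` when the token
    /// is expired and there is no refresh token, or when the refresh fails.
    /// The refresh token value itself is never written to the log.
    pub fn get_access_token(&mut self, now: SystemTime) -> Result<String, AuthError> {
        let tokens = match &self.tokens {
            Some(t) => t,
            None => return Err(AuthError::AuthorizationRequired),
        };
        if now < tokens.expires_at {
            return Ok(tokens.access_token.clone());
        }
        let refresh_token = match &tokens.refresh_token {
            Some(rt) => rt.clone(),
            None => return Err(AuthError::AuthorizationRequired),
        };
        // Log presence only; the secret must not appear in debug output.
        eprintln!("access token expired; attempting refresh (refresh token present: true)");
        match (self.refresh)(&refresh_token) {
            Ok(new_tokens) => {
                let access = new_tokens.access_token.clone();
                self.tokens = Some(new_tokens);
                Ok(access)
            }
            Err(_) => Err(AuthError::AuthorizationRequired),
        }
    }
}

// Constructed refresh outcomes for the demonstration (assumed, not real AS responses).
pub fn refresh_ok(_rt: &str) -> Result<Tokens, String> {
    Ok(Tokens {
        access_token: "at-new".to_string(),
        refresh_token: Some("rt-new".to_string()),
        expires_at: SystemTime::UNIX_EPOCH + Duration::from_secs(2000),
    })
}

pub fn refresh_fails(_rt: &str) -> Result<Tokens, String> {
    Err("invalid_grant".to_string())
}

fn main() {
    let meta = AuthorizationServerMetadata {
        scopes_supported: Some(vec!["openid".to_string(), "offline_access".to_string()]),
    };
    println!("scopes: {:?}", scopes_for_request(&["openid", "mcp:tools"], &meta));

    let expired = Tokens {
        access_token: "at-old".to_string(),
        refresh_token: None,
        expires_at: SystemTime::UNIX_EPOCH + Duration::from_secs(1000),
    };
    let mut store = TokenStore::new(Some(expired), refresh_ok);
    let now = SystemTime::UNIX_EPOCH + Duration::from_secs(1500);
    println!("no refresh token: {:?}", store.get_access_token(now));
}
```

The design choice worth noting is that `AuthorizationRequired` is the single signal for every case in which the client cannot proceed on its own, which matches the PR's statement that callers no longer need to distinguish a failed refresh from a missing one.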


Labels

T-core Core library changes T-transport Transport layer changes
