fix(oauth): omit resource param on token refresh

[Epochex]

Fixes #2578.

Entra ID v2.0 rejects RFC 8707
esource on refresh token requests, and Pydantic AnyHttpUrl normalizes bare-domain URLs with a trailing slash.

Changes:

• Strip the trailing slash when deriving the RFC8707 resource from PRM metadata.
• Do not include
  esource in
  efresh_token grant requests.

Tests:

• uv run --frozen pytest tests/client/test_auth.py -k get_resource_url_strips_trailing_slash_from_bare_domain_prm
• uv run --frozen pytest tests/client/test_auth.py -k refresh_token_request_omits_resource_even_when_required_by_protocol
• uv run --frozen python -m ruff check src/mcp/client/auth/oauth2.py tests/client/test_auth.py
• uv run --frozen python -m ruff format src/mcp/client/auth/oauth2.py tests/client/test_auth.py

[maxisbey]

Thanks for the PR. Closing in favor of #2590, which was opened first (May 13) and covers the same two fixes — dropping resource from the refresh_token grant and undoing Pydantic's trailing-slash normalization on the PRM resource URL — with equivalent test coverage.

One substantive difference worth noting: this PR strips the slash with .rstrip("/"), which also removes intentional trailing slashes from non-root paths (e.g. https://api.example.com/mcp/ → …/mcp). RFC 9728 requires exact-string identity on the resource identifier, so #2590's narrower approach (only strip when the path is exactly / with no query or fragment) is the safer one.

If you spot anything #2590 misses, a review there would be welcome.

_{AI Disclaimer}

[Epochex]

Thanks, that makes sense. I checked #2590 and it covers both changes; its root-only normalization is the better behavior for exact resource identifiers. I don't see anything from this PR to carry over.