Fix OAuth refresh resource handling #2646

Closed
FU-max-boop wants to merge 1 commit into modelcontextprotocol:main from FU-max-boop:fix/oauth-refresh-resource-param

Conversation

@FU-max-boop

Summary

  • Strip the trailing slash that Pydantic AnyHttpUrl adds to bare-domain protected resource metadata before choosing the RFC 8707 resource URL.
  • Stop sending resource on refresh_token grants while keeping it on authorization-code token exchanges.
  • Add regression coverage for recent protocol versions, PRM-backed requests, and bare-domain PRM resources.

Fixes #2578

Validation

  • uv run pytest tests/client/test_auth.py -q
  • uv run ruff check src/mcp/client/auth/oauth2.py tests/client/test_auth.py
  • uv run ruff format --check src/mcp/client/auth/oauth2.py tests/client/test_auth.py
  • git diff --check

@maxisbey
Contributor

Thanks for the PR. Closing in favor of #2590, which was opened first (May 13) and covers the same two fixes — dropping resource from the refresh_token grant and undoing Pydantic's trailing-slash normalization on the PRM resource URL — with equivalent test coverage.

One substantive difference worth noting: this PR strips the slash with .rstrip("/"), which also removes intentional trailing slashes from non-root paths (e.g. https://api.example.com/mcp/…/mcp). RFC 9728 requires exact-string identity on the resource identifier, so #2590's narrower approach (only strip when the path is exactly / with no query or fragment) is the safer one.

If you spot anything #2590 misses, a review there would be welcome.

AI Disclaimer

@maxisbey maxisbey closed this May 27, 2026
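The two fixes discussed above, the narrow trailing-slash handling maxisbey describes for the PRM resource URL and dropping resource from the refresh_token grant, as an added example. This is not code from this PR, from #2590 or from the MCP Python SDK; it assumes the PRM resource arrives as a string already normalized by the client's URL parser (as Pydantic's AnyHttpUrl does for a bare origin), and the function names, the constructed PRM document and the token-request field layout are hypothetical.

```python
"""Hypothetical helpers illustrating the two fixes discussed in this PR.

Not code from the MCP Python SDK; function names and sample data are
constructed for this example.
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit


def prm_resource_url(raw: str) -> str:
    """Pick the RFC 8707 `resource` value from a PRM `resource` URL string.

    A URL parser such as Pydantic's AnyHttpUrl renders a bare origin with a
    trailing slash ("https://api.example.com" -> "https://api.example.com/").
    Only that case is undone: the path must be exactly "/" with no query or
    fragment. RFC 9728 compares resource identifiers as exact strings, so a
    trailing slash on a non-root path ("https://api.example.com/mcp/") is part
    of the identifier and is kept.
    """
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an http(s) URL: {raw!r}")
    if parts.path == "/" and not parts.query and not parts.fragment and raw.endswith("/"):
        return raw[:-1]
    return raw


def broad_strip(raw: str) -> str:
    """The approach this PR took, kept only for contrast: rstrip("/") also
    removes an intentional trailing slash from a non-root path."""
    return raw.rstrip("/")


def select_resource(prm: Optional[dict], server_url: str) -> str:
    """Choose the resource to bind tokens to.

    Assumption for this example: use the PRM document's `resource` member when
    present, otherwise fall back to the server URL the client connected to.
    """
    if prm and "resource" in prm:
        return prm_resource_url(str(prm["resource"]))
    return prm_resource_url(server_url)


def token_request_body(grant_type: str, resource: str, **fields: str) -> dict[str, str]:
    """Build the form body for the token endpoint.

    `resource` is sent on the authorization-code exchange so the issued token
    is audience-bound, and omitted on refresh_token grants, which is the
    behaviour this PR and #2590 adopt (the linked issue reports Entra ID v2.0
    rejecting it there). The refreshed token keeps the audience it was
    originally issued for.
    """
    body: dict[str, str] = {"grant_type": grant_type, **fields}
    if grant_type == "authorization_code":
        body["resource"] = resource
    return body


# Constructed PRM document, shaped like what a client fetches from
# /.well-known/oauth-protected-resource, after the parser added the slash.
SAMPLE_PRM = {
    "resource": "https://api.example.com/",
    "authorization_servers": ["https://login.example.com"],
}

if __name__ == "__main__":
    resource = select_resource(SAMPLE_PRM, "https://api.example.com/")
    print("resource:", resource)
    print(
        "auth code body:",
        token_request_body(
            "authorization_code", resource,
            code="abc", redirect_uri="http://localhost:3000/cb",
            client_id="cli", code_verifier="v",
        ),
    )
    print("refresh body:", token_request_body("refresh_token", resource, refresh_token="rt", client_id="cli"))
    for u in ("https://api.example.com/", "https://api.example.com/mcp/"):
        print(u, "narrow ->", prm_resource_url(u), "broad ->", broad_strip(u))
```

Running the script shows the two approaches agreeing on the bare-origin case and diverging on https://api.example.com/mcp/, where the broad strip changes the identifier the resource server advertised; the refresh body carries no resource field while the authorization-code body does.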


Development

Linked issue (#2578): OAuth token refresh sends RFC 8707 resource parameter that Entra ID v2.0 rejects (AADSTS9010010)
