refactor: extract OAuth helper functions and simplify provider state

[maxisbey]

Refactors OAuth 2.0 authentication implementation to expose reusable utilities.

Motivation and Context

The OAuth authentication logic was tightly coupled to the httpx auth provider, making it difficult for external tools (like MCP proxies or custom clients) to reuse core OAuth functionality. This refactor extracts the OAuth primitives into standalone utilities that can be used independently.

Key improvements:

• Core OAuth utilities (discovery URL generation, PKCE, token handling) are now accessible without the full auth provider
• Simplified the main OAuth2Auth class by removing internal state management
• Better separation of concerns between protocol logic and HTTP transport

How Has This Been Tested?

Existing test suite updated to reflect new structure. All tests pass.

Breaking Changes

None - this is a pure refactor with no API changes.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

New utilities added:

• client/auth/utils.py: OAuth protocol helpers (discovery URLs, WWW-Authenticate parsing, scope selection, response handlers)
• shared/auth_utils.py: PKCE generation and token expiry calculation

The main OAuth2Auth provider (client/auth/oauth2.py) now delegates to these utilities, reducing from 221 lines to 93 lines of core logic.

[shao-anthropic]

based on the discussion, we’ll want to remove that check from the SDK