Add rfc8707 resource parameter refresh token

[rodrigo1208]

Add RFC 8707 resource parameter support for OAuth token refresh

Summary

Fixes token refresh to include the RFC 8707 resource parameter when connecting to remote OAuth-protected MCP servers. Initial
authentication (authorization + token exchange) already includes the resource parameter, but token refresh was missing it because the
standard golang.org/x/oauth2 library doesn't support custom parameters during refresh.

Problem

Before this PR:
✅ Authorization request: includes resource parameter
✅ Token exchange: includes resource parameter
❌ Token refresh: missing resource parameter

When access tokens expire, the refresh request didn't include the resource parameter, breaking RFC 8707 compliance and causing issues
with authorization servers that require it.

Solution

Implemented resourceTokenSource - a custom oauth2.TokenSource that wraps the standard token source and adds the resource parameter to
refresh requests.

Changes

New: pkg/auth/oauth/resource_token_source.go (118 lines)

• Custom token source that includes resource parameter in refresh requests
• Maintains standard behavior (caching, automatic refresh)

Modified: pkg/auth/oauth/flow.go (+7 lines)

• Uses resourceTokenSource when resource is configured
• Falls back to standard token source when no resource specified

Tests: 23 new tests (600 lines)

• Token refresh includes resource parameter (core functionality)
• RFC 8707 compliance verification
• Error handling and backward compatibility

Example

Before:
POST /oauth/token
grant_type=refresh_token&refresh_token=xyz

After:
POST /oauth/token
grant_type=refresh_token&refresh_token=xyz&resource=https://api.example.com

Testing

✅ All tests pass: task test-all
✅ Linting clean: task lint-fix
✅ Backward compatible: works with or without resource parameter

Files Changed

pkg/auth/oauth/resource_token_source.go | 118 lines (new)
pkg/auth/oauth/resource_token_source_test.go | 600 lines (new)
pkg/auth/oauth/flow.go | 7 lines (modified)
pkg/auth/oauth/flow_test.go | 218 lines (modified)

[jhrozek]

I think this is a nice addition, thank you for the PR! I have some comments, I mostly think the one about ExpiresIn/Expiry is important.

I also wonder if ResourceTokenSource should rather be a reusable component in pkg/oauth rather than pkg/auth/oauth? But that's a nit and the code can be moved whenever

[codecov]

Codecov Report

❌ Patch coverage is 95.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.37%. Comparing base (bc5082f) to head (5d5a883).
⚠️ Report is 32 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/auth/oauth/resource_token_source.go	94.28%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3713      +/-   ##
==========================================
+ Coverage   66.27%   66.37%   +0.10%     
==========================================
  Files         425      428       +3     
  Lines       41647    41846     +199     
==========================================
+ Hits        27600    27775     +175     
- Misses      11938    11956      +18     
- Partials     2109     2115       +6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jhrozek]

looking great, I think we can remove one more piece. Thank you for the quick turnaround!