fix(auth): discover path-appended OAuth metadata

[jstar0]

Fixes #878.

Summary

• add the OAuth path-appended discovery URL for issuers with path components
• keep OAuth authorization-server metadata discovery ahead of OpenID Connect fallback candidates
• add regression coverage for both the candidate ordering and a real client credentials discovery flow

Changes

For a resource URL such as https://example.com/mcp, the direct authorization-server discovery list already included:

• https://example.com/.well-known/oauth-authorization-server/mcp
• https://example.com/.well-known/openid-configuration/mcp
• https://example.com/mcp/.well-known/openid-configuration
• https://example.com/.well-known/oauth-authorization-server

It did not try:

• https://example.com/mcp/.well-known/oauth-authorization-server

This updates the candidate builder to include that OAuth path-appended URL before the OpenID Connect fallback variants. The canonical OAuth fallback remains last.

Verification

cargo test -p rmcp --features auth generate_discovery_urls
cargo test -p rmcp --features auth --test test_client_credentials test_client_credentials_discovers_path_append_oauth_metadata
cargo test -p rmcp --features auth
cargo test --all-features