feat: include granted scopes in OAuth refresh token request

[DaleSeo]

Fixes #624

Motivation and Context

RFC 6749 allows sending a scope parameter with refresh token requests, and some providers, especially Azure AD v2, actually require it. If you don't include it, the refresh might succeed quietly, but it will return a token without any scopes, or the server might reject the request altogether.

This fix keeps the full StoredCredentials, allowing us to add the previously granted scopes to the outgoing refresh request using .add_scope(). This follows the same pattern we already use in the authorization code and client credentials flows. If granted_scopes is empty, we won't send a scope parameter, which maintains the current behavior for providers that don't need it.

rust-sdk/crates/rmcp/src/transport/auth.rs

Line 913 in 5c5a2e7

auth_request = auth_request.add_scope(Scope::new(scope.to_string()));

rust-sdk/crates/rmcp/src/transport/auth.rs

Line 1766 in 5c5a2e7

request = request.add_scope(Scope::new(scope.clone()));

How Has This Been Tested?

Added unit tests

Breaking Changes

None. Providers that don't accept a scope parameter on refresh requests will continue to work as before, since the parameter is only added when scopes were previously granted.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

[alexhancock]

we should #[cfg(test)] this yeah?

[DaleSeo]

This is a private helper inside the #[cfg(test)] mod tests block, so it should be already gated.