`OAuth2Session.request()` does not allow custom auth specific to refresh requests

[kiaradlf]

OAuth2Session.request() now has the refresh request's authentication method reuse its regular auth parameter (not specific to refresh), falling back to HTTP Basic Auth only if the former is missing.

This becomes a problem for e.g. the CommerceTools API, which uses bearer authentication for regular requests, yet basic auth for its refresh process.

c.f. #264, which touches on some issues in this code snippet as well.