
feat(oauth-server): store and enforce token_endpoint_auth_method

Open dulacp opened this issue 1 month ago • 6 comments

Problem

I noticed there was a TODO for storing the token_endpoint_auth_method value. While integrating with Claude.ai's OAuth flow, we discovered that returning client_secret_basic for all clients (regardless of their actual registration) was breaking the authentication flow. Claude.ai strictly validates the auth method returned during client registration, so it was critical for us to return the correct value.

Per RFC 7591 Section 2:

If unspecified or omitted, the default is "client_secret_basic"

For public clients, the default is none since they don't have a client secret.

Solution

Added proper storage and enforcement of token_endpoint_auth_method:

Database Changes

  • Added token_endpoint_auth_method TEXT column (NOT NULL) to oauth_clients table
  • Migration sets default values for existing clients based on their client_type:
    • confidential: client_secret_basic
    • public: none

Behavior

  • New clients get token_endpoint_auth_method persisted during registration
  • Token endpoint validates that the authentication method used matches the registered method
  • Returns the correct token_endpoint_auth_method in client registration responses

dulacp Dec 16 '25 21:12 dulacp
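The check described in the Behavior section, as an added example that is not the project's code and not part of the issue: a token endpoint works out which client-authentication method a request actually used (HTTP Basic, `client_secret` in the form body, or none at all), looks up the method stored at registration, and rejects any mismatch before it even compares secrets. The `default_auth_method` helper mirrors the migration's defaults per `client_type`. All names (`RegisteredClient`, `TokenRequest`, `authenticate`) and the sample clients are assumptions constructed for illustration.

```python
import base64
import hmac
from dataclasses import dataclass, field
from typing import Optional


def default_auth_method(client_type: str) -> str:
    """Default token_endpoint_auth_method when registration omitted it.
    Confidential clients default to client_secret_basic (RFC 7591 section 2);
    public clients have no secret, so they default to none."""
    if client_type == "confidential":
        return "client_secret_basic"
    if client_type == "public":
        return "none"
    raise ValueError(f"unknown client_type: {client_type}")


@dataclass
class RegisteredClient:
    """Row of an oauth_clients-style table (hypothetical shape)."""
    client_id: str
    client_type: str
    client_secret: Optional[str] = None
    token_endpoint_auth_method: Optional[str] = None

    def __post_init__(self) -> None:
        # Same rule the migration applies to existing rows: fill NOT NULL column by client_type.
        if self.token_endpoint_auth_method is None:
            self.token_endpoint_auth_method = default_auth_method(self.client_type)


@dataclass
class TokenRequest:
    """Minimal view of a POST to the token endpoint (hypothetical)."""
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def detect_auth_method(req: TokenRequest):
    """Return (method, client_id, secret) based on how the request presented credentials."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
            return "malformed", "", None
        client_id, _, secret = decoded.partition(":")
        return "client_secret_basic", client_id, secret
    if "client_secret" in req.form:
        return "client_secret_post", req.form.get("client_id", ""), req.form["client_secret"]
    return "none", req.form.get("client_id", ""), None


def authenticate(clients: dict, req: TokenRequest) -> str:
    """Enforce that the method used matches the registered one.
    Returns "ok:<client_id>" on success or "invalid_client:<reason>" otherwise."""
    method, client_id, secret = detect_auth_method(req)
    if method == "malformed":
        return "invalid_client:malformed Basic credentials"
    client = clients.get(client_id)
    if client is None:
        return "invalid_client:unknown client"
    registered = client.token_endpoint_auth_method
    if method != registered:
        # The issue's core rule: a client may only use the method it registered with.
        return f"invalid_client:registered {registered}, request used {method}"
    if method in ("client_secret_basic", "client_secret_post"):
        if client.client_secret is None or not hmac.compare_digest(secret, client.client_secret):
            return "invalid_client:bad client secret"
    return f"ok:{client_id}"


def basic_header(client_id: str, secret: str) -> dict:
    """Build an HTTP Basic Authorization header for a sample request."""
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def sample_clients() -> dict:
    """Constructed sample registrations (not real data)."""
    rows = [
        RegisteredClient("conf-basic", "confidential", "s3cret-basic"),  # defaults to client_secret_basic
        RegisteredClient("conf-post", "confidential", "s3cret-post", "client_secret_post"),
        RegisteredClient("pub-app", "public"),  # defaults to none
    ]
    return {c.client_id: c for c in rows}


if __name__ == "__main__":
    clients = sample_clients()
    print(authenticate(clients, TokenRequest(headers=basic_header("conf-basic", "s3cret-basic"))))
    print(authenticate(clients, TokenRequest(form={"client_id": "conf-basic", "client_secret": "s3cret-basic"})))
    print(authenticate(clients, TokenRequest(form={"client_id": "pub-app"})))
```

The second call in the `__main__` block is the case the issue is about: the secret is correct, but the client registered `client_secret_basic` and sent it as `client_secret_post`, so the request is rejected on method mismatch alone. Checking the method before the secret keeps the response identical for every rejection reason, which avoids leaking whether a guessed secret was right.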