fix: add auth_methods client_secret_basic for refresh token and revok…

[kufd]

I have an authentication provider that only accepts client secrets from the request headers.

Because of this, the refresh token and revoke token requests fail — the Authorization header is missing.

This PR adds the Authorization header with the client credentials to those requests. Additionally, I’ve updated how the header is added in other requests to follow the same approach.

I’d appreciate any feedback and am happy to adjust the PR as needed.

[rajatcing]

cc @elinashoko

[elinashoko]

heya @kufd thank you for your contribution, we'll review as soon as we can!

[kufd]

@muhlemmer Could you please take a look at the PR description? I’ve updated it — I hope it looks better now.