Description
This is a tracking issue for implementation of SEP-1046.
Summary
This SEP adds support for the OAuth client credentials flow to enable machine-to-machine scenarios where an end-user is unavailable for interactive authorization. The specification recommends using asymmetric methods defined in RFC 7523 (JWT Assertions) but also allows client secrets via HTTP Basic authentication for maximum compatibility. This addresses a gap in the current authorization spec which is silent on how to handle non-interactive authorization scenarios.
The Kotlin SDK currently does not provide built-in OAuth or authorization functionality - it focuses on the core MCP protocol. OAuth implementation is typically handled at the application level or through integration with external OAuth libraries. This implementation will require adding support for OAuth client credentials flow, including: utilities for JWT Assertion creation and validation per RFC 7523, support for client secret authentication via HTTP Basic, client-side token acquisition and management, server-side token validation, and integration with the existing SDK architecture. This may be implemented as an optional OAuth extension module for the SDK to maintain separation of concerns between core protocol and authorization mechanisms.
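The two client authentication methods named in the summary, as an added Kotlin example that uses only the JDK. It is not code from the Kotlin SDK or from the SEP; the function names (`clientAssertion`, `jwtTokenRequestBody`, `basicAuthHeader`) are hypothetical, and the client ID, audience URL, key ID, scope and secret are constructed sample values.

```kotlin
import java.net.URLEncoder
import java.security.KeyPairGenerator
import java.security.PrivateKey
import java.security.Signature
import java.time.Instant
import java.util.Base64
import java.util.UUID

private val b64url = Base64.getUrlEncoder().withoutPadding()
private fun enc(s: String) = URLEncoder.encode(s, Charsets.UTF_8)

// Minimal JSON object builder; assumes values contain no characters that need JSON escaping.
fun json(vararg p: Pair<String, Any>) = p.joinToString(",", "{", "}") { (k, v) ->
    if (v is String) "\"$k\":\"$v\"" else "\"$k\":$v"
}

// RFC 7523 client assertion: iss and sub are both the client_id, aud identifies the
// authorization server, exp is short-lived, jti is unique so the server can reject replays.
fun clientAssertion(clientId: String, audience: String, key: PrivateKey, keyId: String): String {
    val now = Instant.now().epochSecond
    val header = json("alg" to "RS256", "typ" to "JWT", "kid" to keyId)
    val claims = json("iss" to clientId, "sub" to clientId, "aud" to audience,
        "iat" to now, "exp" to now + 60, "jti" to UUID.randomUUID().toString())
    val signingInput = b64url.encodeToString(header.toByteArray()) + "." + b64url.encodeToString(claims.toByteArray())
    val sig = Signature.getInstance("SHA256withRSA").run {
        initSign(key); update(signingInput.toByteArray(Charsets.US_ASCII)); sign()
    }
    return signingInput + "." + b64url.encodeToString(sig)
}

// Token request body for the client credentials grant, authenticated with the JWT assertion.
fun jwtTokenRequestBody(assertion: String, scope: String? = null): String = listOfNotNull(
    "grant_type" to "client_credentials",
    "client_assertion_type" to "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    "client_assertion" to assertion,
    scope?.let { "scope" to it },
).joinToString("&") { (k, v) -> "${enc(k)}=${enc(v)}" }

// RFC 6749 section 2.3.1: form-encode id and secret before Base64, so a ':' inside the secret survives.
fun basicAuthHeader(clientId: String, clientSecret: String): String =
    "Basic " + Base64.getEncoder().encodeToString("${enc(clientId)}:${enc(clientSecret)}".toByteArray())

fun main() {
    // Constructed sample values; a real client loads its registered key instead of generating one.
    val key = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
    val jwt = clientAssertion("example-client", "https://auth.example.com", key.private, "key-1")
    println("private_key_jwt body: " + jwtTokenRequestBody(jwt, "mcp:tools"))
    println("Authorization: " + basicAuthHeader("example-client", "s3cr:et/+"))
}
```

With the HTTP Basic variant the request body carries only `grant_type=client_credentials` (plus any scope), and the shared secret travels on every token request, which is why the asymmetric form is the recommended one.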