fix: require client_id for client_secret_post auth method

RFC 6749 §2.3.1 requires both client_id and client_secret in the
request body for client_secret_post. Raise OAuthFlowError when
client_id is missing instead of silently skipping it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: g97iulio1609

src/mcp/client/auth/oauth2.py

@@ -207,8 +207,9 @@ def prepare_token_auth(
             data = {k: v for k, v in data.items() if k != "client_secret"}
         elif auth_method == "client_secret_post" and self.client_info.client_secret:
             # Include client_id and client_secret in request body (RFC 6749 §2.3.1)
-            if self.client_info.client_id is not None:
-                data["client_id"] = self.client_info.client_id
+            if not self.client_info.client_id:
+                raise OAuthFlowError("client_id is required for client_secret_post authentication")
+            data["client_id"] = self.client_info.client_id
             data["client_secret"] = self.client_info.client_secret
         # For auth_method == "none", don't add any client_secret