Added configurable token endpoint auth method selection

The OAuth client currently selects the first token endpoint authentication
method advertised by the authorization server. That can fail when servers
expose multiple supported methods and the caller needs to prefer a different
option based on client type or credentials.

Added TokenEndpointAuthMethodSelector to ClientOAuthOptions and use it in
ClientOAuthProvider when resolving the token endpoint auth method. Preserve
the existing behavior by defaulting to the first advertised method when no
selector is provided.

Author: RobotechUSA

src/ModelContextProtocol.Core/Authentication/ClientOAuthOptions.cs

@@ -63,6 +63,20 @@ public sealed class ClientOAuthOptions
     /// </remarks>
     public AuthorizationRedirectDelegate? AuthorizationRedirectDelegate { get; set; }
 
+    /// <summary>
+    /// Gets or sets the token endpoint authentication method selector function.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// This function is used to select which token endpoint authentication method to use when multiple methods are available.
+    /// If not specified, the first available method will be selected.
+    /// </para>
+    /// <para>
+    /// The function receives a list of supported authentication methods from the authorization server metadata and should return the selected method, or null if no suitable method is found.
+    /// </para>
+    /// </remarks>
+    public Func<IReadOnlyList<string>?, string?>? TokenEndpointAuthMethodSelector { get; set; }
+
     /// <summary>
     /// Gets or sets the authorization server selector function.
     /// </summary>

src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs

@@ -29,6 +29,7 @@ internal sealed partial class ClientOAuthProvider : McpHttpClient
     private readonly Uri _redirectUri;
     private readonly string? _configuredScopes;
     private readonly IDictionary<string, string> _additionalAuthorizationParameters;
+    private readonly Func<IReadOnlyList<string>?, string?> _tokenEndpointAuthMethodSelector;
     private readonly Func<IReadOnlyList<Uri>, Uri?> _authServerSelector;
     private readonly AuthorizationRedirectDelegate _authorizationRedirectDelegate;
     private readonly Uri? _clientMetadataDocumentUri;
@@ -79,6 +80,9 @@ public ClientOAuthProvider(
         _additionalAuthorizationParameters = options.AdditionalAuthorizationParameters;
         _clientMetadataDocumentUri = options.ClientMetadataDocumentUri;
 
+        // Set up token endpoint authentication method selector (use default if not provided)
+        _tokenEndpointAuthMethodSelector = options.TokenEndpointAuthMethodSelector ?? DefaultTokenEndpointAuthMethodSelector;
+
         // Set up authorization server selection strategy
         _authServerSelector = options.AuthServerSelector ?? DefaultAuthServerSelector;
 
@@ -92,6 +96,13 @@ public ClientOAuthProvider(
         _tokenCache = options.TokenCache ?? new InMemoryTokenCache();
     }
 
+    /// <summary>
+    /// Default token endpoint authentication method selector that selects the first supported method from the authorization server metadata.
+    /// </summary>
+    /// <param name="tokenEndpointAuthMethodsSupported">The list of supported token endpoint authentication methods.</param>
+    /// <returns>The selected token endpoint authentication method, or null if none are available.</returns>
+    private static string? DefaultTokenEndpointAuthMethodSelector(IReadOnlyList<string>? tokenEndpointAuthMethodsSupported) => tokenEndpointAuthMethodsSupported?.FirstOrDefault();
+
     /// <summary>
     /// Default authorization server selection strategy that selects the first available server.
     /// </summary>
@@ -306,7 +317,7 @@ await _tokenCache.GetTokensAsync(cancellationToken).ConfigureAwait(false) is { R
         }
 
         // Determine the token endpoint auth method from server metadata if not already set by DCR.
-        _tokenEndpointAuthMethod ??= authServerMetadata.TokenEndpointAuthMethodsSupported?.FirstOrDefault();
+        _tokenEndpointAuthMethod ??= _tokenEndpointAuthMethodSelector(authServerMetadata.TokenEndpointAuthMethodsSupported);
 
         // Store auth server metadata for future refresh operations
         _authServerMetadata = authServerMetadata;