Validate OAuth authorization response issuers per SEP-2468#430

Closed
nbifrye wants to merge 1 commit into modelcontextprotocol:main from nbifrye:sep-2468
Conversation

@nbifrye nbifrye commented Jun 28, 2026

Closes #386

Implement RFC 9207 iss validation for OAuth authorization callbacks. The provider callback remains backward-compatible with [code, state] and may return a URL-form-decoded iss value as a third element.

Per SEP-2468's RFC 9207 local-policy decision, an advertised authorization_response_iss_parameter_supported flag makes iss mandatory, while any returned iss is compared to the validated authorization server metadata issuer before token exchange.

Motivation and Context

SEP-2468 adds MCP guidance for RFC 9207 issuer binding in OAuth authorization responses to mitigate mix-up attacks. This SDK already validates the authorization server metadata issuer per RFC 8414 before redirecting; this change also binds the authorization callback response to that validated issuer before exchanging an authorization code.

The provider callback remains backward-compatible with [code, state] and may return [code, state, iss]. Because the SDK callback contract delegates redirect parsing to the caller, the returned iss is expected to be the URL-form-decoded RFC 9207 query value.

Implementation decisions:

  • A returned iss is always compared to the validated authorization server metadata issuer using simple string comparison, with no URI normalization.
  • Missing iss is rejected only when authorization server metadata advertises authorization_response_iss_parameter_supported: true.
  • When that flag is absent or false, a missing iss preserves existing behavior; a present iss is still compared per SEP-2468's RFC 9207 local-policy decision.

This also adds a self-contained WebMock example that exercises the advertised, unadvertised, missing, and mismatched iss cases without contacting real servers.

Refs #386

How Has This Been Tested?

  • rake test
  • rake rubocop

Breaking Changes

None for authorization servers that do not advertise RFC 9207 authorization response issuer support and do not return iss.

For servers that advertise authorization_response_iss_parameter_supported: true, host applications must pass the callback's decoded iss query value through the provider callback. Missing or mismatched issuers are rejected before token exchange.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

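The decision logic the PR description lays out (exact string comparison of a returned iss against the validated metadata issuer, and rejection of a missing iss only when authorization_response_iss_parameter_supported is true) written out in Ruby as an added example. This is not code from the modelcontextprotocol Ruby SDK or from this PR; the error class, method names, metadata hash shape, and all URLs, codes and state values are assumptions constructed for the example. It also runs the mix-up case that motivates SEP-2468: a flow started against an attacker-controlled authorization server whose callback actually comes from the honest one.

```ruby
require "uri"

# Added example, not code from the modelcontextprotocol Ruby SDK or this PR.
# Policy implemented, following the PR description:
#   - a returned iss is always compared to the validated metadata issuer,
#     by exact string comparison with no URI normalization;
#   - a missing iss is rejected only when the metadata advertises
#     authorization_response_iss_parameter_supported: true.
# The error class, method names, metadata hash shape and every URL, code
# and state value below are assumptions constructed for this example.

class AuthorizationResponseIssuerError < StandardError; end

# Parse the redirect URL the host application received. URI.decode_www_form
# form-decodes each value, so iss comes back as the plain issuer string, the
# form the PR expects the provider callback to return as its third element.
def parse_authorization_callback(redirect_url)
  params = URI.decode_www_form(URI.parse(redirect_url).query.to_s).to_h
  { code: params["code"], state: params["state"], iss: params["iss"] }
end

# Returns :validated when iss was present and matched, :skipped when the
# server does not advertise RFC 9207 support and sent no iss; raises otherwise.
def validate_authorization_response_issuer(metadata, iss)
  expected = metadata.fetch("issuer")
  # Strict boolean test: a "true" string or any other truthy value is not an
  # advertisement of RFC 9207 support.
  iss_required = metadata["authorization_response_iss_parameter_supported"] == true

  if iss.nil?
    return :skipped unless iss_required

    raise AuthorizationResponseIssuerError,
          "server advertises RFC 9207 support but the callback carried no iss"
  end

  # Exact comparison, no normalization: "https://as.example.com" and
  # "https://as.example.com/" are treated as different issuers.
  unless iss == expected
    raise AuthorizationResponseIssuerError,
          "iss #{iss.inspect} does not match validated issuer #{expected.inspect}"
  end

  :validated
end

# Gate run before token exchange. Returns [:ok, code, outcome] when the code
# may be exchanged, or [:rejected, reason] when it must not be.
def check_callback(metadata, redirect_url)
  callback = parse_authorization_callback(redirect_url)
  outcome = validate_authorization_response_issuer(metadata, callback[:iss])
  [:ok, callback[:code], outcome]
rescue AuthorizationResponseIssuerError => e
  [:rejected, e.message]
end

# Constructed metadata and callbacks; no real servers are contacted.
HONEST_METADATA = { "issuer" => "https://as.example.com",
                    "authorization_response_iss_parameter_supported" => true }.freeze
LEGACY_METADATA = { "issuer" => "https://legacy.example.com" }.freeze
ATTACKER_METADATA = { "issuer" => "https://attacker.example",
                      "authorization_response_iss_parameter_supported" => true }.freeze

CALLBACK_FROM_HONEST = "https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA" \
                       "&state=af0ifjsldkj&iss=https%3A%2F%2Fas.example.com"
CALLBACK_WITHOUT_ISS = "https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj"
CALLBACK_WITH_SLASH = "https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA" \
                      "&state=af0ifjsldkj&iss=https%3A%2F%2Fas.example.com%2F"

if $PROGRAM_NAME == __FILE__
  [
    ["advertised, iss matches", HONEST_METADATA, CALLBACK_FROM_HONEST],
    ["advertised, iss missing", HONEST_METADATA, CALLBACK_WITHOUT_ISS],
    ["unadvertised, iss missing", LEGACY_METADATA, CALLBACK_WITHOUT_ISS],
    ["unadvertised, iss present but wrong", LEGACY_METADATA, CALLBACK_FROM_HONEST],
    ["mix-up: flow started at attacker AS", ATTACKER_METADATA, CALLBACK_FROM_HONEST],
    ["trailing slash is not normalized", HONEST_METADATA, CALLBACK_WITH_SLASH]
  ].each { |label, metadata, url| puts "#{label}: #{check_callback(metadata, url).inspect}" }
end
```

The mix-up row is the one worth watching: the client began the flow with ATTACKER_METADATA, so when the honest server's callback arrives carrying iss=https://as.example.com the comparison fails and the code is never sent to the attacker's token endpoint. The state comparison is deliberately left to the caller here, matching the PR's observation that the SDK callback contract delegates redirect parsing to the host application.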
koic commented Jun 28, 2026

Member

As part of the work on the new MCP specification, I've been designing the implementation with both backward compatibility and consistency across SDKs in mind. For this change, I'm going to go with #431 instead, as it preserves compatibility with existing callback implementations in applications. Thanks for the contribution.

@koic koic closed this Jun 28, 2026
Development

Successfully merging this pull request may close these issues.

SEP-2468: Recommend Issuer (iss) Parameter in MCP Auth Responses

2 participants