
auth: improve ClientAuthenticator error messaging#2709

Open
haoxuw wants to merge 2 commits into modelcontextprotocol:main from haoxuw:main

Conversation


@haoxuw haoxuw commented May 28, 2026

Summary

Aligns the ClientAuthenticator with RFC 6749 and RFC 7591 by explicitly preventing confidential clients from bypassing authentication using token_endpoint_auth_method="none".

Note: NO changes to the current behavior; only the error message and code maintainability change.

Closes #1842

Spec Definition:

  • RFC 7591 (Section 2): Defines the "none" method specifically for clients that "do not have a client secret."
  • RFC 6749 (Section 3.2.1): Mandates that the server MUST require authentication for any client issued credentials.

The authenticator now explicitly rejects requests where a client has a registered secret but attempts to use token_endpoint_auth_method="none". This prevents credential
downgrade attacks and clarifies configuration errors.

Changes

  • Logic: Added a check in client_auth.py to raise an AuthenticationError if a secret exists but the "none" method is requested.
  • Messaging: Updated the error to "Require valid auth method, with client secret" for better developer clarity.

Verification

Validated via tests/server/mcpserver/auth/test_auth_integration.py:

  • New Test: test_none_auth_method_fails_for_confidential_client confirms that clients with secrets are rejected when using method "none".
  • Regression: test_none_auth_method_public_client confirms that true public clients (no secret) still authenticate successfully.
  • Result: All 43 integration tests passed.
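The check the PR describes, written out as an added, self-contained illustration (this is not the SDK's client_auth.py and not the author's code). The ClientRecord, ClientAuthenticator and AuthenticationError names, the in-memory registry and the sample registrations are assumptions made for the example; the decision logic is the one the description states (a registered secret makes the client confidential, so "none" is refused), and the scenarios cover the two outcomes the Verification section lists: a confidential client rejected under "none", a true public client accepted.

```python
"""Simplified model of the confidential-client check described in this PR.

Added example, not the MCP SDK's own client_auth.py. Names below are
assumptions; the decision logic follows RFC 6749 s3.2.1 / RFC 7591 s2 as
summarised in the PR description.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import hmac
import time


class AuthenticationError(Exception):
    """Raised when a token-endpoint request cannot be authenticated (assumed name)."""


@dataclass
class ClientRecord:
    """A registered client as a dynamic-registration server would store it (constructed)."""
    client_id: str
    token_endpoint_auth_method: str  # "none" | "client_secret_post" | "client_secret_basic"
    client_secret: Optional[str] = None
    client_secret_expires_at: Optional[int] = None  # unix seconds; None means no expiry


class ClientAuthenticator:
    """Authenticates a token-endpoint request against the registered client record."""

    def __init__(self, clients: Dict[str, ClientRecord]):
        self._clients = clients

    def authenticate(self, client_id: str, presented_secret: Optional[str]) -> ClientRecord:
        client = self._clients.get(client_id)
        if client is None:
            raise AuthenticationError("Invalid client_id")

        method = client.token_endpoint_auth_method
        if method in ("client_secret_post", "client_secret_basic"):
            # Confidential client: a secret must be registered, presented, unexpired and correct.
            if not client.client_secret:
                raise AuthenticationError("Client has no registered secret")
            if not presented_secret:
                raise AuthenticationError("Client secret is required")
            if (client.client_secret_expires_at is not None
                    and time.time() > client.client_secret_expires_at):
                raise AuthenticationError("Client secret has expired")
            # Constant-time comparison so the check does not leak timing information.
            if not hmac.compare_digest(client.client_secret.encode(), presented_secret.encode()):
                raise AuthenticationError("Invalid client_secret")
        elif method == "none":
            # The check this PR adds: a client registered with a secret is confidential
            # and must not be allowed to downgrade to the unauthenticated "none" method.
            if client.client_secret:
                raise AuthenticationError("Require valid auth method, with client secret")
        else:
            raise AuthenticationError(f"Unsupported auth method: {method}")
        return client


# Constructed sample registrations; the secret value is a placeholder, not a real credential.
REGISTRY = {
    "public-cli": ClientRecord("public-cli", "none"),
    "confidential-web": ClientRecord("confidential-web", "client_secret_post",
                                     client_secret="example-secret-placeholder"),
    # Misconfigured record: holds a secret but asks for "none".
    "downgraded": ClientRecord("downgraded", "none", client_secret="example-secret-placeholder"),
}

AUTHENTICATOR = ClientAuthenticator(REGISTRY)


def try_authenticate(client_id: str, secret: Optional[str]) -> str:
    """Return "ok" on success or the error message, so outcomes are easy to tabulate."""
    try:
        AUTHENTICATOR.authenticate(client_id, secret)
        return "ok"
    except AuthenticationError as exc:
        return str(exc)


if __name__ == "__main__":
    scenarios = [
        ("public-cli", None),                             # true public client: accepted
        ("confidential-web", "example-secret-placeholder"),  # correct secret: accepted
        ("confidential-web", None),                       # missing secret: rejected
        ("downgraded", None),                             # secret on file but "none": rejected
    ]
    for cid, secret in scenarios:
        print(f"{cid:18} secret={'yes' if secret else 'no ':3} -> {try_authenticate(cid, secret)}")
```

The "downgraded" record is the case the PR targets: whether or not the caller presents the secret, the registered secret alone classifies the client as confidential, so the "none" branch rejects it with the new message instead of silently treating it as public.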

@haoxuw haoxuw changed the title auth: improve ClientAuthenticator error messaging for confidential cl… auth: improve ClientAuthenticator error messaging May 28, 2026

elif client.token_endpoint_auth_method == "none":
    if client.client_secret:
        raise AuthenticationError("Require valid auth method, with client secret")
Author

@haoxuw haoxuw May 28, 2026


Even without this if client.client_secret check, the current logic would still give AuthenticationError, at L105

No behavior changes



Development

Successfully merging this pull request may close these issues.

ClientAuthenticator ignores token_endpoint_auth_method="none" when client_secret is stored
