auth: support well-known paths at domain root, with prefix path, and with suffix path

[zhaohuabing]

According to the RFC 8414, if the issuer identifier value contains a path component, the well-known URI must include that path as a suffix.
For example, if the issuer identifier is https://example.com/issuer1, then the OAuth 2.0 Authorization Server Metadata URL should be:

https://example.com/.well-known/oauth-authorization-server/issuer1

In practice, however, some implementations diverge from the spec and either:

• place the discovery document directly at the domain root, or
• use a suffixed form of the well-known URI.

This PR updates the agent to try all three variants in the following order, improving interoperability across different authorization server implementations:

1. Suffixed well-known URI (https://example.com/.well-known/oauth-authorization-server/issuer1)
2. Prefixed/custom-path well-known URI (https://example.com/issuer1/.well-known/oauth-authorization-server)
3. Domain root well-known URI (https://example.com/.well-known/oauth-authorization-server)

Implements: #403

Motivation and Context

How Has This Been Tested?

Breaking Changes

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines - not sure about this - happy to make any updates as needed.
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed - not sure about this - happy to make any updates as needed.

Additional context

Caveat: I'm new to Rust development. If this PR is missing something or doesn't follow best practices, please let me know. I'm happy to make any updates.

[jokemanfire]

Thanks, LGTM