feat: validate OAuth authorization response issuer

[michaelneale]

Summary

Implements SEP-2468 issuer (iss) validation for OAuth authorization responses.

• records the expected issuer from authorization server metadata in the persisted PKCE/CSRF authorization state
• validates the optional RFC 9207 iss callback parameter before exchanging the authorization code
• rejects mismatched issuers, and rejects missing iss when the authorization server advertises authorization_response_iss_parameter_supported: true
• adds issuer-aware callback helpers plus redirect URL parsing
• updates the OAuth client example to pass through the callback iss parameter

Closes #876.

Testing

cargo test -p rmcp --lib transport::auth --features auth,client,transport-streamable-http-client-reqwest
cargo check --manifest-path examples/clients/Cargo.toml --example clients_oauth_client --all-features
git diff --check

[jamadeo]

This appears to do the right thing, but I can't find a remote MCP server that's adding iss to the callback to test with. Do you have one @michaelneale ?