fix(python): Use HTTPBasicAuth for refresh_token request #27

Open
sinofseven wants to merge 1 commit into xdevplatform:main from sinofseven:bug/python-oauth2-refresh-token

@sinofseven

Since I'm not good at English, I had AI write the descriptions, etc.


Problem

refresh_token() fails with oauthlib.oauth2.rfc6749.errors.UnauthorizedClientError: (unauthorized_client) Missing valid authorization header.

This is because OAuth2Session.refresh_token() does not automatically construct a Basic Auth header from client_id and client_secret keyword arguments, so the required Authorization header is missing from the token refresh request.

Root Cause

exchange_code() correctly uses HTTPBasicAuth for the token request:

auth = HTTPBasicAuth(self.client_id, self.client_secret)
response = requests.post(..., auth=auth)

However, refresh_token() was passing credentials as keyword arguments instead:

self.token = self.oauth2_session.refresh_token(
    refresh_url, client_id=self.client_id, client_secret=self.client_secret
)

Fix

Pass HTTPBasicAuth via the auth parameter, consistent with exchange_code(). Also raises ValueError explicitly when client_secret is not set, since confidential clients are required for token refresh.

if self.client_secret:
    auth = HTTPBasicAuth(self.client_id, self.client_secret)
else:
    raise ValueError("No client secret")

self.token = self.oauth2_session.refresh_token(
    refresh_url, auth=auth
)
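
An added example, not part of the pull request or the project's code: it builds the refresh request both ways and runs each against a hypothetical token endpoint that accepts only HTTP Basic client authentication, modeled on the error quoted above. The credentials, `mock_token_endpoint` and the other helper names are constructed for illustration, and it assumes the pre-fix keyword arguments end up as form fields in the request body.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample values, not real credentials.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REFRESH_TOKEN = "example-refresh-token"

def basic_header(client_id, client_secret):
    """Authorization value in the form requests' HTTPBasicAuth sends."""
    raw = f"{client_id}:{client_secret}".encode("latin1")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_refresh_request(use_basic_auth):
    """Return (headers, body) for a refresh_token grant in either style."""
    form = {"grant_type": "refresh_token", "refresh_token": REFRESH_TOKEN}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_basic_auth:
        headers["Authorization"] = basic_header(CLIENT_ID, CLIENT_SECRET)
    else:
        # Assumption: keyword-argument credentials travel as form fields.
        form.update(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    return headers, urlencode(form)

def mock_token_endpoint(headers, body):
    """Hypothetical endpoint that only accepts HTTP Basic client auth."""
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not encoded:
        # Credentials in the body are ignored, as in the reported failure.
        return 401, {"error": "unauthorized_client",
                     "error_description": "Missing valid authorization header"}
    try:
        user, _, secret = base64.b64decode(encoded, validate=True).partition(b":")
    except ValueError:
        return 401, {"error": "invalid_client"}
    id_ok = hmac.compare_digest(user, CLIENT_ID.encode())
    secret_ok = hmac.compare_digest(secret, CLIENT_SECRET.encode())
    if not (id_ok and secret_ok):
        return 401, {"error": "invalid_client"}
    if parse_qs(body).get("grant_type") != ["refresh_token"]:
        return 400, {"error": "unsupported_grant_type"}
    return 200, {"token_type": "bearer", "access_token": "constructed-access-token"}

if __name__ == "__main__":
    for style in (False, True):
        status, payload = mock_token_endpoint(*build_refresh_request(style))
        print("basic" if style else "body ", status, payload.get("error", "ok"))
```

With the header style the secret no longer appears in the form body, so it stays out of any request-body logging on the path to the token endpoint.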

@CLAassistant
CLAassistant commented Feb 19, 2026

All committers have signed the CLA.