fix: OAuth2/OIDC standards compliance for HTTP handlers by lakhansamani · Pull Request #499 · authorizerdev/authorizer
Audit and fix HTTP handlers against RFC 6749 (OAuth 2.0), RFC 7636 (PKCE), RFC 7009 (Token Revocation), RFC 6750 (Bearer Token), and OpenID Connect Core/Discovery specs.

Critical bugs fixed:
- Missing return after error in token.go, oauth_callback.go (3 locations)
- Index out of bounds panic in oauth_callback.go state parsing

Token endpoint (RFC 6749):
- Add required token_type:"Bearer" to response
- Fix error codes to standard values (unsupported_grant_type, invalid_client, etc.)
- Return 401 with WWW-Authenticate for Basic Auth client failures
- Make authorization code deletion synchronous to prevent reuse race condition

Revocation endpoint (RFC 7009):
- Return HTTP 200 for invalid tokens (prevents token scanning)
- Accept application/x-www-form-urlencoded (standard) and JSON (backward compat)
- Support standard "token" field name and token_type_hint

UserInfo endpoint (RFC 6750):
- Add WWW-Authenticate: Bearer header on 401 responses
- Use standard error codes (invalid_token, invalid_request)

Discovery endpoint (OIDC Discovery 1.0):
- Ensure RS256 always in id_token_signing_alg_values_supported
- Add grant_types_supported, token_endpoint_auth_methods_supported, code_challenge_methods_supported, revocation_endpoint, end_session_endpoint

Authorize endpoint (RFC 7636):
- Add code_challenge_method parameter support (S256 only)
- Remove non-standard nonce from authorization code response