`OAuth2Session.request()` does not allow custom auth specific to refresh requests

[kiaradlf]

OAuth2Session.request() now has the refresh request's authentication method reuse its regular auth parameter (not specific to refresh), falling back to HTTP Basic Auth only if the former is missing.

This becomes a problem for e.g. the CommerceTools API, which uses bearer authentication for regular requests, yet basic auth for its refresh process.

c.f. #264, which touches on some issues in this code snippet as well.

[pursual]

Same. There is a chunk of code trying to do basic auth for refresh, but it looks for client id and secret in the params of the current request() call. No idea why anyone would pass them in to every request.

in request():

           except TokenExpiredError:
                if self.auto_refresh_url:
                    log.debug(
                        "Auto refresh is set, attempting to refresh at %s.",
                        self.auto_refresh_url,
                    )

                    # We mustn't pass auth twice.
                    auth = kwargs.pop("auth", None)
                    if client_id and client_secret and (auth is None):
                        log.debug(
                            'Encoding client_id "%s" with client_secret as Basic auth credentials.',
                            client_id,
                        )
                        auth = requests.auth.HTTPBasicAuth(client_id, client_secret)
                    token = self.refresh_token(
                        self.auto_refresh_url, auth=auth, **kwargs
                    )