fix(auth): omit scope from OAuth2 token requests

- Stop setting scope on the shared create_oauth2_session helper
- Drops scope from both token exchange and refresh requests
- Neither needs scope (RFC 6749 4.1.3, 6); some providers reject it
- Auth URL construction in auth_handler.py keeps scope, unchanged
- Add body-level tests asserting refresh and exchange omit scope

Merge https://github.com/google/adk-python/pull/5874

Change-Id: I78e7e1e69076afcc13460b7965ca05cae734814e