Commit 5e2c2ec3 authored by Emanuele Aina

README: Point out some subtleties around client auth methods

With commit ad28b94f "Validate client_id and client_secret values"
the mediator started paying attention to client authentication.

Since our integration test cargo-culted some configuration parameter
straight from the GitLab configuration examples the mediator ended up
implementing what the OpenID-Connect spec calls the `client_secret_post`
authentication method, see
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication



Unfortunately, the spec also says that the actual default is
`client_secret_basic`, so any real world usage is bound to fail unless
some specific configuration is applied.

To minimize confusion, let's drop the cargo-culted option from the
example and add a note pointing to the spec and to the upstream
GitLab documentation, while still keeping the `client_secret_post` usage
in the GitLab integration test to exercise the codepath.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
parent ad28b94f
Pipeline #736486 canceled
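
The mismatch described in the commit message, as an added example (not code from this commit or from the mediator project): a client building a token request with either method, and a token endpoint that only accepts the methods it is configured for. All function names and the sample client registration are hypothetical and constructed for illustration.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

# Constructed sample registration (client_id -> client_secret), not from the page.
SAMPLE_CLIENTS = {"gitlab": "s3cr:t/+ x"}

def build_token_request(method, client_id, client_secret, code):
    """Client side: return (headers, body) for an authorization-code token request."""
    form = {"grant_type": "authorization_code", "code": code}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-urlencode id and secret, then HTTP Basic.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif method == "client_secret_post":
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError(f"unsupported method: {method}")
    return headers, urlencode(form)

def extract_client_credentials(headers, body):
    """Server side: return (method, client_id, client_secret), or None if unusable."""
    form = parse_qs(body)
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        if "client_secret" in form:
            return None  # a request must not use more than one method
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
        except ValueError:  # covers bad base64 and bad UTF-8
            return None
        cid, sep, secret = decoded.partition(":")
        if not sep:
            return None
        return "client_secret_basic", unquote_plus(cid), unquote_plus(secret)
    if "client_id" in form and "client_secret" in form:
        return "client_secret_post", form["client_id"][0], form["client_secret"][0]
    return None

def authenticate(headers, body, registered, allowed_methods):
    """Accept only credentials presented with an allowed method; constant-time compare."""
    creds = extract_client_credentials(headers, body)
    if creds is None or creds[0] not in allowed_methods:
        return False
    _, cid, secret = creds
    expected = registered.get(cid)
    return expected is not None and hmac.compare_digest(secret.encode(), expected.encode())
```

With `allowed_methods={"client_secret_post"}`, a client using the spec default `client_secret_basic` is rejected even though its secret is correct, which is the failure the commit message warns about.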