README: Point out some subtleties around client auth methods

With commit ad28b94f "Validate client_id and client_secret values" the mediator started paying attention to client authentication.

Since our integration test cargo-culted some configuration parameter straight from the GitLab configuration examples the mediator ended up implementing what the OpenID-Connect spec calls the client_secret_post authentication method, see https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

Unfortunately, the spec also says that the actual default is client_secret_basic, so any real world usage is bound to fail unless some specific configuration is applied.

To minimize confusion, let's drop the cargo-culted option from the example and add a note pointing to the spec and to the upstream GitLab documentation, while still keeping the client_secret_post usage in the GitLab integration test to exercise the codepath.

Task: https://phabricator.apertis.org/T10554

README.md

@@ -120,7 +120,6 @@ GITLAB_OMNIBUS_CONFIG: |
                 'scope' => ['openid', 'profile', 'email'],
                 'response_type' => 'code',
                 'issuer' => 'http://${oidc-provider}:${oidc-provider-port:-5556}/dex',
-                'client_auth_method' => 'query',
                 'discovery' => false, # GitLab discovery expects HTTPS
                 'uid_field' => 'preferred_username',
                 'client_options' => {
@@ -137,6 +136,21 @@ GITLAB_OMNIBUS_CONFIG: |
     ]
 ```
 
+Note that for the [OpenID-Connect spec](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
+`basic` is the default client auth method if no different mechanism is
+configured at the client registration time.
+
+Quoting the [GitLab documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html):
+
+> - `client_auth_method` (optional) specifies the method used for authenticating
+>   the client with the OpenID Connect provider.
+>   - Supported values are:
+>     - `basic` - HTTP Basic Authentication.
+>     - `jwt_bearer` - JWT-based authentication (private key and client secret signing).
+>     - `mtls` - Mutual TLS or X.509 certificate validation.
+>     - Any other value posts the client ID and secret in the request body.
+>   - If not specified, this value defaults to `basic`.
+
 Remember to open `80` port and [create API token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#create-a-personal-access-token-programmatically) for later use by the AuthZ mediator.
 
 ### AuthZ mediator