Self-audit: our usage pattern is not vulnerable to CVE-2020-26244

CVE-2020-26244 does not yet have detail info, but its fix on another library is available here
CZ-NIC/pyoidc@62f8d75

More background info is available here:
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

Author: rayluo

oauth2cli/oidc.py

@@ -60,7 +60,7 @@ def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None)
             err = "3. The aud (audience) Claim must contain this client's client_id."
     # Per specs:
     # 6. If the ID Token is received via direct communication between
-    # the Client and the Token Endpoint (which it is in this flow),
+    # the Client and the Token Endpoint (which it is during _obtain_token()),
     # the TLS server validation MAY be used to validate the issuer
     # in place of checking the token signature.
     if _now > decoded["exp"]: