Dont include client secret in URL

[dendle]

Authenticate using HTTP BASIC auth instead

Xamarin.Auth Pull Request

Fixes #261 (At least for people using identity server 4)

Checklist

• [ ] I have included examples or tests - Cannot find a test project covering this
• [ ] I have updated the change log - cannot find a changelog file
• [ ] I am listed in the CONTRIBUTORS file - cannot find CONTRIBUTORS file
• [ ] I have cleaned up the commit history (use rebase and squash)

Changes proposed in this pull request:

• In code flow, when exchanging the code for a token at the token endoint, correctly authenticate to the IdP using HTTP BASIC auth, and do not send the client_secret as plaintext in the URL. (Follows RFC)

[dendle]

Here's the relevant RFC section that this fix implements: https://tools.ietf.org/html/rfc6749#section-4.1.3