Feedback from review of remote app authentication design

[mjrousos]

• Update docs to cover best practices regarding verification of the back-end (ASP.NET app). It is strongly recommended that HTTPS be used in production scenarios to verify that the identity responses are coming from a trusted source.
• Consider updating the security key used for remote app auth to have requirements like being a 128-bit hex string or being a guid or something like that so that it's harder for users to accidentally use weak keys.