Perhaps JWTAuth, DeveloperTokenAuth should not be subclasses of OAuth2

[jmoldow]

JWTAuth is currently a subclass of OAuth2. For some of the low-level architecture this makes sense, but for other functionalities this doesn't make sense. get_authorization_url, authenticate, and _get_state_csrf_token have no meaning on JWTAuth.

This is also the case for DeveloperTokenAuth.

Normally this wouldn't be worth fixing, since it is a backwards-incompatable change to branch the class hierarchy. However, since we are preparing a major version bump, perhaps we should go ahead and do this.