When using RemoteOAuth2Mixin, all /token calls are delegated to another process or server. Thus:

• The client_id and client_secret shouldn't be required. In fact, they perhaps shouldn't even be allowed to be passed. Clients that need to do remote auth should be discouraged from having any of their credentials hard-coded, especially since they aren't even needed.
• store_tokens should perhaps be disallowed. Since the tokens are owned by the remote process, it should be in control of where its tokens go. If a client needs to restart, it should get its tokens from the remote process/server, not from its own token store.
• box_device_id and box_device_name are useless if we're not making /token calls.
• refresh_token should never be available to the client, so it shouldn't be possible to pass this.

Also, since the remote process/server owns the tokens, we should possibly disable revoke(). If we do that, then:

• We definitely don't need client_id and client_secret anymore, since they would never be used.
• For the same reason, we also don't need network_layer anymore.
• We might not need refresh_lock anymore. Presumably, the remote server can handle its own locking, without the clients needing to coordinate.

revoke could be made to pass (DeveloperTokenAuth does this) or raise, and the unneeded constructor arguments can be passed as None to the super-class, so that TypeError is raised if a user tries passing any of them.

Alternatively, factor this into #173, and create a common base-class that doesn't have any of these functionalities.

This would be a breaking change, so consider this for 2.0.0.