oauth2: clarify comment about tokenRefresher's thread safety

Change-Id: I9a3faedb8faf7701be7c82c7fff964b56d7c96c8
Reviewed-on: https://go-review.googlesource.com/4116
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

oauth2.go

@@ -250,6 +250,10 @@ type tokenRefresher struct {
 	refreshToken string
 }
 
+// WARNING: Token is not safe for concurrent access, as it
+// updates the tokenRefresher's refreshToken field.
+// Within this package, it is used by reuseTokenSource which
+// synchronizes calls to this method with its own mutex.
 func (tf *tokenRefresher) Token() (*Token, error) {
 	if tf.refreshToken == "" {
 		return nil, errors.New("oauth2: token expired and refresh token is not set")
@@ -263,9 +267,7 @@ func (tf *tokenRefresher) Token() (*Token, error) {
 	if err != nil {
 		return nil, err
 	}
-	if tk.RefreshToken != tf.refreshToken {
+	if tf.refreshToken != tk.RefreshToken {
-		// possible race condition avoided because tokenRefresher
-		// should be protected by reuseTokenSource.mu
 		tf.refreshToken = tk.RefreshToken
 	}
 	return tk, err