(I have reviewed this with zero knowledge of OAuth, so additional review probably would be good)

Major issues:

2.4 "Clients MUST compare the extracted and URL-decoded value to the issuer identifier of the authorization server where the authorization request was sent to."

I'm not sure that "URL-decoded" is correct with respect to decoding query parameters. Consider URLs containing "+" or "=". You probably need the encoding rules for application/x-www-form-urlencoded instead.

Minor issues:

References to registries should not be listed as normative.

Nits:

Section links to external documents do not appear to be marked up as such (and use a trailing dot in the section number, which they should not).

There are no Acks, so section 6 should be deleted (if there were acks, they should go into an unnumbered section at the end of the document).
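As an added illustration of the decoding point raised in the review (example code, not part of the review or of the draft): the same authorization response query string yields different "iss" values depending on whether the client applies application/x-www-form-urlencoded rules or plain percent-decoding, so the issuer comparison can pass or fail on the decoding rule alone. The issuer identifier and redirect URLs below are constructed for the example.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit


def extract_iss_form(redirect_url: str) -> Optional[str]:
    """Extract 'iss' with application/x-www-form-urlencoded rules (parse_qs):
    '+' decodes to a space and %XX escapes are decoded. An absent or
    duplicated parameter is rejected rather than guessed at."""
    query = urlsplit(redirect_url).query
    values = parse_qs(query, keep_blank_values=True).get("iss", [])
    return values[0] if len(values) == 1 else None


def extract_iss_percent_only(redirect_url: str) -> Optional[str]:
    """One reading of 'URL-decoded': plain percent-decoding, where a literal
    '+' stays '+'. Used here only to show the divergence from form rules."""
    for pair in urlsplit(redirect_url).query.split("&"):
        name, _, value = pair.partition("=")  # an '=' inside the value is kept
        if name == "iss":
            return unquote(value)
    return None


def iss_matches(redirect_url: str, expected_issuer: str) -> bool:
    """Exact comparison of the form-decoded 'iss' against the issuer the
    authorization request was sent to (the check the draft prescribes)."""
    iss = extract_iss_form(redirect_url)
    return iss is not None and iss == expected_issuer


# Constructed issuer identifier containing both characters the review names.
EXPECTED_ISSUER = "https://as.example/v1+beta?tenant=a"

# Constructed response where the AS form-encodes fully: '+' -> %2B, '=' -> %3D.
STRICT = ("https://client.example/cb?code=abc"
          "&iss=https%3A%2F%2Fas.example%2Fv1%2Bbeta%3Ftenant%3Da&state=xyz")

# Constructed response where the AS leaves '+' and '=' literal in the value.
LOOSE = ("https://client.example/cb?code=abc"
         "&iss=https%3A%2F%2Fas.example%2Fv1+beta%3Ftenant=a&state=xyz")

if __name__ == "__main__":
    for label, url in (("strict", STRICT), ("loose", LOOSE)):
        print(label, "form:", extract_iss_form(url),
              "| percent-only:", extract_iss_percent_only(url),
              "| match:", iss_matches(url, EXPECTED_ISSUER))
```

On the strict encoding both decoders agree and the check passes; on the loose encoding the form decoder turns "+" into a space, so the same response is rejected while percent-only decoding would have accepted it.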