What scopes should the client ask for, and why? (E.g., least-privilege rationale.) What should the mechanism be for asking for scopes for specific protected resources?
What permissions should the RS request on behalf of the client, and why?
pat_grant_types_supported: My proposal was to remove it. Any further discussion?
claim_token_profiles_supported: My proposal was to keep this profiling mechanism, but clean it up and provide two actual profiles or at least credible examples, say, for OIDC ID tokens and SAML assertions. Discussion?
uma_profiles_supported: My proposal was to keep this profiling mechanism, but figure out seriously if the extensibility profiles are doing the right job, and include credible examples of extensions and not just extensibility profiles. Discussion?
Is step-up auth, the way it was conceived in UMA1, hunky-dory according to the claims collection mechanism in UMA2?
Is the (client) registration endpoint's name correct according to the naming pattern used in UMA, and also OAuth and OIDC?