Hi folks-- Please take a look at the latest comment in this issue, which highlights what started as an editorial issue but discovered a (potentially minor) decision point around how the client pushes claims to the AS's token endpoint.

Because we've gone from UMA1's custom RPT endpoint which takes JSON payloads to UMA2's regular OAuth token endpoint which takes form-urlencoded payloads, our carried-over spec text talking about a JSON-formatted claim_tokens structure -- combined with an old example -- needed an update.

The proposal: An update that changes the actual structure of claim pushing slightly, so that:

• It's a truly native and streamlined form-urlencoded format.
  
• The client pushes a single claim token (say, one ID token) and can't push a bunch of them.