To read relevant links and commentary, please see these two OAuth and OpenID Connect email threads:

https://mailarchive.ietf.org/arch/msg/oauth/JIVxFBGsJBVtm7ljwJhPUm3Fr-w
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20160104/005911.html

If anyone thinks we need to add something beyond our current security considerations, it would be good to open a new issue and propose a severity level.

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl