This is the Security Directorate review for draft-ietf-oauth-rfc7523bis. The authors know what this kind of thing is. The Security ADs should treat this as any other last-call comments. Not surprisingly, I found the document pretty clear. I had to read a bunch of OAuth RFCs to catch the context, as I'm mostly ignorant about it. The only issue I found was that there is no discussion of backward compatibility other than Section 3, where it's kinda weakly stated. The identifier isn't changing, so at least a statement that it is backward compatible would be helpful, I think.