Hi Brian,
I'd definitely be happy to get the nonce and client considerations changes
in, and I'm happy to propose more text tweaks if there's still any
ambiguity there. Those were some of my largest concerns as a potential
server or client implementer of this spec.
With respect to # PR Fully
It might be interesting to point out that there is actually an OAuth token
exchange paradigm that already exists. It could be valuable, if for some
reason it doesn't support what you are trying to do, to either piecemeal
add RFCs for additional claims or update the RFC to include additional use
