It is probably worth pointing out on this thread that there is a brand new draft (not yet on the working group) attempting to combine extensions and the best practices of OAuth (including these security practices) into a new "2.1" version.

https://tools.ietf.org/html/draft-parecki-oauth-v2-1-02