Draft 10

@aaronpk released this 09 Jan 23:46
· 37 commits to main since this release
  • Clarify that the client id is an opaque string
  • Extensions may define additional error codes on a resource request
  • Improved formatting for error field definitions
  • Moved and expanded "scope" definition to introduction section
  • Split access token section into structure and request
  • Renamed b64token to token68 for consistency with RFC7235
  • Restored content from old appendix B about application/x-www-form-urlencoded
  • Clarified that clients must not parse access tokens
  • Expanded text around when redirect_uri parameter is required in the authorization request
  • Changed "permissions" to "privileges" in refresh token section for consistency
  • Consolidated authorization code flow security considerations
  • Clarified authorization code reuse - an authorization code can only obtain an access token once