This draft was previously reviewed by Steve Kent for the -27 version. My review therefore mostly consists of checking that the changes recommended have been made and that no new issues have arisen. Note that contrary to the data in the tracker, I was not given the assignment in 2019.

If you decide that you want to use OAUTH for authorization security for Internet of Things, this is a reasonable approach to take. This is not a simple proposition or for the fainthearted. OAuth is built around the various constraints of the browser world to which the constraints of being a constrained device are added.

The issues raised by Steve have all been addressed as far as I can see. It looks good to go but since it is a security spec, ADs should still take note.