...

The Authorization Server must respond with an HTTP 400 (Bad Request) on an authentication or authorization error, and the response must include an error status as defined in the original OAuth spec, section 5.2 (Error Response).

Security

1. The Authentication Information Endpoint may be part of an existing API.

2. The Authorization Server must provide a Scope that provides an Identity Assertion to the Client with only the elements from 2.

3. The Authorization Server must provide a way during registration for Clients to register the following:

   a. require_auth_time (True/False): whether the Authentication Time claim (auth_time) in the id_token is REQUIRED.

   b. default_max_age (Maximum Authentication Age, in seconds): specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds. The max_age request parameter overrides this default value. If omitted, no default Maximum Authentication Age is specified.

   c. A grant_type of refresh_token is prohibited in this profile. (This was in the GSA profile, but I can't think of a good reason to prohibit it.)
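The registration parameters in item 3 only matter if the Client actually enforces them when it validates an id_token. The following is an added example (not code from this profile or from any Authorization Server implementation) showing the checks a Relying Party applies: auth_time must be present when the Client registered require_auth_time, and the age of the authentication must not exceed the effective Maximum Authentication Age, where a max_age request parameter overrides the registered default_max_age. The ClientRegistration class, the validate_auth_time function and the sample claims are assumptions constructed for this example.

```python
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical record of what the Client registered with the Authorization Server.
# Field names mirror the registration metadata named in the profile text above.
@dataclass
class ClientRegistration:
    require_auth_time: bool = False        # auth_time claim in the id_token is REQUIRED
    default_max_age: Optional[int] = None  # Maximum Authentication Age in seconds, or None


def effective_max_age(reg: ClientRegistration, request_max_age: Optional[int]) -> Optional[int]:
    """The max_age request parameter overrides the registered default_max_age.
    If neither is present, no Maximum Authentication Age applies."""
    return request_max_age if request_max_age is not None else reg.default_max_age


def validate_auth_time(id_token_claims: dict,
                       reg: ClientRegistration,
                       request_max_age: Optional[int] = None,
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for the auth_time rules a Relying Party applies.

    - auth_time must be present if the Client registered require_auth_time, or if
      a Maximum Authentication Age applies (without auth_time the age cannot be checked).
    - when a Maximum Authentication Age applies, the time elapsed since auth_time
      must not exceed it; otherwise the End-User must be actively re-authenticated.
    The other id_token checks (signature, iss, aud, exp, nonce) are out of scope here.
    """
    now = time.time() if now is None else now
    max_age = effective_max_age(reg, request_max_age)
    auth_time = id_token_claims.get("auth_time")

    if auth_time is None:
        if reg.require_auth_time or max_age is not None:
            return False, "auth_time claim missing but required"
        return True, "auth_time not required"

    # Reject non-numeric values rather than letting a comparison raise or coerce.
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return False, "auth_time is not a numeric timestamp"

    elapsed = now - auth_time
    if elapsed < 0:
        return False, "auth_time lies in the future"
    if max_age is not None and elapsed > max_age:
        return False, (f"authentication is {int(elapsed)}s old, exceeds max_age={max_age}s; "
                       "End-User must be actively re-authenticated")
    return True, "auth_time acceptable"


if __name__ == "__main__":
    # Constructed sample: the Client registered default_max_age=300 and the
    # id_token says the End-User authenticated 400 seconds before 'now'.
    reg = ClientRegistration(require_auth_time=True, default_max_age=300)
    sample_claims = {"sub": "example-user", "auth_time": 1_700_000_000}
    now = 1_700_000_400

    print(validate_auth_time(sample_claims, reg, now=now))                     # rejected: 400s > 300s
    print(validate_auth_time(sample_claims, reg, request_max_age=600, now=now))  # accepted: request override
    print(validate_auth_time({"sub": "example-user"}, reg, now=now))            # rejected: auth_time missing
```

Passing `now` explicitly keeps the function deterministic and testable; in production the caller leaves it unset and the wall clock is used. Note that a stale auth_time is not an error the Relying Party can fix locally: the correct reaction is to send the End-User back to the Authorization Server to authenticate again.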