changes after changes from one morning in Bangkok #14

@bc-pi

Thanks for doing this @selfissued! I'm "approving" because it's a major step forward. I created issues #12 and #13 based on things @arndt-s noted (and personal opinion too!). Also had these notes while reviewing, which we can follow up on after "landing" this PR:

  • the Abstract and intro could use some updates/clarifications based on the more targeted scope
  • I think we could/should update existing registry entries to add this doc as an additional reference so folks that might come from there will more easily find it
  • not sure an update from https://saml-sp.example.net/ to https://authz.example.net/ in the SAML is needed.
  • not sure an update to the whole SAML 2.0 Assertion example is needed
  • Using JWTs for Client Authentication - the example is replaced - I'm not sure what changed to be honest and if we're gonna update/replace it, maybe we should fill it out then rather than the [...omitted...]?
  • "MUST be a JSON string, and not a single-valued JSON array" is noted in "aud w/ a single-valued JSON array is semantically equivalent to a JSON string" #12
  • "client-authentication+jwt another more specific explicit type value defined by a" looks like a typo missing word, "or"
  • example claims set {}'s could be rationalized
  • "sub":"mailto:[email protected]" in the client auth example is maybe misleading/confusing - let's revisit the details here

Originally posted by @bc-pi in #10 (review)
