OPSDIR Review : 5.2.1 URL Referencing the Request Object - 'that is' => 'that are'

The Client stores the Request Object resource either locally or remotely at a URL the Authorization Server can access. The URL MUST be HTTPS URL. This URL is the Request Object URI, "request_uri".

It is possible for the Request Object to include values that is to be [O] values that is [P] values that are [R] grammar

revealed only to the Authorization Server. As such, the "request_uri" MUST have appropriate entropy for its lifetime. It is RECOMMENDED that it be removed if it is known that it will not be used again or after a reasonable timeout unless access control measures are taken.