Issue #172 resolved
Payments are interesting from an OAuth perspective and there are many mistakes that implementers may make, for example:
- Executing the payment immediately after user authorisation rather than waiting for the RP to exchange the auth code for a token and hit a "confirm" or "complete" endpoint
- Using a scope value to represent a staged payment resource, but not adequately protecting that scope value
I suggest that we add some guidance around these issues.
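The two mistakes listed above, sketched from the defensive side as an added example (not part of the original issue or of any specification text). It assumes an in-memory server, a hypothetical `payment:<id>` scope format, hypothetical method names, and client authentication that has already happened elsewhere. The user's authorisation only records consent, and the payment executes solely at the confirm step, with a token bound to that payment and client.

```python
import secrets

class PaymentError(Exception):
    pass

class PaymentServer:
    """Toy authorization server plus payment API; every name here is hypothetical."""

    def __init__(self):
        self.payments = {}  # payment_id -> {"client", "amount", "state"}
        self.codes = {}     # authorization code -> payment_id (single use)
        self.tokens = {}    # access token -> payment_id

    def stage(self, client_id, amount):
        # Unguessable id, because it later travels in the scope value "payment:<id>".
        pid = secrets.token_urlsafe(32)
        self.payments[pid] = {"client": client_id, "amount": amount, "state": "staged"}
        return pid

    def authorise(self, client_id, scope):
        # Runs once the user approves. The scope must name a payment that this
        # same client staged; a scope value lifted by another client is rejected.
        prefix, _, pid = scope.partition(":")
        p = self.payments.get(pid)
        if prefix != "payment" or p is None or p["client"] != client_id or p["state"] != "staged":
            raise PaymentError("scope does not name a payment staged by this client")
        p["state"] = "authorised"  # consent recorded; no money moves here
        code = secrets.token_urlsafe(32)
        self.codes[code] = pid
        return code

    def exchange(self, client_id, code):
        pid = self.codes.pop(code, None)  # pop makes the code single use
        if pid is None or self.payments[pid]["client"] != client_id:
            raise PaymentError("invalid code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = pid
        return token

    def confirm(self, client_id, token, pid):
        # The only place a payment executes: token, payment and client must match.
        p = self.payments.get(pid)
        if p is None or self.tokens.get(token) != pid or p["client"] != client_id:
            raise PaymentError("token is not bound to this payment")
        if p["state"] != "authorised":
            raise PaymentError("payment is not awaiting confirmation")
        p["state"] = "executed"
        return p["amount"]
```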