The read-only spec section 6.2.1 says a resource server "shall identify the associated user to the access token;". But what if the subject isn't a user? What if this particular request is from a legitimate non-human subject, such as a client application making a B2B call? It is perfectly valid for API security regimes to use 2-legged schemes to access financial APIs. Is this simply considered out of scope?
Issue #81 resolved