We should add some kind of verbiage similar to RFC 9470 Section 9 regarding authentication/sessions.
We should probably add some recommendation about the lifetime of the jag token to the effect of that the token should only live as long as necessary to exchange. This is reinforced by the idea that an oauth id-token refresh token can be used to get an unexpired id token to exchange for another id jag.
6