ietf-wg-gnap / gnap-core-protocol


Checks needed to defeat user collaborative attacks are unfortunately out of the scope of the document #290

Closed Denisthemalice closed 2 years ago

Denisthemalice commented 3 years ago

On page 11, in step (7) the text states:

“the RS determines if the token is sufficient for the request by examining the token. The means of the RS determining this access are out of scope of this specification”.

This means that checks that would be able to defeat a user collaborative attack are out of the scope of the document. The controls able to defeat such an attack mandate the presence of one or more attributes chosen by the client into an access token.

If such attributes cannot be incorporated into an access token, the inability to defeat user collaborative attacks should be advertised in the security considerations section.