Prohibition of using OAuth for user authentication

[ritou]

Despite the specification explicitly stating "This is an Authorization Framework" as of OAuth 2.0, some Authorization Server/Resource Server and many Client developers have been using this for the purpose of user authentication. In order to avoid the occurrence of vulnerabilities and the lack of interoperability, I hope to include the following sentences:

• Clients should not (or must not) implement user authentication functionality using this framework.
• If an Authorization server wants to provide user authentication functionality to a Client, it should refer to the expanded OIDC specification for that purpose.

[aaronpk]

This paragraph is new in OAuth 2.1 which clarifies the details https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-12.html#section-1-7