It might help to remind the reader here that extensions to the core spec might specify or further specialize circumstances in which the errors mentioned here are returned (for example, see the validation errors in the JWT AT profile). There’s a mention of that in §7.3.1 but that’s pretty far, and having even brief language here might be handy for people reading the spec for reference rather than cover to cover.
tlodderstedt
commented
3 years ago
Section 5.2
from Vittorio: