#kbs the one practical thought that strikes me is that underneath all this is still just two things, which is proving that a user foo is really foo, and that client-app-bar is really client-app-bar - things that are to some extent "put-under-the-rug" by the authorization endpoint