I could have sworn I have seen this in the past, but I am not sure exactly where. Thinking about it, it probably would have been part of OIDC and not directly addressed by OAuth... maybe someone can find it for me, or maybe I misspoke when I said it was part of the spec.
I've checked the 2.0 Security BCP, the 2.1 draft and OIDC, and none of them seemed to cover that. Perhaps it could be in an ongoing discussion on the mailing list of 2.1? I only checked their GitHub issues and found nothing relevant.