I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

The summary of the review is the document has issues.

1.  (Editorial) What is the relationship between this document and RFC 7523.  They are using JWT for different purposes, but I think it would be useful to clarify this in the introduction.  

2.  (Issue) The specification does not specify any mandatory to implement for the recommended asymmetric algorithms.  This will not help interop.  Perhaps specify one or both of  "RS256" and "ES256". 

3. (Question) Is it currently possible to use the JWT access token in a mode other than a bearer token?  For example is there a way to bind the JWT to a verifiable key or identifier.  If there is, there should be some discussion of this in the security considerations.  If not, do the authors know if there is any work planned in this area?

4. Genart review pointed out a nit that should be fixed.