My understanding is that the matching rules are Authorization Server
specific, and clients using a specific server must play by those
rules. If that's the case, maybe the spec should make it explicit.
As a side question, why not require strict equality when matching,
clients can always use wrap_client_state?
Marius