- Not defined outside of http protocol (isn’t meant to be used outside https protocol)
- Not an authentication protocol
- Doesn’t define a mechanism for user to user delegation
- Doesn’t define authorization processing mechanism
- Doesn’t define a token format (token content is opaque to the client application)
- Defines no cryptographic methods
- Not a single protocol (split in to multiple definitions and flows)