OAuth2 has proven to be a broadly successful tool for authorizing access to web resources from a variety of browser and non-browser web clients. With such wide applicability came an incredibly broad set of security scenarios that OAuth2 needed to cover. It is testimony to the working group that this was achievable while maintaining the simplicity of the original OAuth specification.
The contents of this specification originally formed the security considerations for RFC 6749, but after some good working group discussion the working group decided to break the considerations in two parts: RFC6749 would contain considerations of interest to implementers, while the Threat Model would be of broader interest to deployers. That document is now published as RFC 6819.
I and my fellow co-editors would like to thank the members of the working group and the extended IETF community for their efforts in capturing this valuable knowledge.