%% You should probably cite draft-ietf-oauth-mix-up-mitigation instead of this I-D.
@techreport{jones-oauth-mix-up-mitigation-00,
    number =    {draft-jones-oauth-mix-up-mitigation-00},
    type =      {Internet-Draft},
    institution =   {Internet Engineering Task Force},
    publisher = {Internet Engineering Task Force},
    note =      {Work in Progress},
    url =       {https://datatracker.ietf.org/doc/draft-jones-oauth-mix-up-mitigation/00/},
    author =    {Michael B. Jones},
    title =     {{OAuth 2.0 Mix-Up Mitigation}},
    pagetotal = 15,
    year =      2016,
    month =     jan,
    day =       11,
    abstract =  {This specification defines an extension to The OAuth 2.0 Authorization Framework that enables an authorization server to provide a client using it with a consistent set of metadata about itself. This information is returned in the authorization response. It can be used by the client to prevent classes of attacks in which the client might otherwise be tricked into using inconsistent sets of metadata from multiple authorization servers, including potentially using a token endpoint that does not belong to the same authorization server as the authorization endpoint used. Recent research publications refer to these as "IdP Mix-Up" and "Malicious Endpoint" attacks.},
}