Since its publication in RFC 6749 and RFC 6750, OAuth 2.0 has gained massive traction in the market.
It became the standard for API protection, and its use has expanded to more use cases and environments than originally considered or anticipated, including the financial industry, health care, e-commerce, and e-government. It also became the foundation for OpenID Connect, which is now the most popular authentication protocol for modern applications.
These environments need more security features than originally specified in OAuth. That’s the reason both the IETF (BCPs) and the OpenID Foundation (FAPI) started working on a number of documents that update the original specs and threat models and give more prescriptive guidance. The discussion during the creation of those documents led to the conclusion that OAuth itself needs updates to provide a better security baseline for the things to come.