I think, you might be wrong here. The RFC you mentioned is a specific one for ... defines a protocol for an HTTP- and JSON-based Security Token Service (STS) and not OIDC/OAuth which do not require this claim to be present in the token. OIDC defines a list of standard claims in https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims and OAuth don’t even require access token to be in JWT format