Allow device flow access tokens to be bound to the identity of the device and not the user that activated it.
The functionality would mean that the access token does not reference a user identity but to a device identity. Probably leveraging a different
**sub** claim on the access token, referencing a device identifier.
This would cover the scenario when the user is only in charge of activating the device, but the device is not owned by the user, the device is owned by a different entity (an organization).
The device has its own identity, it does not impersonate the user activating it. We need to identify what device is making the request.
We then will need to link that device identity to an organization to access the organization resources.
If the user that activated the device is removed or revoked from accessing the system, the device must remain connected.
A similar use case was described in a different topic OAuth Device Flow with tokens bound to the device itself - #7 by konrad.sopala