data-interoperability-panel
Address Issuer restriction in data grants, plus RO Client constraints
We had a very interesting talk with @matthieubosquet during the AuthZ panel meeting.
While I was pointing out that, as long as the End-user chooses the Issuer (OP), they have control over Client identifiers, he brought to my attention that ACP allows constraining the Issuer by the RO, which in turn can enforce the RO's Client restrictions.
I believe that the Data Grant can address that scenario, and actually we would take advantage of it to communicate that restriction to the End-user.
- If the Resource Owner restricts the Issuer, the Client (application) the End-user operates needs to know that they need an ID Token from that OP. The Data Grant seems like the perfect place to provide this prior knowledge to the Client.
- If the Resource Owner also restricts the Client (only enforceable if they also restrict the Issuer), the Authorization Agent of the End-user would use that information from the source Data Grant on the consent screen. This way the End-user would not try to grant access to clients not allowed by the Resource Owner. Last but not least, based on the Data Grant the End-user would know which clients they need to use to access that data. The Authorization Agent could take care of informing the End-user that they have access to data that requires specific clients, show which of those clients they have already created an Application Registration for, and if none, let them select one and create an Application Registration for it.
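The consent-screen logic sketched in the two points above, as an added example that is not code from the panel, the SAI specification or the ACP proposal. The `allowed_issuers` and `allowed_clients` fields on the Data Grant are hypothetical: the interop vocabulary has no such terms, they stand in for whatever predicate would carry the RO's restriction. The grant, issuer URLs and Application Registrations are constructed sample data.

```python
"""Authorization Agent view of a Data Grant that carries Issuer / Client
restrictions. Added illustration; the restriction fields are assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DataGrant:
    """Source Data Grant from the Resource Owner (RO) to the End-user.

    allowed_issuers / allowed_clients are hypothetical fields for this example;
    an empty set means "not restricted".
    """
    data_owner: str
    registered_shape_tree: str
    allowed_issuers: frozenset[str] = frozenset()
    allowed_clients: frozenset[str] = frozenset()


@dataclass(frozen=True)
class ApplicationRegistration:
    """An Application Registration the End-user's Authorization Agent created."""
    client_id: str


def client_restriction_enforceable(grant: DataGrant) -> bool:
    # A Client restriction can only be enforced when the Issuer is restricted
    # too: with a free choice of OP, the End-user controls which client_id the
    # ID Token asserts, so a client-only restriction is merely advisory.
    return not grant.allowed_clients or bool(grant.allowed_issuers)


def issuer_allowed(grant: DataGrant, issuer: str) -> bool:
    return not grant.allowed_issuers or issuer in grant.allowed_issuers


def client_allowed(grant: DataGrant, client_id: str) -> bool:
    return not grant.allowed_clients or client_id in grant.allowed_clients


def consent_view(grant: DataGrant, issuer: str,
                 registrations: list[ApplicationRegistration]) -> dict:
    """What the Authorization Agent can tell the End-user from the grant alone.

    `issuer` is the OP the End-user intends to obtain the ID Token from.
    Returns the OPs the RO requires, whether the chosen OP is accepted, the
    already-registered clients that may access the data, and the allowed
    clients for which no Application Registration exists yet (so the agent can
    offer to create one).
    """
    registered = [r.client_id for r in registrations]
    usable = ([c for c in registered if client_allowed(grant, c)]
              if issuer_allowed(grant, issuer) else [])
    missing = sorted(c for c in grant.allowed_clients if c not in registered)
    return {
        "required_issuers": sorted(grant.allowed_issuers),
        "issuer_accepted": issuer_allowed(grant, issuer),
        "usable_clients": usable,
        "missing_clients": missing,
        "client_restriction_enforceable": client_restriction_enforceable(grant),
    }


# Constructed sample data (not from the panel discussion).
GRANT = DataGrant(
    data_owner="https://alice.example/#id",
    registered_shape_tree="https://shapetrees.example/projects#tree",
    allowed_issuers=frozenset({"https://op.example"}),
    allowed_clients=frozenset({"https://app-a.example/id",
                               "https://app-b.example/id"}),
)
REGISTRATIONS = [
    ApplicationRegistration("https://app-a.example/id"),
    ApplicationRegistration("https://other.example/id"),
]


if __name__ == "__main__":
    for op in ("https://op.example", "https://another-op.example"):
        print(op, consent_view(GRANT, op, REGISTRATIONS))
```

With the sample grant, the agent would show app-a as usable, offer to create an Application Registration for app-b, and hide other.example; if the End-user's OP is not op.example it would report that an ID Token from op.example is required before any client can be granted access.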