Security: Add optional client_id attribute to OAuth2

[hfhbd]

If you use a 3rd party OAuth2 provider (like Google, Facebook, Microsoft), it is quite common to require the token needs to be created by your OAuth2 client, because your OAuth2 client requires specific scopes/permissions.

AFAIK it is not possible to specify the client_id in oauth-flow-object, is it?

Use-case: We don't want to implement the redirecting flows in our api provider but require the api consumer to proactively fetch an token first (using Resource Owner Password Flow with required mTLS) but this requires passing the client_id.