Description
PR #1194 adds support for the OAuth 2.0 Device Authorization Grant for client authentication (token granting). However, it does not include datastore-level authorization checks (e.g., authz::ClientAuthentication, etc.) because the current data model does not make that easy (e.g., non-primary-key lookup, etc.). That data model should also be adjusted so that client authentication records can be short-lived, which may (or may not) involve making user_code the primary key; there are various trade-offs involved in that decision that should be carefully weighed.
The datastore-level authorization currently implemented for console sessions and global images shares some common concerns with this issue, and it might be worth refactoring those together with this.
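To make the trade-off in the issue concrete, here is an added example (written for this page, not omicron's code) of a device-authorization record store keyed by `user_code`, with short-lived records and a datastore-level check that the polling client owns the record before a token is granted. The types, function names and the `now: u64` clock are all hypothetical; the point is to show which lookup becomes the primary-key lookup and which one becomes the secondary lookup once `user_code` is the key.

```rust
use std::collections::HashMap;

/// One device-authorization record (hypothetical shape, not omicron's model).
#[derive(Debug, Clone, PartialEq)]
pub struct DeviceAuthRecord {
    pub user_code: String,
    pub device_code: String,
    pub client_id: String,
    /// Absolute expiry in seconds; these records are short-lived by design.
    pub expires_at: u64,
    /// Set once a signed-in user confirms the user_code in a browser.
    pub verified_by: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum DeviceAuthError {
    NotFound,
    Expired,
    CodeInUse,
    Pending,
    Unauthorized,
}

/// In-memory stand-in for the datastore, keyed by user_code.
#[derive(Default)]
pub struct DeviceAuthStore {
    records: HashMap<String, DeviceAuthRecord>,
}

impl DeviceAuthStore {
    /// With user_code as the primary key, uniqueness only has to hold among
    /// live records, so expired ones must be dropped before a code is reused.
    fn purge_expired(&mut self, now: u64) {
        self.records.retain(|_, r| r.expires_at > now);
    }

    /// Device step: a new user_code/device_code pair is issued to a client.
    pub fn start(&mut self, rec: DeviceAuthRecord, now: u64) -> Result<(), DeviceAuthError> {
        self.purge_expired(now);
        if rec.expires_at <= now {
            return Err(DeviceAuthError::Expired);
        }
        if self.records.contains_key(&rec.user_code) {
            return Err(DeviceAuthError::CodeInUse);
        }
        self.records.insert(rec.user_code.clone(), rec);
        Ok(())
    }

    /// Browser step: a signed-in user types the user_code. Primary-key lookup.
    pub fn verify(&mut self, user_code: &str, user_id: &str, now: u64) -> Result<(), DeviceAuthError> {
        let rec = self.records.get_mut(user_code).ok_or(DeviceAuthError::NotFound)?;
        if rec.expires_at <= now {
            return Err(DeviceAuthError::Expired);
        }
        rec.verified_by = Some(user_id.to_string());
        Ok(())
    }

    /// Client poll: the device presents device_code + client_id. This is the
    /// non-primary-key lookup (a scan here; a secondary index in a real store).
    /// The authz check is that the record belongs to the polling client.
    /// On success the record is consumed and the user to mint a token for is returned.
    pub fn poll(&mut self, client_id: &str, device_code: &str, now: u64) -> Result<String, DeviceAuthError> {
        let key = self
            .records
            .values()
            .find(|r| r.device_code == device_code)
            .map(|r| r.user_code.clone())
            .ok_or(DeviceAuthError::NotFound)?;
        let (expires_at, owner, verified_by) = {
            let rec = &self.records[&key];
            (rec.expires_at, rec.client_id.clone(), rec.verified_by.clone())
        };
        if expires_at <= now {
            self.records.remove(&key);
            return Err(DeviceAuthError::Expired);
        }
        if owner != client_id {
            return Err(DeviceAuthError::Unauthorized);
        }
        match verified_by {
            None => Err(DeviceAuthError::Pending),
            Some(user) => {
                self.records.remove(&key); // single use: the grant is spent
                Ok(user)
            }
        }
    }
}
```

Note that `device_code` is a bearer secret handed to the client, so in a real datastore the poll lookup would go through an index on it rather than a scan, and the successful poll would be the point at which the token row is written; the example stops at returning the verified user.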