Add "owner" to AuthorizationCredential

[llorllale]

We're recently dones some changes:

• Renamed ConsentCredential -> AuthorizationCredential (ref: Should use authorization terminology adapter#188).
• Renamed userDID -> subjectDID (ref: PR feat: AuthorizationCredential Context #20 (comment)).

The first change moves us in the more direction of authorization to a generic resource, not just simply authenticating the user. The second change furthers this by distinguishing the resource owner from the subject of the resource.

We're missing a way to express who authorized this access. We should add an ownerDID claim.

ownerDID != subjectDID when the resource is NOT a set of claims about the party that authorized access. Eg. Acme Bank authorizes IRS access to credit card statements about Eve.

[troyronda]

Which term from UMA do you feel is closest to the above?

[llorllale]

@troyronda UMA defines the term "resource owner":

resource owner
An OAuth resource owner that is the "user" in User-Managed Access. This is typically an end-user (a natural person) but it can also be a corporation or other legal person.

We could use "resourceOwner", but I'd be fine with "owner" as well.