Using Authorization Code Flow, how can a token be issued for the user's Organization/Employer, not for the user

Assume we’re implementing “Make me Rich Bank”'s systems using Keycloak for IAM.

Using Authorization Code Flow out-of-the-box, offline tokens get issued to clients on behalf of the user that is logged in.

That is fine if, e.g., Alice as a private person wants to allow some imaginary “Cool Financial Services” app to access her bank accounts.

But if John is employed at, then when John causes offline tokens to be issued to clients, they should be on behalf of the organization and not on behalf of the person John (who could leave the and be replaced by another human). The trust is between “Cool Financial Services” and John is just the person that is authorized to approve the Consent. Here is a screenshot of what that looks like in Azure:

How would I do that with Keycloak?

I’m not even sure how to represent It isn’t a user, because will never log in directly; only employees of will ever log in. But (I think) tokens, and therefore offline tokens as well, are issued to users, right? (At least the offline tokens I’ve seen are issued to users.) Does that mean that should be a user? It has a smell…

Has any of you done anything like this? How?

Since I’ve gotten no answers here, I’ve asked a more detailed, SPI-focused question on Stack Overflow.