OAuth device code grant – JWT

I am looking at implementing an API Gateway for a system using WS02 as the IdP. Users will be signing in using OAuth via federated SSO with social providers (initially Google). The users will also need to pass access to a device with limited input, so I was looking to implement the OAuth device_code grant (WS02 is the only open source IdP that supports this grant, as far as I can see, please correct me if you know I am wrong). This will pass a JWT to the device which it should be able to use to access the API Gateway.

  1. Is it acceptable for a JWT to be used by a device in this way? I have been reading that using ‘opaque tokens’ is preferable but I don’t know how these could be assigned to a device using open standards. What are the risks of this approach and how can they be mitigated?
  2. The JWT would pass from ‘client device’ -> ‘API Gateway’ -> ‘service’. Is this delegation accpetable – is the Gateway impersonating the client?
  3. There will also be some JavaScript (React) web apps to use in browser, could these use the JWT also? Again what are the risks and how could they be mitigated?