...
Finally, the app is able to sign assertions using the private key associated with it's public key, using the JWT Bearer Grant Type (urn:ietf:params:oauth:grant-type:jwt-bearer). If the app has done it's part to bind the private key to the device, the app is able to safely request persistent API access. Since the dynamic client ID is associated with a specific authorization event, the app can use it's own client ID as the "sub" parameter rather than providing a user specific value.
A Critical Analysis of Refresh Token Rotation in Single-page Applications
...