As described in client-to-server-interactions
…
clients posting Activities to an actor’s outbox
…
The request MUST be authenticated with the credentials of the user to whom the outbox belongs
This is how I interpret it: Each actor has exactly one identity (user) on the OAuth server. It follows that an activity to the outbox of a group, organization,… can only ever be sent by one user (from the point of view of the OAuth server). Then certain actors should actually have the owner property?
Unfortunately, it makes no sense to me why there should only be one user in an organization who can send activities. This would mean that the people in an organization would have to share an OAuth server account. Everybody uses the same username/password.
Am I misunderstanding something?