IAM admins should be able to suspend clients

[maarten-litmaath]

IAM admins should be able to suspend clients:

• that are suspicious in some way, or
• that have unknown owners (cf. #595, #652), or
• that are misbehaving (cf. #386), or
• for some other reason.

If nobody complains about a particular client being suspended, it probably can be manually deleted as part of a cleanup operation.

[garaimanoj]

If a client is suspended then which operations, done by the client, do we need to stop? For example,

• New action token request
• Invalid refresh token issued by the client

Is there anything else we need to take care of?

[federicaagostini]

Our conclusion after last IAM community meeting was that:

• in case of suspended client, new access tokens cannot be issued anymore
• RT may be still valid, but one cannot use the RT flow to get tokens.

If there is a security leak, we think the client should be deleted (with the consequence of all AT/RT being deleted as well). Likely, the reason for disabling a client could be a temporary misbehavior, and we can leave the RT valid for instance to not force a user to set up oidc-agent again once the client will be re-enabled -- also, we do not see the difference between removing and disabling a client, otherwise.

What do you @giacomini and @maarten-litmaath think about it?

[giacomini]

Should we also record the date of the suspension and show it in the dashboard and/or make it available in a search?

[maarten-litmaath]

It would be good to have the date shown indeed. What about who did it?

[federicaagostini]

PR #747

[enricovianello]

This is an example of the new Disable Client button inside Client Edit page:

The confirmation dialog:

How the client is shown into client list: