Closed by maarten-litmaath 4 months ago
If a client is suspended, which operations performed by the client do we need to stop? For example,
Is there anything else we need to take care of?
Our conclusion after the last IAM community meeting was that:
If there is a security leak, we think the client should be deleted (with the consequence that all ATs/RTs are deleted as well). Likely, the reason for disabling a client could be a temporary misbehavior, and we can leave the RTs valid, for instance so as not to force a user to set up oidc-agent again once the client is re-enabled; otherwise, we do not see the difference between removing and disabling a client.
What do you @giacomini and @maarten-litmaath think about it?
Should we also record the date of the suspension and show it in the dashboard and/or make it available in a search?
It would be good to have the date shown indeed. What about who did it?
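The following is an added example, not IAM's own code and not part of this thread: a small Python model of the semantics discussed above, covering both the suspend-vs-delete distinction and the request to record the suspension date and the admin who did it. Suspending stops the token endpoint (new grants and refresh-token exchange) but keeps the stored refresh tokens, so re-enabling makes them usable again without re-registering oidc-agent; deleting removes the client and every AT/RT issued to it. Two details are assumptions of the example rather than decisions from the thread: a suspended client gets the standard `invalid_client` error (indistinguishable from an unknown client), and introspection reports its existing tokens as inactive while it is suspended.

```python
"""Model of client suspension vs. deletion for an OAuth 2.0 authorization
server. Added example, not INDIGO IAM code. Assumptions not taken from the
thread: suspended clients get 'invalid_client' at the token endpoint, and
introspection reports their tokens as inactive until they are re-enabled."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple
import secrets


class TokenEndpointError(Exception):
    """Carries an RFC 6749 error code such as 'invalid_client' or 'invalid_grant'."""


@dataclass
class Token:
    value: str
    client_id: str
    kind: str  # "access" or "refresh"


@dataclass
class Client:
    client_id: str
    client_secret: str
    active: bool = True
    status_changed_on: Optional[datetime] = None  # date shown in the dashboard
    status_changed_by: Optional[str] = None       # admin who suspended / re-enabled


class AuthorizationServer:
    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}
        self.tokens: Dict[str, Token] = {}

    # ---- admin operations on clients -------------------------------------
    def register_client(self, client_id: str, client_secret: str) -> Client:
        self.clients[client_id] = Client(client_id, client_secret)
        return self.clients[client_id]

    def _set_status(self, client_id: str, active: bool, admin: str) -> None:
        client = self.clients[client_id]
        client.active = active
        client.status_changed_on = datetime.now(timezone.utc)
        client.status_changed_by = admin

    def suspend_client(self, client_id: str, admin: str) -> None:
        """Temporary misbehaviour: stop token issuance, keep stored tokens."""
        self._set_status(client_id, False, admin)

    def reenable_client(self, client_id: str, admin: str) -> None:
        self._set_status(client_id, True, admin)

    def delete_client(self, client_id: str) -> int:
        """Security leak: remove the client and cascade to all its ATs/RTs."""
        del self.clients[client_id]
        doomed = [v for v, t in self.tokens.items() if t.client_id == client_id]
        for v in doomed:
            del self.tokens[v]
        return len(doomed)

    # ---- token endpoint ----------------------------------------------------
    def _authenticate(self, client_id: str, client_secret: str) -> Client:
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client.client_secret, client_secret):
            raise TokenEndpointError("invalid_client")
        if not client.active:
            # Same error as for an unknown client, so the response does not
            # reveal whether a suspended client still exists (assumption).
            raise TokenEndpointError("invalid_client")
        return client

    def _mint(self, client: Client, kind: str) -> Token:
        token = Token(secrets.token_urlsafe(16), client.client_id, kind)
        self.tokens[token.value] = token
        return token

    def authorization_grant(self, client_id: str, client_secret: str) -> Tuple[Token, Token]:
        """Stand-in for a user-delegated grant: returns (access, refresh)."""
        client = self._authenticate(client_id, client_secret)
        return self._mint(client, "access"), self._mint(client, "refresh")

    def refresh_token_grant(self, client_id: str, client_secret: str, refresh_token: str) -> Token:
        client = self._authenticate(client_id, client_secret)
        token = self.tokens.get(refresh_token)
        if token is None or token.kind != "refresh" or token.client_id != client.client_id:
            raise TokenEndpointError("invalid_grant")
        return self._mint(client, "access")

    # ---- introspection (RFC 7662 shape) -------------------------------------
    def introspect(self, token_value: str) -> dict:
        token = self.tokens.get(token_value)
        client = self.clients.get(token.client_id) if token else None
        if token is None or client is None or not client.active:
            return {"active": False}
        return {"active": True, "client_id": token.client_id, "token_type": token.kind}


def run_scenario() -> dict:
    """Walk one client through suspend -> re-enable -> delete; return what was observed."""
    srv = AuthorizationServer()
    srv.register_client("oidc-agent-client", "s3cret")  # constructed sample client
    at, rt = srv.authorization_grant("oidc-agent-client", "s3cret")
    out = {"at_active_before": srv.introspect(at.value)["active"]}

    srv.suspend_client("oidc-agent-client", admin="admin@example.org")
    out["at_active_while_suspended"] = srv.introspect(at.value)["active"]
    try:
        srv.refresh_token_grant("oidc-agent-client", "s3cret", rt.value)
        out["refresh_while_suspended"] = "ok"
    except TokenEndpointError as err:
        out["refresh_while_suspended"] = str(err)
    out["suspended_by"] = srv.clients["oidc-agent-client"].status_changed_by

    srv.reenable_client("oidc-agent-client", admin="admin@example.org")
    new_at = srv.refresh_token_grant("oidc-agent-client", "s3cret", rt.value)  # same RT still works
    out["refresh_after_reenable"] = srv.introspect(new_at.value)["active"]

    out["tokens_deleted"] = srv.delete_client("oidc-agent-client")  # at, rt, new_at
    out["rt_after_delete"] = srv.introspect(rt.value)["active"]
    return out
```

The point of keeping `suspend_client` and `delete_client` separate is visible in `run_scenario()`: after re-enabling, the original refresh token is exchanged successfully, which is exactly the oidc-agent case from the meeting conclusion, whereas after deletion the same token is gone.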
PR #747
This is an example of the new Disable Client button in the Client Edit page:
The confirmation dialog:
How the client is shown in the client list:
IAM admins should be able to suspend clients:
If nobody complains about a particular client being suspended, it probably can be manually deleted as part of a cleanup operation.