Is your feature request related to a problem? Please describe.
The plugin can be used to issue a refreshable token to a user even if refreshable tokens are supposed to be disabled in Access settings (via token.allow-refreshable: false), thereby circumventing security of the system. This is of particular concern for Artifactory instances not using SCIM.
Describe the solution you'd like
Make allowRefreshable an admin-level setting in the plugin, to align with the Artifactory Access YAML setting. If false, users should not be able to be issued refreshable tokens via the plugin.
Describe alternatives you've considered
I've also raised a support ticket with JFrog seeking clarity on whether admin should be prevented from creating a refreshable token if the Access YAML prevents it. It's possible this should be considered a bug in Artifactory.
Additional context
N/A