OAuth2 client list service is maybe ambiguous #579

Open
margaretha opened this issue Apr 3, 2023 · 3 comments

Comments

@margaretha
Contributor

The parameter authorized_only in the OAuth2 Client list service is possibly ambiguous.

Only OAuth2 clients registered by a user are listed when authorized_only=false (default).

When authorized_only=true, Kustvakt does not really filter the user-registered clients, but lists all authorized clients, including those not registered by the user himself.

Kustvakt should probably include all authorized clients when authorized_only=false. We need to show which clients are owned by / have been registered by the users.

Maybe registered_by should be removed from the response for data security because it would show usernames of other users.

@hebasta

hebasta commented Apr 3, 2023

registered_by:
I agree that it is a data security sensitive subject. On the other side it might be helpful information for some users, for example, if you want to install only clients of a certain institution, etc.
All in all we probably should delete it, but keep that in mind.

@margaretha
Contributor Author

registered_by has been omitted as also discussed in #572.

@margaretha
Contributor Author

We agreed to keep the existing behavior of the web-service, and deprecate the parameter authorized_only. It should then be removed from the system in the next versions.

Another more appropriate parameter filter_by should be introduced with two possible string values, authorized_only or owned_only. The parameter is optional; when it is not set, the service should list all clients. But as long as authorized_only exists, it has a higher priority, so the web-service will behave according to the value of authorized_only.
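The filter semantics agreed in the thread above, worked through as an added example; this is illustration code written for this page, not Kustvakt's implementation. The data model (an `OAuth2Client` with `client_id`, `registered_by` and a set of `authorized_users`), the function `list_clients` and the `owned` flag in the response are assumptions made for the example; the precedence of the deprecated `authorized_only` over `filter_by` and the omission of `registered_by` from the response follow the comments.

```python
"""Added example of the OAuth2 client-list filter semantics discussed in this issue.
Not Kustvakt code: data model and function names are assumptions for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class OAuth2Client:
    client_id: str
    registered_by: str                 # owner; never returned to callers (see #572)
    authorized_users: frozenset = field(default_factory=frozenset)


# Constructed sample data: two owners, overlapping authorizations.
CLIENTS = [
    OAuth2Client("app-a", "alice", frozenset({"alice", "bob"})),
    OAuth2Client("app-b", "alice", frozenset()),
    OAuth2Client("app-c", "carol", frozenset({"bob"})),
    OAuth2Client("app-d", "carol", frozenset({"alice"})),
]


def _owned(clients, user):
    return [c for c in clients if c.registered_by == user]


def _authorized(clients, user):
    return [c for c in clients if user in c.authorized_users]


def list_clients(clients, user, authorized_only=None, filter_by=None):
    """Return the client list visible to `user`.

    Deprecated `authorized_only` keeps priority whenever it is given:
      False -> clients registered by the user (legacy default)
      True  -> every client the user has authorized, regardless of owner
    Otherwise `filter_by` decides:
      "owned_only"      -> clients registered by the user
      "authorized_only" -> clients the user has authorized
      None              -> all clients the user owns or has authorized
    """
    if authorized_only is not None:
        selected = _authorized(clients, user) if authorized_only else _owned(clients, user)
    elif filter_by == "owned_only":
        selected = _owned(clients, user)
    elif filter_by == "authorized_only":
        selected = _authorized(clients, user)
    elif filter_by is None:
        seen, selected = set(), []
        for c in _owned(clients, user) + _authorized(clients, user):
            if c.client_id not in seen:          # de-duplicate owned-and-authorized clients
                seen.add(c.client_id)
                selected.append(c)
    else:
        raise ValueError(f"unknown filter_by value: {filter_by!r}")

    # registered_by is dropped from the response on purpose: it would expose
    # usernames of other users. An `owned` flag (assumed here) still tells the
    # caller which entries they registered themselves.
    return [{"client_id": c.client_id, "owned": c.registered_by == user} for c in selected]


if __name__ == "__main__":
    for kwargs in ({}, {"filter_by": "owned_only"}, {"filter_by": "authorized_only"},
                   {"authorized_only": True, "filter_by": "owned_only"}):
        print(kwargs, "->", [c["client_id"] for c in list_clients(CLIENTS, "alice", **kwargs)])
```

Calling with both parameters shows the transitional rule: `authorized_only=True` wins over `filter_by="owned_only"`, so the caller gets the authorized list, which is what keeps existing clients of the web-service unaffected until the old parameter is removed.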
