From 9451f09724f89a99e5287581940e9408e0a41ce9 Mon Sep 17 00:00:00 2001
From: Manoj Garai <manoj.garai@stfc.ac.uk>
Date: Mon, 26 Feb 2024 16:21:27 +0000
Subject: [PATCH 01/12] Add ability to disable client

* Add API and service methods to change client status
* Add new columns for client status
* Set status as active for new client
* Add suspended label next to client name
* Add column status_changed_by to client_details
* Make client suspension details available to client owner
---
 .../find/DefaultFindAccountService.java       |   5 +-
 .../account/find/FindAccountController.java   |  43 +-
 .../api/account/find/FindAccountService.java  |   6 +-
 .../ClientManagementAPIController.java        |  13 +
 .../service/ClientManagementService.java      |   2 +
 .../DefaultClientManagementService.java       |  13 +
 .../DefaultClientRegistrationService.java     |   2 +
 .../api/client/service/ClientConverter.java   | 484 +++++-----
 .../iam/api/client/service/ClientService.java |   2 +
 .../client/service/DefaultClientService.java  |  19 +-
 .../common/client/RegisteredClientDTO.java    | 111 ++-
 .../client/ClientStatusChangedEvent.java      |  28 +
 .../main/webapp/WEB-INF/tags/iamHeader.tag    |   4 +
 .../webapp/WEB-INF/views/iam/dashboard.jsp    |   2 +-
 .../clients/client/client.component.html      | 183 ++--
 .../clients/client/client.component.js        |  21 +-
 .../status/client.status.component.html       |  34 +
 .../client/status/client.status.component.js  | 117 +++
 .../clientslist/clientslist.component.html    |   4 +
 .../clientslist/clientslist.component.js      |  21 +-
 .../user/myclients/myclients.component.html   |  13 +-
 .../user/myclients/myclients.component.js     |  21 +-
 .../dashboard-app/services/clients.service.js |  11 +-
 .../dashboard-app/services/find.service.js    |  13 +-
 .../main/webapp/resources/iam/css/tooltip.css |  49 +
 .../find/FindAccountIntegrationTests.java     |  30 +
 .../ClientManagementAPIIntegrationTests.java  |  18 +
 .../ClientRegistrationAPIControllerTests.java |   1 +
 .../client/ClientManagementServiceTests.java  |  16 +
 ...nd_status_changed_on_to_client_details.sql |   2 +
 ...nd_status_changed_on_to_client_details.sql |   3 +
 .../db/migration/test/V100000___test_data.sql |  42 +-
 pom.xml                                       | 850 +++++++++---------
 33 files changed, 1350 insertions(+), 833 deletions(-)
 create mode 100644 iam-login-service/src/main/java/it/infn/mw/iam/audit/events/client/ClientStatusChangedEvent.java
 create mode 100644 iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.html
 create mode 100644 iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.js
 create mode 100644 iam-login-service/src/main/webapp/resources/iam/css/tooltip.css
 create mode 100644 iam-persistence/src/main/resources/db/migration/h2/V103__add_active_and_status_changed_on_to_client_details.sql
 create mode 100644 iam-persistence/src/main/resources/db/migration/mysql/V103__add_active_and_status_changed_on_to_client_details.sql

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/DefaultFindAccountService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/DefaultFindAccountService.java
index 3553dbeda..db350a3c5 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/DefaultFindAccountService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/DefaultFindAccountService.java
@@ -25,7 +25,6 @@
 import org.springframework.data.domain.Pageable;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
-
 import it.infn.mw.iam.api.scim.converter.UserConverter;
 import it.infn.mw.iam.api.scim.exception.IllegalArgumentException;
 import it.infn.mw.iam.api.scim.model.ScimListResponse;
@@ -143,4 +142,8 @@ public ScimListResponse<ScimUser> findAccountByGroupUuidWithFilter(String groupU
     Page<IamAccount> results = repo.findByGroupUuidWithFilter(group.getUuid(), filter, pageable);
     return responseFromPage(results, converter, pageable);
   }
+
+  public Optional<IamAccount> findAccountByUuid(String uuid) {
+    return repo.findByUuid(uuid);
+  }
 }
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
index 2356b93ee..0e27d2b1e 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
@@ -20,20 +20,27 @@
 import static java.util.Objects.isNull;
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
 
+import java.util.Optional;
+
+import javax.servlet.http.HttpServletRequest;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Pageable;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.BindingResult;
 import org.springframework.validation.annotation.Validated;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.annotation.*;
 
+import com.nimbusds.jose.shaded.json.JSONObject;
+
+import it.infn.mw.iam.api.common.ErrorDTO;
 import it.infn.mw.iam.api.common.ListResponseDTO;
+import it.infn.mw.iam.api.common.error.NoSuchAccountError;
 import it.infn.mw.iam.api.common.form.PaginatedRequestWithFilterForm;
 import it.infn.mw.iam.api.scim.model.ScimConstants;
 import it.infn.mw.iam.api.scim.model.ScimUser;
+import it.infn.mw.iam.persistence.model.IamAccount;
 
 @RestController
 @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
@@ -44,6 +51,7 @@ public class FindAccountController {
   public static final String FIND_BY_LABEL_RESOURCE = "/iam/account/find/bylabel";
   public static final String FIND_BY_EMAIL_RESOURCE = "/iam/account/find/byemail";
   public static final String FIND_BY_USERNAME_RESOURCE = "/iam/account/find/byusername";
+  public static final String FIND_BY_UUID_RESOURCE = "/iam/account/find/byuuid/{accountUuid}";
   public static final String FIND_BY_CERT_SUBJECT_RESOURCE = "/iam/account/find/bycertsubject";
   public static final String FIND_BY_GROUP_RESOURCE = "/iam/account/find/bygroup/{groupUuid}";
   public static final String FIND_NOT_IN_GROUP_RESOURCE =
@@ -121,4 +129,31 @@ public ListResponseDTO<ScimUser> findNotInGroup(@PathVariable String groupUuid,
     }
   }
 
+  @GetMapping(FIND_BY_UUID_RESOURCE)
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or hasRole('USER')")
+  public JSONObject findByUuid(@PathVariable String accountUuid) {
+    Optional<IamAccount> iamAccount = service.findAccountByUuid(accountUuid);
+    if(iamAccount.isPresent()){
+      return getIamAccountJson(iamAccount.get());
+    } else{
+      throw NoSuchAccountError.forUuid(accountUuid);
+    }    
+  }
+
+  @ResponseStatus(value = HttpStatus.NOT_FOUND)
+  @ExceptionHandler(NoSuchAccountError.class)
+  @ResponseBody
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or hasRole('USER')")
+  public ErrorDTO accountNotFoundError(HttpServletRequest req, Exception ex) {
+    return ErrorDTO.fromString(ex.getMessage());
+  }
+
+  private JSONObject getIamAccountJson(IamAccount iamAccount) {
+    JSONObject iamAccountJson = new JSONObject();
+    iamAccountJson.put("id", iamAccount.getId());
+    iamAccountJson.put("accountUuid", iamAccount.getUuid());
+    iamAccountJson.put("username", iamAccount.getUsername());
+    iamAccountJson.put("active", iamAccount.isActive());
+    return iamAccountJson;
+  }
 }
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountService.java
index 24314cca9..aca1e154b 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountService.java
@@ -15,10 +15,13 @@
  */
 package it.infn.mw.iam.api.account.find;
 
+import java.util.Optional;
+
 import org.springframework.data.domain.Pageable;
 
 import it.infn.mw.iam.api.scim.model.ScimListResponse;
 import it.infn.mw.iam.api.scim.model.ScimUser;
+import it.infn.mw.iam.persistence.model.IamAccount;
 
 public interface FindAccountService {
 
@@ -45,5 +48,6 @@ ScimListResponse<ScimUser> findAccountByGroupUuidWithFilter(String groupUuid, St
 
   ScimListResponse<ScimUser> findAccountNotInGroupWithFilter(String groupUuid, String filter,
       Pageable pageable);
-
+      
+  Optional<IamAccount> findAccountByUuid(String uuid);
 }
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
index a761d86df..2c377ef43 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
@@ -33,6 +33,7 @@
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
@@ -43,6 +44,8 @@
 import org.springframework.web.bind.annotation.RestController;
 
 import com.fasterxml.jackson.annotation.JsonView;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
 
 import it.infn.mw.iam.api.client.error.InvalidPaginationRequest;
 import it.infn.mw.iam.api.client.error.NoSuchClient;
@@ -140,6 +143,16 @@ public RegisteredClientDTO updateClient(@PathVariable String clientId,
     return managementService.updateClient(clientId, client);
   }
 
+  @PatchMapping("/{clientId}/status")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  public void updateClientStatus(@PathVariable String clientId,
+      @RequestBody String body) {  
+    JsonObject jsonObject = JsonParser.parseString(body).getAsJsonObject();
+    boolean status = jsonObject.get("status").getAsBoolean();
+    String userId = jsonObject.get("userId").getAsString();      
+    managementService.updateClientStatus(clientId, status, userId);
+  }
+
   @PostMapping("/{clientId}/secret")
   @ResponseStatus(CREATED)
   @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/service/ClientManagementService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/service/ClientManagementService.java
index 9e9531b88..ccfa02d64 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/service/ClientManagementService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/service/ClientManagementService.java
@@ -50,6 +50,8 @@ RegisteredClientDTO updateClient(@NotBlank String clientId,
 
   void deleteClientByClientId(@NotBlank String clientId);
 
+  void updateClientStatus(String clientId, boolean status, String userId);
+
   ListResponseDTO<ScimUser> getClientOwners(@NotBlank String clientId, @NotNull Pageable pageable);
 
   void assignClientOwner(@NotBlank String clientId, @IamAccountId String accountId);
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/service/DefaultClientManagementService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/service/DefaultClientManagementService.java
index 2298908e9..25c12c870 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/service/DefaultClientManagementService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/service/DefaultClientManagementService.java
@@ -52,6 +52,7 @@
 import it.infn.mw.iam.audit.events.client.ClientRegistrationAccessTokenRotatedEvent;
 import it.infn.mw.iam.audit.events.client.ClientRemovedEvent;
 import it.infn.mw.iam.audit.events.client.ClientSecretUpdatedEvent;
+import it.infn.mw.iam.audit.events.client.ClientStatusChangedEvent;
 import it.infn.mw.iam.audit.events.client.ClientUpdatedEvent;
 import it.infn.mw.iam.core.IamTokenService;
 import it.infn.mw.iam.persistence.model.IamAccount;
@@ -116,6 +117,7 @@ public RegisteredClientDTO saveNewClient(RegisteredClientDTO client) throws Pars
     ClientDetailsEntity entity = converter.entityFromClientManagementRequest(client);
     entity.setDynamicallyRegistered(false);
     entity.setCreatedAt(Date.from(clock.instant()));
+    entity.setActive(true);
 
     defaultsService.setupClientDefaults(entity);
     entity = clientService.saveNewClient(entity);
@@ -133,6 +135,16 @@ public void deleteClientByClientId(String clientId) {
     eventPublisher.publishEvent(new ClientRemovedEvent(this, client));
   }
 
+  @Override
+  public void updateClientStatus(String clientId, boolean status, String userId) {
+
+    ClientDetailsEntity client = clientService.findClientByClientId(clientId)
+        .orElseThrow(ClientSuppliers.clientNotFound(clientId));
+    client = clientService.updateClientStatus(client, status, userId);
+    String message = "Client " + (status?"enabled":"disabled");
+    eventPublisher.publishEvent(new ClientStatusChangedEvent(this, client, message));
+  }
+
   @Validated(OnClientUpdate.class)
   @Override
   public RegisteredClientDTO updateClient(String clientId, RegisteredClientDTO client)
@@ -148,6 +160,7 @@ public RegisteredClientDTO updateClient(String clientId, RegisteredClientDTO cli
     newClient.setClientId(oldClient.getClientId());
     newClient.setAuthorities(oldClient.getAuthorities());
     newClient.setDynamicallyRegistered(oldClient.isDynamicallyRegistered());
+    newClient.setActive(oldClient.isActive());
 
     if (NONE.equals(newClient.getTokenEndpointAuthMethod())) {
       newClient.setClientSecret(null);
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
index 09bc73fb8..6ef380583 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
@@ -330,6 +330,7 @@ public RegisteredClientDTO registerClient(RegisteredClientDTO request,
     ClientDetailsEntity client = converter.entityFromRegistrationRequest(request);
     defaultsService.setupClientDefaults(client);
     client.setDynamicallyRegistered(true);
+    client.setActive(true);
 
     checkAllowedGrantTypes(request, authentication);
     cleanupRequestedScopes(client, authentication);
@@ -410,6 +411,7 @@ public RegisteredClientDTO updateClient(String clientId, RegisteredClientDTO req
     newClient.setAuthorities(oldClient.getAuthorities());
     newClient.setCreatedAt(oldClient.getCreatedAt());
     newClient.setReuseRefreshToken(oldClient.isReuseRefreshToken());
+    newClient.setActive(oldClient.isActive());
 
     ClientDetailsEntity savedClient = clientService.updateClient(newClient);
 
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientConverter.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientConverter.java
index cb251e9c4..bc5040cf6 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientConverter.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientConverter.java
@@ -1,243 +1,247 @@
-/**
- * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package it.infn.mw.iam.api.client.service;
-
-import static java.util.Objects.isNull;
-import static java.util.stream.Collectors.toSet;
-
-import java.text.ParseException;
-import java.util.HashSet;
-import java.util.Optional;
-import java.util.Set;
-
-import org.mitre.oauth2.model.ClientDetailsEntity;
-import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
-import org.mitre.oauth2.model.PKCEAlgorithm;
-import org.springframework.stereotype.Component;
-
-import com.google.common.base.Strings;
-import com.nimbusds.jose.jwk.JWKSet;
-
-import it.infn.mw.iam.api.client.registration.ClientRegistrationApiController;
-import it.infn.mw.iam.api.common.client.AuthorizationGrantType;
-import it.infn.mw.iam.api.common.client.OAuthResponseType;
-import it.infn.mw.iam.api.common.client.RegisteredClientDTO;
-import it.infn.mw.iam.api.common.client.TokenEndpointAuthenticationMethod;
-import it.infn.mw.iam.config.IamProperties;
-import it.infn.mw.iam.config.client_registration.ClientRegistrationProperties;
-
-@Component
-public class ClientConverter {
-
-  private final IamProperties iamProperties;
-
-  private final String clientRegistrationBaseUrl;
-  private final ClientRegistrationProperties clientRegistrationProperties;
-
-  public ClientConverter(IamProperties properties,
-      ClientRegistrationProperties clientRegistrationProperties) {
-    this.iamProperties = properties;
-    this.clientRegistrationProperties = clientRegistrationProperties;
-    clientRegistrationBaseUrl =
-        String.format("%s%s", iamProperties.getBaseUrl(), ClientRegistrationApiController.ENDPOINT);
-  }
-
-  private <T> Set<T> cloneSet(Set<T> stringSet) {
-    Set<T> result = new HashSet<>();
-    if (stringSet != null) {
-      result.addAll(stringSet);
-    }
-    return result;
-  }
-
-
-  public ClientDetailsEntity entityFromClientManagementRequest(RegisteredClientDTO dto)
-      throws ParseException {
-    ClientDetailsEntity client = entityFromRegistrationRequest(dto);
-
-    if (dto.getAccessTokenValiditySeconds() != null && dto.getAccessTokenValiditySeconds() > 0) {
-      client.setAccessTokenValiditySeconds(dto.getAccessTokenValiditySeconds());
-    }
-    // Refresh Token validity seconds zero value is valid and means infinite duration
-    if (dto.getRefreshTokenValiditySeconds() != null && dto.getRefreshTokenValiditySeconds() >= 0) {
-      client.setRefreshTokenValiditySeconds(dto.getRefreshTokenValiditySeconds());
-    }
-    if (dto.getIdTokenValiditySeconds() != null && dto.getIdTokenValiditySeconds() > 0) {
-      client.setIdTokenValiditySeconds(dto.getIdTokenValiditySeconds());
-    }
-    if (dto.getDeviceCodeValiditySeconds() != null && dto.getDeviceCodeValiditySeconds() > 0) {
-      client.setDeviceCodeValiditySeconds(dto.getDeviceCodeValiditySeconds());
-    }
-
-    client.setAllowIntrospection(dto.isAllowIntrospection());
-    client.setReuseRefreshToken(dto.isReuseRefreshToken());
-    client.setClearAccessTokensOnRefresh(dto.isClearAccessTokensOnRefresh());
-
-    if (dto.getCodeChallengeMethod() != null) {
-      PKCEAlgorithm pkceAlgo = PKCEAlgorithm.parse(dto.getCodeChallengeMethod());
-      client.setCodeChallengeMethod(pkceAlgo);
-    }
-
-    if (dto.getTokenEndpointAuthMethod() != null) {
-      client
-        .setTokenEndpointAuthMethod(AuthMethod.getByValue(dto.getTokenEndpointAuthMethod().name()));
-    }
-
-    client.setRequireAuthTime(Boolean.valueOf(dto.isRequireAuthTime()));
-
-    return client;
-  }
-
-
-
-  public RegisteredClientDTO registeredClientDtoFromEntity(ClientDetailsEntity entity) {
-    RegisteredClientDTO clientDTO = new RegisteredClientDTO();
-    
-    clientDTO.setClientId(entity.getClientId());
-    clientDTO.setClientSecret(entity.getClientSecret());
-    clientDTO.setClientName(entity.getClientName());
-    clientDTO.setContacts(entity.getContacts());
-    clientDTO.setGrantTypes(entity.getGrantTypes()
-      .stream()
-      .map(AuthorizationGrantType::fromGrantType)
-      .collect(toSet()));
-
-    clientDTO.setJwksUri(entity.getJwksUri());
-    clientDTO.setRedirectUris(cloneSet(entity.getRedirectUris()));
-
-    clientDTO.setTokenEndpointAuthMethod(TokenEndpointAuthenticationMethod
-      .valueOf(Optional.ofNullable(entity.getTokenEndpointAuthMethod())
-        .orElse(AuthMethod.NONE)
-        .getValue()));
-
-    clientDTO.setScope(cloneSet(entity.getScope()));
-    clientDTO.setTosUri(entity.getTosUri());
-
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.api.client.service;
+
+import static java.util.Objects.isNull;
+import static java.util.stream.Collectors.toSet;
+
+import java.text.ParseException;
+import java.util.HashSet;
+import java.util.Optional;
+import java.util.Set;
+
+import org.mitre.oauth2.model.ClientDetailsEntity;
+import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
+import org.mitre.oauth2.model.PKCEAlgorithm;
+import org.springframework.stereotype.Component;
+
+import com.google.common.base.Strings;
+import com.nimbusds.jose.jwk.JWKSet;
+
+import it.infn.mw.iam.api.client.registration.ClientRegistrationApiController;
+import it.infn.mw.iam.api.common.client.AuthorizationGrantType;
+import it.infn.mw.iam.api.common.client.OAuthResponseType;
+import it.infn.mw.iam.api.common.client.RegisteredClientDTO;
+import it.infn.mw.iam.api.common.client.TokenEndpointAuthenticationMethod;
+import it.infn.mw.iam.config.IamProperties;
+import it.infn.mw.iam.config.client_registration.ClientRegistrationProperties;
+
+@Component
+public class ClientConverter {
+
+  private final IamProperties iamProperties;
+
+  private final String clientRegistrationBaseUrl;
+  private final ClientRegistrationProperties clientRegistrationProperties;
+
+  public ClientConverter(IamProperties properties,
+      ClientRegistrationProperties clientRegistrationProperties) {
+    this.iamProperties = properties;
+    this.clientRegistrationProperties = clientRegistrationProperties;
+    clientRegistrationBaseUrl =
+        String.format("%s%s", iamProperties.getBaseUrl(), ClientRegistrationApiController.ENDPOINT);
+  }
+
+  private <T> Set<T> cloneSet(Set<T> stringSet) {
+    Set<T> result = new HashSet<>();
+    if (stringSet != null) {
+      result.addAll(stringSet);
+    }
+    return result;
+  }
+
+
+  public ClientDetailsEntity entityFromClientManagementRequest(RegisteredClientDTO dto)
+      throws ParseException {
+    ClientDetailsEntity client = entityFromRegistrationRequest(dto);
+
+    if (dto.getAccessTokenValiditySeconds() != null && dto.getAccessTokenValiditySeconds() > 0) {
+      client.setAccessTokenValiditySeconds(dto.getAccessTokenValiditySeconds());
+    }
+    // Refresh Token validity seconds zero value is valid and means infinite duration
+    if (dto.getRefreshTokenValiditySeconds() != null && dto.getRefreshTokenValiditySeconds() >= 0) {
+      client.setRefreshTokenValiditySeconds(dto.getRefreshTokenValiditySeconds());
+    }
+    if (dto.getIdTokenValiditySeconds() != null && dto.getIdTokenValiditySeconds() > 0) {
+      client.setIdTokenValiditySeconds(dto.getIdTokenValiditySeconds());
+    }
+    if (dto.getDeviceCodeValiditySeconds() != null && dto.getDeviceCodeValiditySeconds() > 0) {
+      client.setDeviceCodeValiditySeconds(dto.getDeviceCodeValiditySeconds());
+    }
+
+    client.setAllowIntrospection(dto.isAllowIntrospection());
+    client.setReuseRefreshToken(dto.isReuseRefreshToken());
+    client.setClearAccessTokensOnRefresh(dto.isClearAccessTokensOnRefresh());
+
+    if (dto.getCodeChallengeMethod() != null) {
+      PKCEAlgorithm pkceAlgo = PKCEAlgorithm.parse(dto.getCodeChallengeMethod());
+      client.setCodeChallengeMethod(pkceAlgo);
+    }
+
+    if (dto.getTokenEndpointAuthMethod() != null) {
+      client
+        .setTokenEndpointAuthMethod(AuthMethod.getByValue(dto.getTokenEndpointAuthMethod().name()));
+    }
+
+    client.setRequireAuthTime(Boolean.valueOf(dto.isRequireAuthTime()));
+
+    return client;
+  }
+
+
+
+  public RegisteredClientDTO registeredClientDtoFromEntity(ClientDetailsEntity entity) {
+    RegisteredClientDTO clientDTO = new RegisteredClientDTO();
+
+    clientDTO.setClientId(entity.getClientId());
+    clientDTO.setClientSecret(entity.getClientSecret());
+    clientDTO.setClientName(entity.getClientName());
+    clientDTO.setContacts(entity.getContacts());
+    clientDTO.setGrantTypes(entity.getGrantTypes()
+      .stream()
+      .map(AuthorizationGrantType::fromGrantType)
+      .collect(toSet()));
+
+    clientDTO.setJwksUri(entity.getJwksUri());
+    clientDTO.setRedirectUris(cloneSet(entity.getRedirectUris()));
+
+    clientDTO.setTokenEndpointAuthMethod(TokenEndpointAuthenticationMethod
+      .valueOf(Optional.ofNullable(entity.getTokenEndpointAuthMethod())
+        .orElse(AuthMethod.NONE)
+        .getValue()));
+
+    clientDTO.setScope(cloneSet(entity.getScope()));
+    clientDTO.setTosUri(entity.getTosUri());
+
     clientDTO.setCreatedAt(entity.getCreatedAt());
     if (entity.getClientLastUsed() != null) {
       clientDTO.setLastUsed(entity.getClientLastUsed().getLastUsed());
-    }
-    clientDTO.setAccessTokenValiditySeconds(entity.getAccessTokenValiditySeconds());
-    clientDTO.setAllowIntrospection(entity.isAllowIntrospection());
-    clientDTO.setClearAccessTokensOnRefresh(entity.isClearAccessTokensOnRefresh());
-    clientDTO.setClientDescription(entity.getClientDescription());
-    clientDTO.setClientUri(entity.getClientUri());
-    clientDTO.setDeviceCodeValiditySeconds(entity.getDeviceCodeValiditySeconds());
-    clientDTO.setDynamicallyRegistered(entity.isDynamicallyRegistered());
-    clientDTO.setIdTokenValiditySeconds(entity.getIdTokenValiditySeconds());
-    clientDTO.setJwksUri(entity.getJwksUri());
-
-    Optional.ofNullable(entity.getJwks()).ifPresent(k -> clientDTO.setJwk(k.toString()));
-    clientDTO.setPolicyUri(entity.getPolicyUri());
-    clientDTO.setRefreshTokenValiditySeconds(entity.getRefreshTokenValiditySeconds());
-
-    Optional.ofNullable(entity.getResponseTypes())
-      .ifPresent(rts -> clientDTO
-        .setResponseTypes(rts.stream().map(OAuthResponseType::fromResponseType).collect(toSet())));
-
-    clientDTO.setReuseRefreshToken(entity.isReuseRefreshToken());
-
-    if (entity.isDynamicallyRegistered()) {
-      clientDTO.setRegistrationClientUri(
-          String.format("%s/%s", clientRegistrationBaseUrl, entity.getClientId()));
-    }
-
-    if (entity.getCodeChallengeMethod() != null) {
-      clientDTO.setCodeChallengeMethod(entity.getCodeChallengeMethod().getName());
-    }
-
-    if (entity.getRequireAuthTime() != null) {
-      clientDTO.setRequireAuthTime(entity.getRequireAuthTime());
-    } else {
-      clientDTO.setRequireAuthTime(false);
-    }
-
-    return clientDTO;
-  }
-
-  public ClientDetailsEntity entityFromRegistrationRequest(RegisteredClientDTO dto)
-      throws ParseException {
-
-    ClientDetailsEntity client = new ClientDetailsEntity();
-
-    client.setClientId(dto.getClientId());
-    client.setClientDescription(dto.getClientDescription());
-    client.setClientName(dto.getClientName());
-    client.setClientSecret(dto.getClientSecret());
-
-    client.setClientUri(dto.getClientUri());
-
-    if (!Strings.isNullOrEmpty(dto.getJwksUri())) {
-      client.setJwksUri(dto.getJwksUri());
-    } else if (!Strings.isNullOrEmpty(dto.getJwk())) {
-      client.setJwks(JWKSet.parse(dto.getJwk()));
-    }
-
-    client.setPolicyUri(dto.getPolicyUri());
-    
-    client.setRedirectUris(cloneSet(dto.getRedirectUris()));
-
-    client.setScope(cloneSet(dto.getScope()));
-    
-    client.setGrantTypes(new HashSet<>());   
-
-    if (!isNull(dto.getGrantTypes())) {
-      client.setGrantTypes(
-          dto.getGrantTypes()
-          .stream()
-          .map(AuthorizationGrantType::getGrantType)
-          .collect(toSet()));
-    }
-
-    if (dto.getScope().contains("offline_access")) {
-      client.getGrantTypes().add(AuthorizationGrantType.REFRESH_TOKEN.getGrantType());
-    }
-
-    if (!isNull(dto.getResponseTypes())) {
-      client.setResponseTypes(
-          dto.getResponseTypes().stream().map(OAuthResponseType::getResponseType).collect(toSet()));
-    }
-
-    client.setContacts(cloneSet(dto.getContacts()));
-
-    if (!isNull(dto.getTokenEndpointAuthMethod())) {
-      client
-        .setTokenEndpointAuthMethod(AuthMethod.getByValue(dto.getTokenEndpointAuthMethod().name()));
-    }
-
-    if (dto.getCodeChallengeMethod() != null) {
-      PKCEAlgorithm pkceAlgo = PKCEAlgorithm.parse(dto.getCodeChallengeMethod());
-      client.setCodeChallengeMethod(pkceAlgo);
-    }
-
-    // bypasses MitreID default setting to zero inside client's entity
-    client.setAccessTokenValiditySeconds(clientRegistrationProperties.getClientDefaults().getDefaultAccessTokenValiditySeconds());
-    client.setRefreshTokenValiditySeconds(clientRegistrationProperties.getClientDefaults().getDefaultRefreshTokenValiditySeconds());
-    client.setIdTokenValiditySeconds(clientRegistrationProperties.getClientDefaults().getDefaultIdTokenValiditySeconds());
-    client.setDeviceCodeValiditySeconds(clientRegistrationProperties.getClientDefaults().getDefaultDeviceCodeValiditySeconds());
-
-    return client;
-  }
-
-  public RegisteredClientDTO registrationResponseFromClient(ClientDetailsEntity entity) {
-    RegisteredClientDTO response = registeredClientDtoFromEntity(entity);
-    response.setRegistrationClientUri(
-        String.format("%s/%s", clientRegistrationBaseUrl, entity.getClientId()));
-
-    return response;
-  }
-
-}
+    }
+    clientDTO.setAccessTokenValiditySeconds(entity.getAccessTokenValiditySeconds());
+    clientDTO.setAllowIntrospection(entity.isAllowIntrospection());
+    clientDTO.setClearAccessTokensOnRefresh(entity.isClearAccessTokensOnRefresh());
+    clientDTO.setClientDescription(entity.getClientDescription());
+    clientDTO.setClientUri(entity.getClientUri());
+    clientDTO.setDeviceCodeValiditySeconds(entity.getDeviceCodeValiditySeconds());
+    clientDTO.setDynamicallyRegistered(entity.isDynamicallyRegistered());
+    clientDTO.setIdTokenValiditySeconds(entity.getIdTokenValiditySeconds());
+    clientDTO.setJwksUri(entity.getJwksUri());
+
+    Optional.ofNullable(entity.getJwks()).ifPresent(k -> clientDTO.setJwk(k.toString()));
+    clientDTO.setPolicyUri(entity.getPolicyUri());
+    clientDTO.setRefreshTokenValiditySeconds(entity.getRefreshTokenValiditySeconds());
+
+    Optional.ofNullable(entity.getResponseTypes())
+      .ifPresent(rts -> clientDTO
+        .setResponseTypes(rts.stream().map(OAuthResponseType::fromResponseType).collect(toSet())));
+
+    clientDTO.setReuseRefreshToken(entity.isReuseRefreshToken());
+
+    if (entity.isDynamicallyRegistered()) {
+      clientDTO.setRegistrationClientUri(
+          String.format("%s/%s", clientRegistrationBaseUrl, entity.getClientId()));
+    }
+
+    if (entity.getCodeChallengeMethod() != null) {
+      clientDTO.setCodeChallengeMethod(entity.getCodeChallengeMethod().getName());
+    }
+
+    if (entity.getRequireAuthTime() != null) {
+      clientDTO.setRequireAuthTime(entity.getRequireAuthTime());
+    } else {
+      clientDTO.setRequireAuthTime(false);
+    }
+
+    clientDTO.setActive(entity.isActive());
+    clientDTO.setStatusChangedOn(entity.getStatusChangedOn());
+    clientDTO.setStatusChangedBy(entity.getStatusChangedBy());
+
+    return clientDTO;
+  }
+
+  public ClientDetailsEntity entityFromRegistrationRequest(RegisteredClientDTO dto)
+      throws ParseException {
+
+    ClientDetailsEntity client = new ClientDetailsEntity();
+
+    client.setClientId(dto.getClientId());
+    client.setClientDescription(dto.getClientDescription());
+    client.setClientName(dto.getClientName());
+    client.setClientSecret(dto.getClientSecret());
+
+    client.setClientUri(dto.getClientUri());
+
+    if (!Strings.isNullOrEmpty(dto.getJwksUri())) {
+      client.setJwksUri(dto.getJwksUri());
+    } else if (!Strings.isNullOrEmpty(dto.getJwk())) {
+      client.setJwks(JWKSet.parse(dto.getJwk()));
+    }
+
+    client.setPolicyUri(dto.getPolicyUri());
+    
+    client.setRedirectUris(cloneSet(dto.getRedirectUris()));
+
+    client.setScope(cloneSet(dto.getScope()));
+    
+    client.setGrantTypes(new HashSet<>());   
+
+    if (!isNull(dto.getGrantTypes())) {
+      client.setGrantTypes(
+          dto.getGrantTypes()
+          .stream()
+          .map(AuthorizationGrantType::getGrantType)
+          .collect(toSet()));
+    }
+
+    if (dto.getScope().contains("offline_access")) {
+      client.getGrantTypes().add(AuthorizationGrantType.REFRESH_TOKEN.getGrantType());
+    }
+
+    if (!isNull(dto.getResponseTypes())) {
+      client.setResponseTypes(
+          dto.getResponseTypes().stream().map(OAuthResponseType::getResponseType).collect(toSet()));
+    }
+
+    client.setContacts(cloneSet(dto.getContacts()));
+
+    if (!isNull(dto.getTokenEndpointAuthMethod())) {
+      client
+        .setTokenEndpointAuthMethod(AuthMethod.getByValue(dto.getTokenEndpointAuthMethod().name()));
+    }
+
+    if (dto.getCodeChallengeMethod() != null) {
+      PKCEAlgorithm pkceAlgo = PKCEAlgorithm.parse(dto.getCodeChallengeMethod());
+      client.setCodeChallengeMethod(pkceAlgo);
+    }
+
+    // bypasses MitreID default setting to zero inside client's entity
+    client.setAccessTokenValiditySeconds(clientRegistrationProperties.getClientDefaults().getDefaultAccessTokenValiditySeconds());
+    client.setRefreshTokenValiditySeconds(clientRegistrationProperties.getClientDefaults().getDefaultRefreshTokenValiditySeconds());
+    client.setIdTokenValiditySeconds(clientRegistrationProperties.getClientDefaults().getDefaultIdTokenValiditySeconds());
+    client.setDeviceCodeValiditySeconds(clientRegistrationProperties.getClientDefaults().getDefaultDeviceCodeValiditySeconds());
+
+    return client;
+  }
+
+  public RegisteredClientDTO registrationResponseFromClient(ClientDetailsEntity entity) {
+    RegisteredClientDTO response = registeredClientDtoFromEntity(entity);
+    response.setRegistrationClientUri(
+        String.format("%s/%s", clientRegistrationBaseUrl, entity.getClientId()));
+
+    return response;
+  }
+
+}
\ No newline at end of file
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientService.java
index 421439303..2c7accb0d 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientService.java
@@ -45,5 +45,7 @@ Optional<ClientDetailsEntity> findClientByClientIdAndAccount(String clientId,
 
   ClientDetailsEntity updateClient(ClientDetailsEntity client);
 
+  ClientDetailsEntity updateClientStatus(ClientDetailsEntity client, boolean status, String userId);
+
   void deleteClient(ClientDetailsEntity client);
 }
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/DefaultClientService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/DefaultClientService.java
index 48de8fd4c..1f6383cb0 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/DefaultClientService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/DefaultClientService.java
@@ -88,7 +88,7 @@ private Supplier<IamAccountClient> newAccountClient(IamAccount owner,
   @Override
   public ClientDetailsEntity linkClientToAccount(ClientDetailsEntity client, IamAccount owner) {
     IamAccountClient ac = accountClientRepo.findByAccountAndClient(owner, client)
-      .orElseGet(newAccountClient(owner, client));
+        .orElseGet(newAccountClient(owner, client));
     return ac.getClient();
   }
 
@@ -107,6 +107,13 @@ public ClientDetailsEntity updateClient(ClientDetailsEntity client) {
     return clientRepo.save(client);
   }
 
+  @Override
+  public ClientDetailsEntity updateClientStatus(ClientDetailsEntity client, boolean status, String userId) {
+    client.setActive(status);
+    client.setStatusChangedBy(userId);
+    client.setStatusChangedOn(Date.from(clock.instant()));
+    return clientRepo.save(client);
+  }
 
   @Override
   public Optional<ClientDetailsEntity> findClientByClientId(String clientId) {
@@ -122,7 +129,7 @@ public Optional<ClientDetailsEntity> findClientByClientIdAndAccount(String clien
 
     if (maybeClient.isPresent()) {
       return accountClientRepo.findByAccountAndClientId(account, maybeClient.get().getId())
-        .map(IamAccountClient::getClient);
+          .map(IamAccountClient::getClient);
     }
 
     return Optional.empty();
@@ -144,12 +151,12 @@ private boolean isValidAccessToken(OAuth2AccessTokenEntity a) {
   private void deleteTokensByClient(ClientDetailsEntity client) {
     // delete all valid access tokens (exclude registration and resource tokens)
     tokenService.getAccessTokensForClient(client)
-      .stream()
-      .filter(this::isValidAccessToken)
-      .forEach(at -> tokenService.revokeAccessToken(at));
+        .stream()
+        .filter(this::isValidAccessToken)
+        .forEach(at -> tokenService.revokeAccessToken(at));
     // delete all valid refresh tokens
     tokenService.getRefreshTokensForClient(client)
-      .forEach(rt -> tokenService.revokeRefreshToken(rt));
+        .forEach(rt -> tokenService.revokeRefreshToken(rt));
   }
 
   @Override
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/common/client/RegisteredClientDTO.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/common/client/RegisteredClientDTO.java
index 2125fa4d5..79c267a0f 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/common/client/RegisteredClientDTO.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/common/client/RegisteredClientDTO.java
@@ -1,21 +1,21 @@
-/**
- * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package it.infn.mw.iam.api.common.client;
 
-import java.time.LocalDate;
+import java.time.LocalDate;
 import java.util.Date;
 import java.util.Set;
 
@@ -28,9 +28,9 @@
 import javax.validation.constraints.Pattern;
 import javax.validation.constraints.Size;
 
-import org.hibernate.validator.constraints.URL;
-
-import com.fasterxml.jackson.annotation.JsonFormat;
+import org.hibernate.validator.constraints.URL;
+
+import com.fasterxml.jackson.annotation.JsonFormat;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonView;
 import com.fasterxml.jackson.databind.PropertyNamingStrategies;
@@ -50,6 +50,7 @@
 import it.infn.mw.iam.api.client.registration.validation.ValidTokenEndpointAuthMethod;
 import it.infn.mw.iam.api.common.ClientViews;
 
+
 @JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
 @JsonInclude(JsonInclude.Include.NON_EMPTY)
 @ValidGrantType(groups = {OnClientCreation.class, OnClientUpdate.class,
@@ -83,7 +84,8 @@ public class RegisteredClientDTO {
   private String clientSecret;
 
   @Size(min = 4, max = 256,
-      groups = {OnDynamicClientRegistration.class, OnClientCreation.class, OnClientUpdate.class, OnDynamicClientUpdate.class},
+      groups = {OnDynamicClientRegistration.class, OnClientCreation.class, OnClientUpdate.class,
+          OnDynamicClientUpdate.class},
       message = "Invalid length: must be between 4 and 256 characters")
   @NotBlank(groups = {OnDynamicClientRegistration.class, OnClientCreation.class},
       message = "should not be blank")
@@ -161,20 +163,20 @@ public class RegisteredClientDTO {
       ClientViews.DynamicRegistration.class})
   private TokenEndpointAuthenticationMethod tokenEndpointAuthMethod;
 
-  @Valid
-  @Size(max = 512,
-      groups = {OnDynamicClientRegistration.class, OnDynamicClientUpdate.class,
-          OnClientCreation.class, OnClientUpdate.class})
-  @JsonSerialize(using = CollectionAsStringSerializer.class)
-  @JsonDeserialize(using = StringAsSetOfStringsDeserializer.class)
-  @JsonView({ClientViews.Limited.class, ClientViews.Full.class, ClientViews.ClientManagement.class,
-      ClientViews.DynamicRegistration.class})
-  private Set<@NotBlank(groups = {OnDynamicClientRegistration.class, OnDynamicClientUpdate.class,
-      OnClientCreation.class, OnClientUpdate.class},
-      message = "must not include blank strings") @Size(min = 1, max = 2048,
-          message = "string size must be between 1 and 2048",
-          groups = {OnDynamicClientRegistration.class, OnDynamicClientUpdate.class,
-              OnClientCreation.class, OnClientUpdate.class}) String> scope =
+  @Valid
+  @Size(max = 512,
+      groups = {OnDynamicClientRegistration.class, OnDynamicClientUpdate.class,
+          OnClientCreation.class, OnClientUpdate.class})
+  @JsonSerialize(using = CollectionAsStringSerializer.class)
+  @JsonDeserialize(using = StringAsSetOfStringsDeserializer.class)
+  @JsonView({ClientViews.Limited.class, ClientViews.Full.class, ClientViews.ClientManagement.class,
+      ClientViews.DynamicRegistration.class})
+  private Set<@NotBlank(groups = {OnDynamicClientRegistration.class, OnDynamicClientUpdate.class,
+      OnClientCreation.class, OnClientUpdate.class},
+      message = "must not include blank strings") @Size(min = 1, max = 2048,
+          message = "string size must be between 1 and 2048",
+          groups = {OnDynamicClientRegistration.class, OnDynamicClientUpdate.class,
+              OnClientCreation.class, OnClientUpdate.class}) String> scope =
           Sets.newHashSet();
 
   @Min(value = 0, groups = OnClientCreation.class)
@@ -250,10 +252,22 @@ public class RegisteredClientDTO {
       ClientViews.DynamicRegistration.class})
   @Pattern(regexp = "^$|none|plain|S256",
       message = "must be either an empty string, none, plain or S256",
-      groups = {OnClientCreation.class,
-      OnClientUpdate.class, OnDynamicClientRegistration.class, OnDynamicClientUpdate.class})
+      groups = {OnClientCreation.class, OnClientUpdate.class, OnDynamicClientRegistration.class,
+          OnDynamicClientUpdate.class})
   private String codeChallengeMethod;
 
+  @JsonView({ClientViews.Full.class, ClientViews.ClientManagement.class,
+      ClientViews.DynamicRegistration.class})
+  private boolean active;
+
+  @JsonView({ClientViews.Full.class, ClientViews.ClientManagement.class,
+      ClientViews.DynamicRegistration.class})
+  private Date statusChangedOn;
+
+  @JsonView({ClientViews.Limited.class, ClientViews.Full.class, ClientViews.ClientManagement.class,
+    ClientViews.DynamicRegistration.class})
+  private String statusChangedBy;
+
   public String getClientId() {
     return clientId;
   }
@@ -511,4 +525,27 @@ public void setDefaultMaxAge(Integer defaultMaxAge) {
     this.defaultMaxAge = defaultMaxAge;
   }
 
-}
+  public boolean isActive() {
+    return active;
+  }
+
+  public void setActive(boolean active) {
+    this.active = active;
+  }
+
+  public Date getStatusChangedOn() {
+    return statusChangedOn;
+  }
+
+  public void setStatusChangedOn(Date statusChangedOn) {
+    this.statusChangedOn = statusChangedOn;
+  }
+
+  public void setStatusChangedBy(String statusChangedBy) {
+    this.statusChangedBy = statusChangedBy;
+  }
+
+  public String getStatusChangedBy() {
+    return statusChangedBy;
+  }
+}
\ No newline at end of file
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/client/ClientStatusChangedEvent.java b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/client/ClientStatusChangedEvent.java
new file mode 100644
index 000000000..c48243d50
--- /dev/null
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/audit/events/client/ClientStatusChangedEvent.java
@@ -0,0 +1,28 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.audit.events.client;
+
+import org.mitre.oauth2.model.ClientDetailsEntity;
+
+public class ClientStatusChangedEvent extends ClientEvent {
+
+  private static final long serialVersionUID = 1L;
+
+  public ClientStatusChangedEvent(Object source, ClientDetailsEntity client, String message) {
+    super(source, client, message);
+  }
+
+}
diff --git a/iam-login-service/src/main/webapp/WEB-INF/tags/iamHeader.tag b/iam-login-service/src/main/webapp/WEB-INF/tags/iamHeader.tag
index 61b29fce3..076c9dfd6 100644
--- a/iam-login-service/src/main/webapp/WEB-INF/tags/iamHeader.tag
+++ b/iam-login-service/src/main/webapp/WEB-INF/tags/iamHeader.tag
@@ -43,6 +43,10 @@
   rel="stylesheet"
   href="${resourcesPrefix}/iam/css/iam.css"></link>
 
+<link
+  rel="stylesheet"
+  href="${resourcesPrefix}/iam/css/tooltip.css"></link>  
+
 </head>
 
 <script>
diff --git a/iam-login-service/src/main/webapp/WEB-INF/views/iam/dashboard.jsp b/iam-login-service/src/main/webapp/WEB-INF/views/iam/dashboard.jsp
index 57ef2e3e1..1ef1459d3 100644
--- a/iam-login-service/src/main/webapp/WEB-INF/views/iam/dashboard.jsp
+++ b/iam-login-service/src/main/webapp/WEB-INF/views/iam/dashboard.jsp
@@ -199,7 +199,7 @@
   <script type="text/javascript" src="${resourcesPrefix}/iam/apps/dashboard-app/components/clients/client/othersettings/othersettings.component.js"></script>
   <script type="text/javascript" src="${resourcesPrefix}/iam/apps/dashboard-app/components/clients/client/clientowners/clientowners.component.js"></script>
   <script type="text/javascript" src="${resourcesPrefix}/iam/apps/dashboard-app/components/clients/client/confirmclientremoval/confirmclientremoval.component.js"></script>
-  
+  <script type="text/javascript" src="${resourcesPrefix}/iam/apps/dashboard-app/components/clients/client/status/client.status.component.js"></script>
   
   <script type="text/javascript" src="${resourcesPrefix}/iam/apps/dashboard-app/components/common/inputlist/inputlist.component.js"></script>
   <script type="text/javascript" src="${resourcesPrefix}/iam/apps/dashboard-app/components/common/finduserdialog/finduserdialog.component.js"></script>
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.html b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.html
index 84bd1a220..c03f21c5c 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.html
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.html
@@ -1,90 +1,95 @@
-<!--
-
-    Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
-
-    Licensed under the Apache License, Version 2.0 (the "License");
-    you may not use this file except in compliance with the License.
-    You may obtain a copy of the License at
-
-        http://www.apache.org/licenses/LICENSE-2.0
-
-    Unless required by applicable law or agreed to in writing, software
-    distributed under the License is distributed on an "AS IS" BASIS,
-    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-    See the License for the specific language governing permissions and
-    limitations under the License.
-
--->
-<div>
-    <section class="content-header" ng-cloak>
-        <h1>
-            <i class="fa fa-rocket"></i>&nbsp;&nbsp; <span
-                ng-if="!$ctrl.newClient">{{$ctrl.clientVal.client_name}}</span>
-            <span ng-if="$ctrl.newClient">Create a new client</span>
-        </h1>
-        <ol class="breadcrumb hidden-xs" ng-if="!$ctrl.newClient">
-            <li><a ui-sref="clients" ui-sref-opts="{reload:true}"><i class="fa fa-rocket"></i> Clients</a> &gt;
-                {{$ctrl.client.client_name}}</li>
-        </ol>
-    </section>
-
-    <section class="content" ng-cloak>
-        <div class="row">
-            <section class="col-xs-12" ng-cloak>
-                <form name="clientForm" novalidate>
-                    <uib-tabset active="$ctrl.activeTab" class="nav-tabs-custom">
-                        <uib-tab index="1">
-                            <uib-tab-heading>Main</uib-tab-heading>
-                            <clientsettings client="$ctrl.clientVal"></clientsettings>
-                        </uib-tab>
-
-                        <uib-tab index="2">
-                            <uib-tab-heading>Credentials</uib-tab-heading>
-                            <clientauth client="$ctrl.clientVal" new-client="$ctrl.newClient" limited="false">
-                            </clientauth>
-                        </uib-tab>
-
-                        <uib-tab index="3">
-                            <uib-tab-heading>Scopes</uib-tab-heading>
-                            <scopelist client="$ctrl.clientVal" system-scopes="$ctrl.systemScopes" limited="false" />
-                        </uib-tab>
-
-                        <uib-tab index="4">
-                            <uib-tab-heading>Grant types</uib-tab-heading>
-                            <granttypelist client="$ctrl.clientVal" limited="false" />
-                        </uib-tab>
-
-                        <uib-tab index="5">
-                            <uib-tab-heading>Tokens</uib-tab-heading>
-                            <tokensettings client="$ctrl.clientVal"></tokensettings>
-                        </uib-tab>
-
-                        <uib-tab index="6">
-                            <uib-tab-heading>Crypto</uib-tab-heading>
-                            <clientcryptosettings client="$ctrl.clientVal"></clientcryptosettings>
-                        </uib-tab>
-
-                        <uib-tab index="7">
-                            <uib-tab-heading>Other info</uib-tab-heading>
-                            <othersettings client="$ctrl.clientVal"></othersettings>
-                        </uib-tab>
-
-                        <uib-tab index="8" ng-hide="$ctrl.newClient">
-                            <uib-tab-heading>Owners</uib-tab-heading>
-                            <client-owners client="$ctrl.clientVal" client-owners="$ctrl.clientOwners"></client-owners>
-                        </uib-tab>
-                    </uib-tabset>
-                </form>
-                <div class="form-group">
-                    <button class="btn btn-success" ng-click="$ctrl.saveClient()">Save client</button>
-                    <button class="btn btn-danger" ng-click="$ctrl.deleteClient()" ng-if="!$ctrl.newClient">Delete
-                        client</button>
-                    <button class="btn btn-default" ng-click="$ctrl.resetVal()" ng-if="!$ctrl.newClient">Reset</button>
-                    <button class="btn btn-default" ng-click="$ctrl.cancel()">Cancel</button>
-                </div>
-            </section>
-        </div>
-    </section>
-
-
+<!--
+
+    Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<div>
+    <section class="content-header" ng-cloak>
+        <h1 style="display: inline;">
+            <i class="fa fa-rocket"></i>&nbsp;&nbsp; <span
+                ng-if="!$ctrl.newClient">{{$ctrl.clientVal.client_name}}</span>    
+            <span ng-if="$ctrl.newClient">Create a new client</span>
+        </h1>
+        <div class="label-danger label tool-tip" ng-mouseover="$ctrl.getClientStatusMessage()" 
+            style="vertical-align: text-top;" ng-if="!$ctrl.newClient && !$ctrl.clientVal.active">Suspended
+                <span class="tooltiptext">{{$ctrl.clientStatusMessage}}</span>
+        </div>
+        <ol class="breadcrumb hidden-xs" ng-if="!$ctrl.newClient">
+            <li><a ui-sref="clients" ui-sref-opts="{reload:true}"><i class="fa fa-rocket"></i> Clients</a> &gt;
+                {{$ctrl.client.client_name}}</li>
+        </ol>
+    </section>
+
+    <section class="content" ng-cloak>
+        <div class="row">
+            <section class="col-xs-12" ng-cloak>
+                <form name="clientForm" novalidate>
+                    <uib-tabset active="$ctrl.activeTab" class="nav-tabs-custom">
+                        <uib-tab index="1">
+                            <uib-tab-heading>Main</uib-tab-heading>
+                            <clientsettings client="$ctrl.clientVal"></clientsettings>
+                        </uib-tab>
+
+                        <uib-tab index="2">
+                            <uib-tab-heading>Credentials</uib-tab-heading>
+                            <clientauth client="$ctrl.clientVal" new-client="$ctrl.newClient" limited="false">
+                            </clientauth>
+                        </uib-tab>
+
+                        <uib-tab index="3">
+                            <uib-tab-heading>Scopes</uib-tab-heading>
+                            <scopelist client="$ctrl.clientVal" system-scopes="$ctrl.systemScopes" limited="false" />
+                        </uib-tab>
+
+                        <uib-tab index="4">
+                            <uib-tab-heading>Grant types</uib-tab-heading>
+                            <granttypelist client="$ctrl.clientVal" limited="false" />
+                        </uib-tab>
+
+                        <uib-tab index="5">
+                            <uib-tab-heading>Tokens</uib-tab-heading>
+                            <tokensettings client="$ctrl.clientVal"></tokensettings>
+                        </uib-tab>
+
+                        <uib-tab index="6">
+                            <uib-tab-heading>Crypto</uib-tab-heading>
+                            <clientcryptosettings client="$ctrl.clientVal"></clientcryptosettings>
+                        </uib-tab>
+
+                        <uib-tab index="7">
+                            <uib-tab-heading>Other info</uib-tab-heading>
+                            <othersettings client="$ctrl.clientVal"></othersettings>
+                        </uib-tab>
+
+                        <uib-tab index="8" ng-hide="$ctrl.newClient">
+                            <uib-tab-heading>Owners</uib-tab-heading>
+                            <client-owners client="$ctrl.clientVal" client-owners="$ctrl.clientOwners"></client-owners>
+                        </uib-tab>
+                    </uib-tabset>
+                </form>
+                <div class="form-group">
+                    <button class="btn btn-success" ng-click="$ctrl.saveClient()">Save client</button>
+                    <button class="btn btn-danger" ng-click="$ctrl.deleteClient()" ng-if="!$ctrl.newClient">Delete
+                        client</button>
+					<client-status client="$ctrl.clientVal" ng-if="!$ctrl.newClient"></client-status>	
+                    <button class="btn btn-default" ng-click="$ctrl.resetVal()" ng-if="!$ctrl.newClient">Reset</button>
+                    <button class="btn btn-default" ng-click="$ctrl.cancel()">Cancel</button>
+                </div>
+            </section>
+        </div>
+    </section>
+
+
 </div>
\ No newline at end of file
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.js
index 468092385..2084a890c 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.js
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.js
@@ -17,7 +17,7 @@
     'use strict';
 
 
-    function ClientController(ClientsService, toaster, $uibModal, $location) {
+    function ClientController(ClientsService, FindService, toaster, $uibModal, $location) {
         var self = this;
 
         self.resetVal = resetVal;
@@ -25,6 +25,7 @@
         self.loadClient = loadClient;
         self.deleteClient = deleteClient;
         self.cancel = cancel;
+        self.getClientStatusMessage = getClientStatusMessage;
 
         self.$onInit = function () {
             if (self.newClient) {
@@ -131,6 +132,22 @@
                 }
             });
         }
+
+        function getClientStatusMessage(){
+            FindService.findAccountByUuid(self.clientVal.status_changed_by).then(function(res){
+                self.clientStatusMessage = "Suspended by " + res.username + " on " + getFormatedDate(self.clientVal.status_changed_on);                                            
+            }).catch(function (res) {
+                console.debug("Error retrieving user account!", res);
+            });           
+        }
+
+        function getFormatedDate(dateToFormat){
+            var dateISOString = new Date(dateToFormat).toISOString();
+            var ymd = dateISOString.split('T')[0];
+            //Remove milliseconds
+            var time = dateISOString.split('T')[1].slice(0, -5);
+            return ymd + " " + time;
+        }
     }
 
     angular
@@ -147,7 +164,7 @@
                 newClient: '<',
                 clientOwners: '<'
             },
-            controller: ['ClientsService', 'toaster', '$uibModal', '$location', ClientController],
+            controller: ['ClientsService', 'FindService', 'toaster', '$uibModal', '$location', ClientController],
             controllerAs: '$ctrl'
         };
     }
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.html b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.html
new file mode 100644
index 000000000..f74d56e6d
--- /dev/null
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.html
@@ -0,0 +1,34 @@
+<!--
+
+    Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<!-- Disable client button -->
+<button class="btn btn-warning"
+    ng-if="$ctrl.client.active" 
+    ng-click="$ctrl.openDialog($root.loggedUser.me.id)"
+    name="disable-client-btn">
+    <i class="fa fa-ban"></i>
+    Disable Client
+</button>
+
+<!-- Enable client button -->
+<button class="btn btn-primary" 
+    ng-if="!$ctrl.client.active" 
+    ng-click="$ctrl.openDialog($root.loggedUser.me.id)"
+    name="enable-client-btn">
+    <i class="fa fa-power-off"></i>
+    Restore Client
+</button>
\ No newline at end of file
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.js
new file mode 100644
index 000000000..6cb82457f
--- /dev/null
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.js
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+(function() {
+  'use strict';
+
+  function ClientStatusController(toaster, ModalService, ClientsService) {
+    var self = this;
+
+    self.$onInit = function() {
+      self.enabled = true;
+    };
+
+    self.handleError = function(error) {
+      console.error(error);
+      self.enabled = true;
+    };
+
+    self.handleSuccess = function() {
+      self.enabled = true;
+      ClientsService.retrieveClient(self.client.client_id).then(function (client) {
+        console.debug("Loaded client", client);
+        self.client = client;
+        self.clientVal = angular.copy(self.client);
+        if (client.active) {
+          toaster.pop({
+            type: 'success',
+            body:
+                `Client '${client.client_name}' has been restored successfully.`
+          });
+        } else {
+          toaster.pop({
+            type: 'success',
+            body: `Client '${client.client_name}' is now disabled.`
+          });
+        }
+      }).catch(function (res) {
+          console.debug("Error retrieving client!", res);
+          toaster.pop({
+              type: 'error',
+              body: 'Error retrieving client!'
+          });
+      });
+    };
+
+    self.enableClient = function() {
+      return ClientsService.setClientActiveStatus(self.client.client_id, true, self.loggedUserId)
+          .then(self.handleSuccess)
+          .catch(self.handleError);
+    };
+
+    self.disableClient = function() {
+      return ClientsService.setClientActiveStatus(self.client.client_id, false, self.loggedUserId)
+          .then(self.handleSuccess)
+          .catch(self.handleError);
+    };
+
+
+    self.openDialog = function(loggedUserId) {
+
+      var modalOptions = null;
+      var updateStatusFunc = null;
+      self.loggedUserId = loggedUserId;
+
+      if (self.client.active) {
+        modalOptions = {
+          closeButtonText: 'Cancel',
+          actionButtonText: 'Disable client',
+          headerText: 'Disable ' + self.client.client_name,
+          bodyText:
+              `Are you sure you want to disable client '${self.client.client_name}'?`
+        };
+        updateStatusFunc = self.disableClient;
+
+      } else {
+        modalOptions = {
+          closeButtonText: 'Cancel',
+          actionButtonText: 'Restore client',
+          headerText: 'Restore ' + self.client.client_name,
+          bodyText:
+              `Are you sure you want to restore client '${self.client.client_name}'?`
+        };
+        updateStatusFunc = self.enableClient;
+      }
+
+      self.enable = false;
+      ModalService.showModal({}, modalOptions)
+          .then(function() { updateStatusFunc(); })
+          .catch(function() {
+              console.debug("Error updating client status!", res);
+          });
+    };
+  }
+
+  angular.module('dashboardApp').component('clientStatus', {
+    require: {clientCtrl: '^client'},
+    bindings: {client: '='},
+    templateUrl:
+        '/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.html',
+    controller: [
+      'toaster', 'ModalService', 'ClientsService', ClientStatusController
+    ]
+  });
+
+})();
\ No newline at end of file
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.html b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.html
index 83cdb6218..fb7426469 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.html
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.html
@@ -92,6 +92,10 @@
                                     </a>
                                 </div>
                                 <div class="text-muted">{{c.client_id}}</div>
+                                <div class="label-danger label tool-tip" ng-mouseover="$ctrl.getClientStatusMessage(c)" 
+                                    style="vertical-align: text-top;" ng-if="!c.active">Suspended
+                                        <span class="tooltiptext">{{$ctrl.clientStatusMessage}}</span>
+                                </div>
                             </td>
                             <td class="col-xs-1">
                                 <!-- Created -->
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.js
index bf893ccb2..50ad86daf 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.js
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.js
@@ -16,7 +16,7 @@
 (function () {
     'use strict';
 
-    function ClientsListController($filter, $uibModal, ClientsService, toaster) {
+    function ClientsListController($filter, $uibModal, ClientsService, FindService, toaster) {
         var self = this;
 
         self.searchFilter = '';
@@ -27,6 +27,7 @@
         self.onChangePage = onChangePage;
         self.deleteClient = deleteClient;
         self.clientTrackLastUsed = getClientTrackLastUsed();
+        self.getClientStatusMessage = getClientStatusMessage;
 
         self.$onInit = function () {
             console.debug('ClientsListController.self', self);
@@ -118,6 +119,22 @@
                 }
             });
         }
+
+        function getClientStatusMessage(client){
+            FindService.findAccountByUuid(client.status_changed_by).then(function(res){
+                self.clientStatusMessage = "Suspended by " + res.username + " on " + getFormatedDate(client.status_changed_on);                                            
+            }).catch(function (res) {
+                console.debug("Error retrieving user account!", res);
+            });           
+        }
+
+        function getFormatedDate(dateToFormat){
+            var dateISOString = new Date(dateToFormat).toISOString();
+            var ymd = dateISOString.split('T')[0];
+            //Remove milliseconds
+            var time = dateISOString.split('T')[1].slice(0, -5);
+            return ymd + " " + time;
+        }
     }
 
     angular
@@ -130,7 +147,7 @@
             bindings: {
                 clients: "<"
             },
-            controller: ['$filter', '$uibModal', 'ClientsService', 'toaster', ClientsListController],
+            controller: ['$filter', '$uibModal', 'ClientsService', 'FindService', 'toaster', ClientsListController],
             controllerAs: '$ctrl'
         };
     }
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.html b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.html
index 7bb427ae7..e2c89b4cf 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.html
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.html
@@ -48,19 +48,28 @@ <h1>
 							ng-repeat="client
                         in $ctrl.clients.Resources">
 							<div class="iam-detail col-xs-8 col-sm-8">
-								<a
+								<a ng-if="client.active"
 									ui-sref="myClient({id:
                                 client.client_id})">{{client.client_name}}</a>
+								<a ng-if="!client.active" style="cursor: not-allowed;">{{client.client_name}}</a>
 								<div class="text-muted">{{client.client_id}}</div>
+								<div class="label-danger label tool-tip" ng-mouseover="$ctrl.getClientStatusMessage(client)" 
+                                    style="vertical-align: text-top;" ng-if="!client.active">Suspended
+                                        <span class="tooltiptext">{{$ctrl.clientStatusMessage}}</span>
+                                </div>
 							</div>
 							<div class="iam-actions col-xs-4 col-sm-4 text-right">
-								<button class="btn btn-default btn-xs"
+								<button ng-if="client.active" class="btn btn-default btn-xs"
 									uib-tooltip="Edit client
                                 '{{client.client_name}}'"
 									ui-sref="myClient({id: client.client_id})">
 									<i class="fa
                             fa-pencil"></i>
 								</button>
+								<button ng-if="!client.active" class="btn btn-default btn-xs" 
+										style="cursor: not-allowed;">
+									<i class="fa fa-pencil"></i>
+								</button>
 								<button class="btn btn-danger btn-xs"
 									uib-tooltip="Delete client
                                 '{{client.client_name}}'"
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.js
index 3398f5b52..0e4fbaf35 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.js
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.js
@@ -16,12 +16,13 @@
 (function () {
     'use strict';
 
-    function MyClientsController(ClientRegistrationService, $uibModal, toaster) {
+    function MyClientsController(ClientRegistrationService, FindService, $uibModal, toaster) {
         var self = this;
 
         self.redeemClient = redeemClient;
         self.deleteClient = deleteClient;
         self.onChangePage = onChangePage;
+        self.getClientStatusMessage = getClientStatusMessage;
 
         self.$onInit = function () {
             console.debug('MyClientsController.self', self);
@@ -118,6 +119,22 @@
                 }
             });
         }
+
+        function getClientStatusMessage(client){
+            FindService.findAccountByUuid(client.status_changed_by).then(function(res){
+                self.clientStatusMessage = "Suspended by " + res.username + " on " + getFormatedDate(client.status_changed_on);                                            
+            }).catch(function (res) {
+                console.debug("Error retrieving user account!", res);
+            });           
+        }
+
+        function getFormatedDate(dateToFormat){
+            var dateISOString = new Date(dateToFormat).toISOString();
+            var ymd = dateISOString.split('T')[0];
+            //Remove milliseconds
+            var time = dateISOString.split('T')[1].slice(0, -5);
+            return ymd + " " + time;
+        }
     }
 
     angular
@@ -132,7 +149,7 @@
             bindings: {
                 clients: '<'
             },
-            controller: ['ClientRegistrationService', '$uibModal', 'toaster', MyClientsController],
+            controller: ['ClientRegistrationService', 'FindService', '$uibModal', 'toaster', MyClientsController],
             controllerAs: '$ctrl'
         };
     }
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/clients.service.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/clients.service.js
index 2511c7a91..4c02e5e8e 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/clients.service.js
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/clients.service.js
@@ -44,7 +44,8 @@
             assignClientOwner: assignClientOwner,
             removeClientOwner: removeClientOwner,
             newClient: newClient,
-            getClientList: getClientList
+            getClientList: getClientList,
+            setClientActiveStatus: setClientActiveStatus
         };
 
         return service;
@@ -175,5 +176,13 @@
             };
             return newClient;
         }
+
+        function setClientActiveStatus(clientId, isActive, userId){
+            return $http.patch(endpoint(clientId) + "/status", "{\"status\": "+ isActive + ",\"userId\":" + userId + "}", defaultRequestConfig).then(function (res) {
+                return res.data;
+            }).catch(function (res) {
+                return $q.reject(res);
+            });
+        }
     }
 })();
\ No newline at end of file
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/find.service.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/find.service.js
index 68d38f177..df4467610 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/find.service.js
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/find.service.js
@@ -26,7 +26,8 @@
     function FindService($q, $http) {
 
         var service = {
-            findUnsubscribedGroupsForAccount: findUnsubscribedGroupsForAccount
+            findUnsubscribedGroupsForAccount: findUnsubscribedGroupsForAccount,
+            findAccountByUuid: findAccountByUuid
         };
 
         return service;
@@ -46,5 +47,15 @@
                 return $q.reject(error);
             });
         }
+
+        function findAccountByUuid(accountUuid) {
+            var url = "/iam/account/find/byuuid/" + accountUuid;
+            return $http.get(url).then(function (result) {
+                return result.data;
+            }).catch(function (error) {
+                console.error("Error loading account details: ", error);
+                return $q.reject(error);
+            });
+        }
     }
 }());
\ No newline at end of file
diff --git a/iam-login-service/src/main/webapp/resources/iam/css/tooltip.css b/iam-login-service/src/main/webapp/resources/iam/css/tooltip.css
new file mode 100644
index 000000000..761d27879
--- /dev/null
+++ b/iam-login-service/src/main/webapp/resources/iam/css/tooltip.css
@@ -0,0 +1,49 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+.tool-tip {
+    position: relative;
+    display: inline-block;
+    border-bottom: 1px dotted black;
+  }
+  
+  .tool-tip .tooltiptext {
+    visibility: hidden;
+    background-color: black;
+    color: #fff;
+    text-align: center;
+    border-radius: 6px;
+    padding: 5px;
+    position: absolute;
+    z-index: 1;
+    top: -2px;
+    left: 110%;
+  }
+  
+  .tool-tip .tooltiptext::after {
+    content: "";
+    position: absolute;
+    top: 50%;
+    right: 100%;
+    margin-top: -5px;
+    border-width: 5px;
+    border-style: solid;
+    border-color: transparent black transparent transparent;
+  }
+  
+  .tool-tip:hover .tooltiptext {
+    visibility: visible;
+    opacity: 1;
+  }
\ No newline at end of file
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java
index f2c2982c1..c9b5fa582 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java
@@ -19,14 +19,18 @@
 import static it.infn.mw.iam.api.account.find.FindAccountController.FIND_BY_GROUP_RESOURCE;
 import static it.infn.mw.iam.api.account.find.FindAccountController.FIND_BY_LABEL_RESOURCE;
 import static it.infn.mw.iam.api.account.find.FindAccountController.FIND_BY_USERNAME_RESOURCE;
+import static it.infn.mw.iam.api.account.find.FindAccountController.FIND_BY_UUID_RESOURCE;
 import static it.infn.mw.iam.api.account.find.FindAccountController.FIND_NOT_IN_GROUP_RESOURCE;
 import static org.hamcrest.CoreMatchers.allOf;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.Matchers.emptyIterable;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 import java.util.function.Supplier;
 
@@ -39,6 +43,7 @@
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 
+import it.infn.mw.iam.api.common.error.NoSuchAccountError;
 import it.infn.mw.iam.core.group.IamGroupService;
 import it.infn.mw.iam.core.user.IamAccountService;
 import it.infn.mw.iam.persistence.model.IamAccount;
@@ -99,6 +104,7 @@ public void findingRequiresAuthenticatedUser() throws Exception {
     mvc.perform(get(FIND_BY_USERNAME_RESOURCE).param("username", "test")).andExpect(UNAUTHORIZED);
     mvc.perform(get(FIND_BY_GROUP_RESOURCE, TEST_001_GROUP_UUID)).andExpect(UNAUTHORIZED);
     mvc.perform(get(FIND_NOT_IN_GROUP_RESOURCE, TEST_001_GROUP_UUID)).andExpect(UNAUTHORIZED);
+    mvc.perform(get(FIND_BY_UUID_RESOURCE, TEST_USER_UUID)).andExpect(UNAUTHORIZED);
 
   }
 
@@ -290,4 +296,28 @@ public void findNotInGroupWorks() throws Exception {
       .andExpect(jsonPath("$.Resources[1].id", is("bffc67b7-47fe-410c-a6a0-cf00173a8fbb")));
   }
 
+  @Test
+  @WithMockUser(username = "test", roles = "USER")
+  public void findByUUIDWorks() throws Exception {
+
+    IamAccount testAccount = accountRepo.findByUuid(TEST_USER_UUID)
+      .orElseThrow(assertionError(EXPECTED_ACCOUNT_NOT_FOUND));
+
+    mvc.perform(get(FIND_BY_UUID_RESOURCE, testAccount.getUuid()))
+      .andExpect(OK)
+      .andExpect(jsonPath("$.id", is(testAccount.getId()), Long.class))
+      .andExpect(jsonPath("$.accountUuid", is(testAccount.getUuid())))
+      .andExpect(jsonPath("$.username", is(testAccount.getUsername())))
+      .andExpect(jsonPath("$.active", is(testAccount.isActive())));
+  }
+
+  @Test
+  @WithMockUser(username = "test", roles = "USER")
+  public void findByUUIDThorowsException() throws Exception {
+    mvc.perform(get(FIND_BY_UUID_RESOURCE, "unknown_uuid"))
+       .andExpect(status().isNotFound())
+       .andExpect(result -> assertTrue(result.getResolvedException() instanceof NoSuchAccountError))
+       .andExpect(result -> assertEquals("Account not found for id 'unknown_uuid'", result.getResolvedException().getMessage()));
+  }
+
 }
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java
index dac6229bf..757f778f9 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java
@@ -24,6 +24,7 @@
 import static org.springframework.http.MediaType.APPLICATION_JSON;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
@@ -292,4 +293,21 @@ public void negativeRefreshTokenLifetimesSetToInfinite() throws Exception {
       .andExpect(BAD_REQUEST)
       .andExpect(jsonPath("$.error", containsString("must be greater than or equal to 0")));
   }
+
+  @Test
+  @WithMockUser(username = "admin", roles = {"ADMIN", "USER"})
+  public void clientStatusUpdateWorks() throws Exception {
+
+   mvc.perform(get(ClientManagementAPIController.ENDPOINT + "/client"))
+      .andExpect(OK)
+      .andExpect(jsonPath("$.active").value(true));
+
+    mvc.perform(patch(ClientManagementAPIController.ENDPOINT + "/{clientId}/status", "client")
+    .content("{\"status\": false, \"userId\": userId}")
+    ).andExpect(OK);
+
+    mvc.perform(get(ClientManagementAPIController.ENDPOINT + "/client"))
+      .andExpect(OK)
+      .andExpect(jsonPath("$.active").value(false));
+  }
 }
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/client/registration/ClientRegistrationAPIControllerTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/client/registration/ClientRegistrationAPIControllerTests.java
index eb8ed59cd..69bcdcef5 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/client/registration/ClientRegistrationAPIControllerTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/client/registration/ClientRegistrationAPIControllerTests.java
@@ -105,6 +105,7 @@ public void registerClientWithNullValuesAndCheckDefaultValues()
       .andExpect(jsonPath("$.grant_types", hasItem("urn:ietf:params:oauth:grant-type:device_code")))
       .andExpect(jsonPath("$.token_endpoint_auth_method", is("client_secret_basic")))
       .andExpect(jsonPath("$.dynamically_registered", is(true)))
+      .andExpect(jsonPath("$.active", is(true)))
       .andExpect(jsonPath("$.registration_access_token").exists())
       .andExpect(jsonPath("$.allow_introspection").doesNotExist())
       .andExpect(jsonPath("$.access_token_validity_seconds").doesNotExist())
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/service/client/ClientManagementServiceTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/service/client/ClientManagementServiceTests.java
index 44b8cb335..1711e80da 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/service/client/ClientManagementServiceTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/service/client/ClientManagementServiceTests.java
@@ -28,11 +28,15 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.not;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.when;
 
 import java.text.ParseException;
+import java.time.Clock;
+import java.util.Date;
 
 import javax.validation.ConstraintViolationException;
 
@@ -85,6 +89,9 @@ public class ClientManagementServiceTests {
   @Autowired
   private IamAccountRepository accountRepo;
 
+  @Autowired
+  private Clock clock;
+
   private Authentication userAuth;
 
   private OAuth2Authentication ratAuth;
@@ -401,4 +408,13 @@ public void testCodeChallengeValidation() {
     }
   }
 
+  @Test
+  public void testClientStatusChange() {
+    managementService.updateClientStatus("client", false, "userUUID");
+    RegisteredClientDTO client = managementService.retrieveClientByClientId("client").get();
+
+    assertFalse(client.isActive());
+    assertTrue(client.getStatusChangedOn().equals(Date.from(clock.instant())));
+    assertEquals("userUUID", client.getStatusChangedBy());
+  }
 }
diff --git a/iam-persistence/src/main/resources/db/migration/h2/V103__add_active_and_status_changed_on_to_client_details.sql b/iam-persistence/src/main/resources/db/migration/h2/V103__add_active_and_status_changed_on_to_client_details.sql
new file mode 100644
index 000000000..85bc0c60f
--- /dev/null
+++ b/iam-persistence/src/main/resources/db/migration/h2/V103__add_active_and_status_changed_on_to_client_details.sql
@@ -0,0 +1,2 @@
+
+ALTER TABLE client_details ADD COLUMN (active BOOLEAN, status_changed_on TIMESTAMP, status_changed_by VARCHAR(36));
\ No newline at end of file
diff --git a/iam-persistence/src/main/resources/db/migration/mysql/V103__add_active_and_status_changed_on_to_client_details.sql b/iam-persistence/src/main/resources/db/migration/mysql/V103__add_active_and_status_changed_on_to_client_details.sql
new file mode 100644
index 000000000..c916edaf6
--- /dev/null
+++ b/iam-persistence/src/main/resources/db/migration/mysql/V103__add_active_and_status_changed_on_to_client_details.sql
@@ -0,0 +1,3 @@
+ALTER TABLE client_details ADD COLUMN (active BOOLEAN, 
+                                        status_changed_on TIMESTAMP DEFAULT '1970-01-01 00:00:01',
+                                        status_changed_by VARCHAR(36));
\ No newline at end of file
diff --git a/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql b/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql
index 0a2303505..8db60917a 100644
--- a/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql
+++ b/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql
@@ -1,32 +1,32 @@
 INSERT INTO client_details (id, client_id, client_secret, client_name, dynamically_registered,
   refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection,
-  token_endpoint_auth_method, require_auth_time, device_code_validity_seconds, created_at) VALUES
-  (1, 'client', 'secret', 'Test Client', false, null, 3600, 600, true, 'SECRET_BASIC',false, null, CURRENT_TIMESTAMP()),
-  (2, 'tasks-app', 'secret', 'Tasks App', false, null, 0, 0, true, 'SECRET_BASIC',false, null, CURRENT_TIMESTAMP()),
-  (3, 'post-client', 'secret', 'Post client', false, null, 3600,600, true, 'SECRET_POST',false, null, CURRENT_TIMESTAMP()),
-  (4, 'client-cred', 'secret', 'Client credentials', false, null, 3600, 600, true, 'SECRET_BASIC',false, null, CURRENT_TIMESTAMP()),
-  (5, 'password-grant', 'secret', 'Password grant client', false, null, 3600, 600, true, 'SECRET_BASIC',true, null, CURRENT_TIMESTAMP()),
-  (6, 'scim-client-ro', 'secret', 'SCIM client (read-only)', false, null, 3600, 600, true, 'SECRET_POST',false, 600, CURRENT_TIMESTAMP()),
-  (7, 'scim-client-rw', 'secret', 'SCIM client (read-write)', false, null, 3600, 600, true, 'SECRET_POST',false, 600, CURRENT_TIMESTAMP()),
-  (8, 'token-exchange-actor', 'secret', 'Token Exchange grant client actor', false, null, 3600, 600, true, 'SECRET_POST',false, null, CURRENT_TIMESTAMP()),
-  (9, 'token-exchange-subject', 'secret', 'Token Exchange grant client subject', false, null, 3600, 600, true, 'SECRET_POST',false, null, CURRENT_TIMESTAMP()),
-  (10, 'registration-client', 'secret', 'Registration service test client', false, null, 3600, 600, true, 'SECRET_POST',false, null, CURRENT_TIMESTAMP()),
-  (11, 'token-lookup-client', 'secret', 'Token lookup client', false, null, 3600, 600, true, 'SECRET_BASIC', false, null, CURRENT_TIMESTAMP()),
-  (12, 'device-code-client', 'secret', 'Device code client', false, null, 3600, 600, true, 'SECRET_BASIC', false, 600, CURRENT_TIMESTAMP()),
-  (13, 'implicit-flow-client', null, 'Implicit Flow client', false, null, 3600, 600, false, null, false, 600, CURRENT_TIMESTAMP()),
-  (14, 'public-dc-client', null, 'Public Device Code client', false, null, 3600, 600, false, null, false, 600, CURRENT_TIMESTAMP()),
-  (17, 'admin-client-ro', 'secret', 'Admin client (read-only)', false, null, 3600, 600, true, 'SECRET_POST',false, null, CURRENT_TIMESTAMP()),
-  (18, 'admin-client-rw', 'secret', 'Admin client (read-write)', false, null, 3600, 600, true, 'SECRET_POST',false, null, CURRENT_TIMESTAMP()),
-  (19, 'public-client', null, 'Public client', false, 3600, 3600, 600, true, 'NONE', false, null, CURRENT_TIMESTAMP());
+  token_endpoint_auth_method, require_auth_time, device_code_validity_seconds, created_at, active) VALUES
+  (1, 'client', 'secret', 'Test Client', false, null, 3600, 600, true, 'SECRET_BASIC',false, null, CURRENT_TIMESTAMP(), true),
+  (2, 'tasks-app', 'secret', 'Tasks App', false, null, 0, 0, true, 'SECRET_BASIC',false, null, CURRENT_TIMESTAMP(), true),
+  (3, 'post-client', 'secret', 'Post client', false, null, 3600,600, true, 'SECRET_POST',false, null, CURRENT_TIMESTAMP(), true),
+  (4, 'client-cred', 'secret', 'Client credentials', false, null, 3600, 600, true, 'SECRET_BASIC',false, null, CURRENT_TIMESTAMP(), true),
+  (5, 'password-grant', 'secret', 'Password grant client', false, null, 3600, 600, true, 'SECRET_BASIC',true, null, CURRENT_TIMESTAMP(), true),
+  (6, 'scim-client-ro', 'secret', 'SCIM client (read-only)', false, null, 3600, 600, true, 'SECRET_POST',false, 600, CURRENT_TIMESTAMP(), true),
+  (7, 'scim-client-rw', 'secret', 'SCIM client (read-write)', false, null, 3600, 600, true, 'SECRET_POST',false, 600, CURRENT_TIMESTAMP(), true),
+  (8, 'token-exchange-actor', 'secret', 'Token Exchange grant client actor', false, null, 3600, 600, true, 'SECRET_POST',false, null, CURRENT_TIMESTAMP(), true),
+  (9, 'token-exchange-subject', 'secret', 'Token Exchange grant client subject', false, null, 3600, 600, true, 'SECRET_POST',false, null, CURRENT_TIMESTAMP(), true),
+  (10, 'registration-client', 'secret', 'Registration service test client', false, null, 3600, 600, true, 'SECRET_POST',false, null, CURRENT_TIMESTAMP(), true),
+  (11, 'token-lookup-client', 'secret', 'Token lookup client', false, null, 3600, 600, true, 'SECRET_BASIC', false, null, CURRENT_TIMESTAMP(), true),
+  (12, 'device-code-client', 'secret', 'Device code client', false, null, 3600, 600, true, 'SECRET_BASIC', false, 600, CURRENT_TIMESTAMP(), true),
+  (13, 'implicit-flow-client', null, 'Implicit Flow client', false, null, 3600, 600, false, null, false, 600, CURRENT_TIMESTAMP(), true),
+  (14, 'public-dc-client', null, 'Public Device Code client', false, null, 3600, 600, false, null, false, 600, CURRENT_TIMESTAMP(), true),
+  (17, 'admin-client-ro', 'secret', 'Admin client (read-only)', false, null, 3600, 600, true, 'SECRET_POST',false, null, CURRENT_TIMESTAMP(), true),
+  (18, 'admin-client-rw', 'secret', 'Admin client (read-write)', false, null, 3600, 600, true, 'SECRET_POST',false, null, CURRENT_TIMESTAMP(), true),
+  (19, 'public-client', null, 'Public client', false, 3600, 3600, 600, true, 'NONE', false, null, CURRENT_TIMESTAMP(), true);
 
 INSERT INTO client_details (id, client_id, client_secret, client_name, dynamically_registered,
   refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection,
-  token_endpoint_auth_method, require_auth_time, token_endpoint_auth_signing_alg, jwks) VALUES
+  token_endpoint_auth_method, require_auth_time, token_endpoint_auth_signing_alg, jwks, active) VALUES
   (15, 'jwt-auth-client_secret_jwt', 'c8e9eed0-e6e4-4a66-b16e-6f37096356a7', 'JWT Bearer Auth Client (client_secret_jwt)', 
-  false, null, 3600, 600, true, 'SECRET_JWT', false, 'HS256', null),
+  false, null, 3600, 600, true, 'SECRET_JWT', false, 'HS256', null, true),
   (16, 'jwt-auth-private_key_jwt', 'secret', 'JWT Bearer Auth Client (private_key_jwt)', 
   false, null, 3600, 600, true,'PRIVATE_KEY', false, 'RS256',
-  '{"keys":[{"kty":"RSA","e":"AQAB","kid":"rsa1","n":"1y1CP181zqPNPlV1JDM7Xv0QnGswhSTHe8_XPZHxDTJkykpk_1BmgA3ovP62QRE2ORgsv5oSBI_Z_RaOc4Zx2FonjEJF2oBHtBjsAiF-pxGkM5ZPjFNgFTGp1yUUBjFDcEeIGCwPEyYSt93sQIP_0DRbViMUnpyn3xgM_a1dO5brEWR2n1Uqff1yA5NXfLS03qpl2dpH4HFY5-Zs4bvtJykpAOhoHuIQbz-hmxb9MZ3uTAwsx2HiyEJtz-suyTBHO3BM2o8UcCeyfa34ShPB8i86-sf78fOk2KeRIW1Bju3ANmdV3sxL0j29cesxKCZ06u2ZiGR3Srbft8EdLPzf-w"}]}');
+  '{"keys":[{"kty":"RSA","e":"AQAB","kid":"rsa1","n":"1y1CP181zqPNPlV1JDM7Xv0QnGswhSTHe8_XPZHxDTJkykpk_1BmgA3ovP62QRE2ORgsv5oSBI_Z_RaOc4Zx2FonjEJF2oBHtBjsAiF-pxGkM5ZPjFNgFTGp1yUUBjFDcEeIGCwPEyYSt93sQIP_0DRbViMUnpyn3xgM_a1dO5brEWR2n1Uqff1yA5NXfLS03qpl2dpH4HFY5-Zs4bvtJykpAOhoHuIQbz-hmxb9MZ3uTAwsx2HiyEJtz-suyTBHO3BM2o8UcCeyfa34ShPB8i86-sf78fOk2KeRIW1Bju3ANmdV3sxL0j29cesxKCZ06u2ZiGR3Srbft8EdLPzf-w"}]}', true);
 
 INSERT INTO client_scope (owner_id, scope) VALUES
   (1, 'openid'),
diff --git a/pom.xml b/pom.xml
index 79fcb5a7d..c0b7765ff 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,424 +1,428 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
-  <modelVersion>4.0.0</modelVersion>
-
-  <parent>
-    <groupId>org.springframework.boot</groupId>
-    <artifactId>spring-boot-starter-parent</artifactId>
-    <!-- Update this in sync with the spring-boot version below -->
-    <version>2.6.15</version>
-    <relativePath />
-    <!-- lookup parent from repository -->
-  </parent>
-
-  <groupId>it.infn.mw.iam-parent</groupId>
-  <artifactId>iam-parent</artifactId>
-  <version>1.9.0</version>
-  <packaging>pom</packaging>
-
-  <name>INDIGO Identity and Access Manager (IAM) - Parent POM</name>
-
-  <modules>
-    <module>iam-common</module>
-    <module>iam-persistence</module>
-    <module>iam-voms-aa</module>
-    <module>iam-login-service</module>
-    <module>iam-test-client</module>
-  </modules>
-
-  <distributionManagement>
-    <repository>
-      <id>cnaf-releases</id>
-      <name>CNAF releases</name>
-      <url>https://repo.cloud.cnaf.infn.it/repository/cnaf-releases/</url>
-    </repository>
-
-    <snapshotRepository>
-      <id>cnaf-snapshots</id>
-      <name>CNAF snapshots</name>
-      <url>https://repo.cloud.cnaf.infn.it/repository/cnaf-snapshots/</url>
-    </snapshotRepository>
-  </distributionManagement>
-
-  <properties>
-    <iam.image.tag>${project.version}-${git.commit.id.abbrev}</iam.image.tag>
-    
-    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-
-    <java.version>17</java.version>
-
-    <testcontainers.version>1.16.2</testcontainers.version>
-
-    <mitreid.version>1.3.6.cnaf-20240207</mitreid.version>
-    <spring-security-oauth2.version>2.5.2.RELEASE</spring-security-oauth2.version>
-
-    <voms.version>3.3.2</voms.version>
-    <spring-security-saml.version>1.0.10.RELEASE</spring-security-saml.version>
-
-    <!-- Update this in sync with the parent project version -->
-    <spring-boot.version>2.6.15</spring-boot.version>
-
-    <angularjs.version>1.6.1</angularjs.version>
-    <angular-ui-bootstrap.version>2.5.6</angular-ui-bootstrap.version>
-    <angular-ui-router.version>1.0.20</angular-ui-router.version>
-    <angular-ui-select.version>0.19.8</angular-ui-select.version>
-    <angular-sanitize.version>1.3.11</angular-sanitize.version>
-    <font-awesome.version>4.7.0</font-awesome.version>
-    <jquery.version>3.6.0</jquery.version>
-    <bootstrap.version>3.4.1</bootstrap.version>
-    <jquery-ui.version>1.13.2</jquery-ui.version>
-
-    <rest-assured.version>4.4.0</rest-assured.version>
-    <json-path.version>2.9.0</json-path.version>
-
-    <flyway.version>7.15.0</flyway.version>
-
-    <license-maven-plugin.version>3.0</license-maven-plugin.version>
-    <jacoco-plugin.version>0.8.7</jacoco-plugin.version>
-    <jib-maven-plugin.version>3.1.4</jib-maven-plugin.version>
-
-
-    <jsr250-api.version>1.0</jsr250-api.version>
-    <jakarta.xml.bind-api.version>2.3.2</jakarta.xml.bind-api.version>
-    <jaxb-runtime.version>2.3.2</jaxb-runtime.version>
-
-    <bouncycastle.version>1.58</bouncycastle.version>
-
-    <resource.delimiter>@</resource.delimiter>
-
-    <jvm.test.args>-Xmx2500m</jvm.test.args>
-    <sonar.coverage.exclusions>iam-persistence/**/*,iam-test-client/**/*,iam-test-protected-resource/**/*,iam-common/**</sonar.coverage.exclusions>
-  </properties>
-
-  <dependencyManagement>
-    <dependencies>
-
-      <dependency>
-        <groupId>org.testcontainers</groupId>
-        <artifactId>testcontainers</artifactId>
-        <version>${testcontainers.version}</version>
-        <scope>test</scope>
-      </dependency>
-
-      <dependency>
-        <groupId>org.testcontainers</groupId>
-        <artifactId>junit-jupiter</artifactId>
-        <version>${testcontainers.version}</version>
-        <scope>test</scope>
-      </dependency>
-
-      <dependency>
-        <groupId>org.testcontainers</groupId>
-        <artifactId>mysql</artifactId>
-        <version>${testcontainers.version}</version>
-        <scope>runtime</scope>
-      </dependency>
-
-      <dependency>
-        <groupId>org.testcontainers</groupId>
-        <artifactId>mariadb</artifactId>
-        <version>${testcontainers.version}</version>
-        <scope>runtime</scope>
-      </dependency>
-
-      <dependency>
-        <groupId>org.springframework.security.oauth</groupId>
-        <artifactId>spring-security-oauth2</artifactId>
-        <version>${spring-security-oauth2.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.webjars</groupId>
-        <artifactId>angularjs</artifactId>
-        <version>${angularjs.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.webjars.npm</groupId>
-        <artifactId>angular-ui-bootstrap</artifactId>
-        <version>${angular-ui-bootstrap.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.webjars</groupId>
-        <artifactId>angular-ui-router</artifactId>
-        <version>${angular-ui-router.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.webjars</groupId>
-        <artifactId>angular-sanitize</artifactId>
-        <version>${angular-sanitize.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.webjars</groupId>
-        <artifactId>angular-ui-select</artifactId>
-        <version>${angular-ui-select.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.webjars</groupId>
-        <artifactId>jquery</artifactId>
-        <version>${jquery.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.webjars</groupId>
-        <artifactId>jquery-ui</artifactId>
-        <version>${jquery-ui.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.webjars</groupId>
-        <artifactId>bootstrap</artifactId>
-        <version>${bootstrap.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.webjars</groupId>
-        <artifactId>font-awesome</artifactId>
-        <version>${font-awesome.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.italiangrid</groupId>
-        <artifactId>voms-api-java</artifactId>
-        <version>${voms.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.italiangrid</groupId>
-        <artifactId>voms-clients</artifactId>
-        <version>${voms.version}</version>
-      </dependency>
-
-      <!-- Mitre -->
-      <dependency>
-        <groupId>org.mitre</groupId>
-        <artifactId>openid-connect-common</artifactId>
-        <version>${mitreid.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.mitre</groupId>
-        <artifactId>openid-connect-server</artifactId>
-        <version>${mitreid.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.mitre</groupId>
-        <artifactId>openid-connect-client</artifactId>
-        <version>${mitreid.version}</version>
-      </dependency>
-
-      <!-- SAML -->
-
-      <dependency>
-        <groupId>org.bouncycastle</groupId>
-        <artifactId>bcpkix-jdk15on</artifactId>
-        <version>${bouncycastle.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.bouncycastle</groupId>
-        <artifactId>bcprov-jdk15on</artifactId>
-        <version>${bouncycastle.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>com.jayway.jsonpath</groupId>
-        <artifactId>json-path</artifactId>
-        <version>${json-path.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>io.rest-assured</groupId>
-        <artifactId>rest-assured</artifactId>
-        <version>${rest-assured.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.springframework.security.extensions</groupId>
-        <artifactId>spring-security-saml2-core</artifactId>
-        <version>${spring-security-saml.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.flywaydb</groupId>
-        <artifactId>flyway-core</artifactId>
-        <version>${flyway.version}</version>
-      </dependency>
-      
-      <!-- JSR APIs (for Java 11 compatibility) -->
-      <dependency>
-        <groupId>javax.annotation</groupId>
-        <artifactId>jsr250-api</artifactId>
-        <version>${jsr250-api.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>jakarta.xml.bind</groupId>
-        <artifactId>jakarta.xml.bind-api</artifactId>
-        <version>${jakarta.xml.bind-api.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.glassfish.jaxb</groupId>
-        <artifactId>jaxb-runtime</artifactId>
-        <version>${jaxb-runtime.version}</version>
-      </dependency>
-
-    </dependencies>
-
-  </dependencyManagement>
-
-  <repositories>
-    <repository>
-      <id>infn-cnaf</id>
-      <url>https://repo.cloud.cnaf.infn.it/repository/maven-public/</url>
-      <snapshots>
-        <enabled>true</enabled>
-      </snapshots>
-    </repository>
-  </repositories>
-
-  <build>
-    <pluginManagement>
-      <plugins>
-        <plugin>
-          <groupId>com.mycila</groupId>
-          <artifactId>license-maven-plugin</artifactId>
-          <version>${license-maven-plugin.version}</version>
-        </plugin>
-        <plugin>
-          <groupId>com.google.cloud.tools</groupId>
-          <artifactId>jib-maven-plugin</artifactId>
-          <version>${jib-maven-plugin.version}</version>
-        </plugin>
-      </plugins>
-    </pluginManagement>
-    <plugins>
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-enforcer-plugin</artifactId>
-        <executions>
-          <execution>
-            <id>enforce-maven</id>
-            <goals>
-              <goal>enforce</goal>
-            </goals>
-            <configuration>
-              <rules>
-                <requireJavaVersion>
-                  <version>17</version>
-                </requireJavaVersion>
-                <requireMavenVersion>
-                  <version>3.6.0</version>
-                </requireMavenVersion>
-              </rules>
-            </configuration>
-          </execution>
-        </executions>
-      </plugin>
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-source-plugin</artifactId>
-        <executions>
-          <execution>
-            <id>attach-sources</id>
-            <goals>
-              <goal>jar-no-fork</goal>
-            </goals>
-          </execution>
-        </executions>
-      </plugin>
-
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-eclipse-plugin</artifactId>
-        <version>2.9</version>
-        <configuration>
-          <useProjectReferences>false</useProjectReferences>
-          <downloadSources>true</downloadSources>
-          <downloadJavadocs>true</downloadJavadocs>
-        </configuration>
-      </plugin>
-
-
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-war-plugin</artifactId>
-        <configuration>
-          <failOnMissingWebXml>false</failOnMissingWebXml>
-          <archive>
-            <manifest>
-              <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
-              <addDefaultSpecificationEntries>true</addDefaultSpecificationEntries>
-            </manifest>
-          </archive>
-        </configuration>
-      </plugin>
-
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-surefire-plugin</artifactId>
-        <configuration>
-          <runOrder>alphabetical</runOrder>
-          <useSystemClassLoader>false</useSystemClassLoader>
-          <includes>
-            <include>**/*Tests.java</include>
-          </includes>
-          <excludes>
-            <exclude>**/Abstract*.java</exclude>
-          </excludes>
-          <systemPropertyVariables>
-            <java.security.egd>file:/dev/./urandom</java.security.egd>
-            <java.awt.headless>true</java.awt.headless>
-          </systemPropertyVariables>
-          <argLine>${jvm.test.args}</argLine>
-        </configuration>
-      </plugin>
-
-      <plugin>
-        <groupId>pl.project13.maven</groupId>
-        <artifactId>git-commit-id-plugin</artifactId>
-        <executions>
-          <execution>
-            <goals>
-              <goal>revision</goal>
-            </goals>
-          </execution>
-        </executions>
-        <configuration>
-          <verbose>false</verbose>
-          <failOnNoGitDirectory>false</failOnNoGitDirectory>
-          <dateFormat>yyyy-MM-dd'T'HH:mm:ssZ</dateFormat>
-          <generateGitPropertiesFile>true</generateGitPropertiesFile>
-          <generateGitPropertiesFilename>${project.build.outputDirectory}/git.properties</generateGitPropertiesFilename>
-        </configuration>
-      </plugin>
-
-      <plugin>
-        <groupId>org.jacoco</groupId>
-        <artifactId>jacoco-maven-plugin</artifactId>
-        <version>${jacoco-plugin.version}</version>
-        <executions>
-          <execution>
-            <goals>
-              <goal>prepare-agent</goal>
-            </goals>
-          </execution>
-          <execution>
-            <id>report</id>
-            <phase>prepare-package</phase>
-            <goals>
-              <goal>report</goal>
-            </goals>
-          </execution>
-        </executions>
-      </plugin>
-    </plugins>
-  </build>
-</project>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<!-- Update this in sync with the spring-boot version below -->
+		<version>2.6.15</version>
+		<relativePath />
+		<!-- lookup parent from repository -->
+	</parent>
+
+	<groupId>it.infn.mw.iam-parent</groupId>
+	<artifactId>iam-parent</artifactId>
+	<version>1.9.0</version>
+	<packaging>pom</packaging>
+
+	<name>INDIGO Identity and Access Manager (IAM) - Parent POM</name>
+
+	<modules>
+		<module>iam-common</module>
+		<module>iam-persistence</module>
+		<module>iam-voms-aa</module>
+		<module>iam-login-service</module>
+		<module>iam-test-client</module>
+	</modules>
+
+	<distributionManagement>
+		<repository>
+			<id>cnaf-releases</id>
+			<name>CNAF releases</name>
+			<url>https://repo.cloud.cnaf.infn.it/repository/cnaf-releases/</url>
+		</repository>
+
+		<snapshotRepository>
+			<id>cnaf-snapshots</id>
+			<name>CNAF snapshots</name>
+			<url>https://repo.cloud.cnaf.infn.it/repository/cnaf-snapshots/</url>
+		</snapshotRepository>
+	</distributionManagement>
+
+	<properties>
+		<iam.image.tag>${project.version}-${git.commit.id.abbrev}</iam.image.tag>
+
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+
+		<java.version>17</java.version>
+
+		<testcontainers.version>1.16.2</testcontainers.version>
+
+		<mitreid.version>1.3.6.cnaf-20240414</mitreid.version>
+		<spring-security-oauth2.version>2.5.2.RELEASE</spring-security-oauth2.version>
+
+		<voms.version>3.3.2</voms.version>
+		<spring-security-saml.version>1.0.10.RELEASE</spring-security-saml.version>
+
+		<!-- Update this in sync with the parent project version -->
+		<spring-boot.version>2.6.15</spring-boot.version>
+
+		<angularjs.version>1.6.1</angularjs.version>
+		<angular-ui-bootstrap.version>2.5.6</angular-ui-bootstrap.version>
+		<angular-ui-router.version>1.0.20</angular-ui-router.version>
+		<angular-ui-select.version>0.19.8</angular-ui-select.version>
+		<angular-sanitize.version>1.3.11</angular-sanitize.version>
+		<font-awesome.version>4.7.0</font-awesome.version>
+		<jquery.version>3.6.0</jquery.version>
+		<bootstrap.version>3.4.1</bootstrap.version>
+		<jquery-ui.version>1.13.2</jquery-ui.version>
+
+		<rest-assured.version>4.4.0</rest-assured.version>
+		<json-path.version>2.9.0</json-path.version>
+
+		<flyway.version>7.15.0</flyway.version>
+
+		<license-maven-plugin.version>3.0</license-maven-plugin.version>
+		<jacoco-plugin.version>0.8.7</jacoco-plugin.version>
+		<jib-maven-plugin.version>3.1.4</jib-maven-plugin.version>
+
+
+		<jsr250-api.version>1.0</jsr250-api.version>
+		<jakarta.xml.bind-api.version>2.3.2</jakarta.xml.bind-api.version>
+		<jaxb-runtime.version>2.3.2</jaxb-runtime.version>
+
+		<bouncycastle.version>1.58</bouncycastle.version>
+
+		<resource.delimiter>@</resource.delimiter>
+
+		<jvm.test.args>-Xmx2500m</jvm.test.args>
+		<sonar.coverage.exclusions>
+			iam-persistence/**/*,iam-test-client/**/*,iam-test-protected-resource/**/*,iam-common/**</sonar.coverage.exclusions>
+	</properties>
+
+	<dependencyManagement>
+		<dependencies>
+
+			<dependency>
+				<groupId>org.testcontainers</groupId>
+				<artifactId>testcontainers</artifactId>
+				<version>${testcontainers.version}</version>
+				<scope>test</scope>
+			</dependency>
+
+			<dependency>
+				<groupId>org.testcontainers</groupId>
+				<artifactId>junit-jupiter</artifactId>
+				<version>${testcontainers.version}</version>
+				<scope>test</scope>
+			</dependency>
+
+			<dependency>
+				<groupId>org.testcontainers</groupId>
+				<artifactId>mysql</artifactId>
+				<version>${testcontainers.version}</version>
+				<scope>runtime</scope>
+			</dependency>
+
+			<dependency>
+				<groupId>org.testcontainers</groupId>
+				<artifactId>mariadb</artifactId>
+				<version>${testcontainers.version}</version>
+				<scope>runtime</scope>
+			</dependency>
+
+			<dependency>
+				<groupId>org.springframework.security.oauth</groupId>
+				<artifactId>spring-security-oauth2</artifactId>
+				<version>${spring-security-oauth2.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.webjars</groupId>
+				<artifactId>angularjs</artifactId>
+				<version>${angularjs.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.webjars.npm</groupId>
+				<artifactId>angular-ui-bootstrap</artifactId>
+				<version>${angular-ui-bootstrap.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.webjars</groupId>
+				<artifactId>angular-ui-router</artifactId>
+				<version>${angular-ui-router.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.webjars</groupId>
+				<artifactId>angular-sanitize</artifactId>
+				<version>${angular-sanitize.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.webjars</groupId>
+				<artifactId>angular-ui-select</artifactId>
+				<version>${angular-ui-select.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.webjars</groupId>
+				<artifactId>jquery</artifactId>
+				<version>${jquery.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.webjars</groupId>
+				<artifactId>jquery-ui</artifactId>
+				<version>${jquery-ui.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.webjars</groupId>
+				<artifactId>bootstrap</artifactId>
+				<version>${bootstrap.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.webjars</groupId>
+				<artifactId>font-awesome</artifactId>
+				<version>${font-awesome.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.italiangrid</groupId>
+				<artifactId>voms-api-java</artifactId>
+				<version>${voms.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.italiangrid</groupId>
+				<artifactId>voms-clients</artifactId>
+				<version>${voms.version}</version>
+			</dependency>
+
+			<!-- Mitre -->
+			<dependency>
+				<groupId>org.mitre</groupId>
+				<artifactId>openid-connect-common</artifactId>
+				<version>${mitreid.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.mitre</groupId>
+				<artifactId>openid-connect-server</artifactId>
+				<version>${mitreid.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.mitre</groupId>
+				<artifactId>openid-connect-client</artifactId>
+				<version>${mitreid.version}</version>
+			</dependency>
+
+			<!-- SAML -->
+
+			<dependency>
+				<groupId>org.bouncycastle</groupId>
+				<artifactId>bcpkix-jdk15on</artifactId>
+				<version>${bouncycastle.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.bouncycastle</groupId>
+				<artifactId>bcprov-jdk15on</artifactId>
+				<version>${bouncycastle.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>com.jayway.jsonpath</groupId>
+				<artifactId>json-path</artifactId>
+				<version>${json-path.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>io.rest-assured</groupId>
+				<artifactId>rest-assured</artifactId>
+				<version>${rest-assured.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.springframework.security.extensions</groupId>
+				<artifactId>spring-security-saml2-core</artifactId>
+				<version>${spring-security-saml.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.flywaydb</groupId>
+				<artifactId>flyway-core</artifactId>
+				<version>${flyway.version}</version>
+			</dependency>
+
+			<!-- JSR APIs (for Java 11 compatibility) -->
+			<dependency>
+				<groupId>javax.annotation</groupId>
+				<artifactId>jsr250-api</artifactId>
+				<version>${jsr250-api.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>jakarta.xml.bind</groupId>
+				<artifactId>jakarta.xml.bind-api</artifactId>
+				<version>${jakarta.xml.bind-api.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.glassfish.jaxb</groupId>
+				<artifactId>jaxb-runtime</artifactId>
+				<version>${jaxb-runtime.version}</version>
+			</dependency>
+
+		</dependencies>
+
+	</dependencyManagement>
+
+	<repositories>
+		<repository>
+			<id>infn-cnaf</id>
+			<url>https://repo.cloud.cnaf.infn.it/repository/maven-public/</url>
+			<snapshots>
+				<enabled>true</enabled>
+			</snapshots>
+		</repository>
+	</repositories>
+
+	<build>
+		<pluginManagement>
+			<plugins>
+				<plugin>
+					<groupId>com.mycila</groupId>
+					<artifactId>license-maven-plugin</artifactId>
+					<version>${license-maven-plugin.version}</version>
+				</plugin>
+				<plugin>
+					<groupId>com.google.cloud.tools</groupId>
+					<artifactId>jib-maven-plugin</artifactId>
+					<version>${jib-maven-plugin.version}</version>
+				</plugin>
+			</plugins>
+		</pluginManagement>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-enforcer-plugin</artifactId>
+				<executions>
+					<execution>
+						<id>enforce-maven</id>
+						<goals>
+							<goal>enforce</goal>
+						</goals>
+						<configuration>
+							<rules>
+								<requireJavaVersion>
+									<version>17</version>
+								</requireJavaVersion>
+								<requireMavenVersion>
+									<version>3.6.0</version>
+								</requireMavenVersion>
+							</rules>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-source-plugin</artifactId>
+				<executions>
+					<execution>
+						<id>attach-sources</id>
+						<goals>
+							<goal>jar-no-fork</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-eclipse-plugin</artifactId>
+				<version>2.9</version>
+				<configuration>
+					<useProjectReferences>false</useProjectReferences>
+					<downloadSources>true</downloadSources>
+					<downloadJavadocs>true</downloadJavadocs>
+				</configuration>
+			</plugin>
+
+
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-war-plugin</artifactId>
+				<configuration>
+					<failOnMissingWebXml>false</failOnMissingWebXml>
+					<archive>
+						<manifest>
+							<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+							<addDefaultSpecificationEntries>true</addDefaultSpecificationEntries>
+						</manifest>
+					</archive>
+				</configuration>
+			</plugin>
+
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-surefire-plugin</artifactId>
+				<configuration>
+					<runOrder>alphabetical</runOrder>
+					<useSystemClassLoader>false</useSystemClassLoader>
+					<includes>
+						<include>**/*Tests.java</include>
+					</includes>
+					<excludes>
+						<exclude>**/Abstract*.java</exclude>
+					</excludes>
+					<systemPropertyVariables>
+						<java.security.egd>file:/dev/./urandom</java.security.egd>
+						<java.awt.headless>true</java.awt.headless>
+					</systemPropertyVariables>
+					<argLine>${jvm.test.args}</argLine>
+				</configuration>
+			</plugin>
+
+			<plugin>
+				<groupId>pl.project13.maven</groupId>
+				<artifactId>git-commit-id-plugin</artifactId>
+				<executions>
+					<execution>
+						<goals>
+							<goal>revision</goal>
+						</goals>
+					</execution>
+				</executions>
+				<configuration>
+					<verbose>false</verbose>
+					<failOnNoGitDirectory>false</failOnNoGitDirectory>
+					<dateFormat>yyyy-MM-dd'T'HH:mm:ssZ</dateFormat>
+					<generateGitPropertiesFile>true</generateGitPropertiesFile>
+					<generateGitPropertiesFilename>
+						${project.build.outputDirectory}/git.properties</generateGitPropertiesFilename>
+				</configuration>
+			</plugin>
+
+			<plugin>
+				<groupId>org.jacoco</groupId>
+				<artifactId>jacoco-maven-plugin</artifactId>
+				<version>${jacoco-plugin.version}</version>
+				<executions>
+					<execution>
+						<goals>
+							<goal>prepare-agent</goal>
+						</goals>
+					</execution>
+					<execution>
+						<id>report</id>
+						<phase>prepare-package</phase>
+						<goals>
+							<goal>report</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+</project>
\ No newline at end of file

From 95a8c19dd2032e3424139ff6670de3c30d112206 Mon Sep 17 00:00:00 2001
From: Manoj Garai <manoj.garai@stfc.ac.uk>
Date: Mon, 15 Apr 2024 13:38:58 +0100
Subject: [PATCH 02/12] Make fields available for limited client view

---
 .../common/client/RegisteredClientDTO.java    | 92 +++++++++----------
 1 file changed, 46 insertions(+), 46 deletions(-)

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/common/client/RegisteredClientDTO.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/common/client/RegisteredClientDTO.java
index 79c267a0f..be2a5fb9f 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/common/client/RegisteredClientDTO.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/common/client/RegisteredClientDTO.java
@@ -1,21 +1,21 @@
-/**
- * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package it.infn.mw.iam.api.common.client;
 
-import java.time.LocalDate;
+import java.time.LocalDate;
 import java.util.Date;
 import java.util.Set;
 
@@ -28,9 +28,9 @@
 import javax.validation.constraints.Pattern;
 import javax.validation.constraints.Size;
 
-import org.hibernate.validator.constraints.URL;
-
-import com.fasterxml.jackson.annotation.JsonFormat;
+import org.hibernate.validator.constraints.URL;
+
+import com.fasterxml.jackson.annotation.JsonFormat;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonView;
 import com.fasterxml.jackson.databind.PropertyNamingStrategies;
@@ -163,20 +163,20 @@ public class RegisteredClientDTO {
       ClientViews.DynamicRegistration.class})
   private TokenEndpointAuthenticationMethod tokenEndpointAuthMethod;
 
-  @Valid
-  @Size(max = 512,
-      groups = {OnDynamicClientRegistration.class, OnDynamicClientUpdate.class,
-          OnClientCreation.class, OnClientUpdate.class})
-  @JsonSerialize(using = CollectionAsStringSerializer.class)
-  @JsonDeserialize(using = StringAsSetOfStringsDeserializer.class)
-  @JsonView({ClientViews.Limited.class, ClientViews.Full.class, ClientViews.ClientManagement.class,
-      ClientViews.DynamicRegistration.class})
-  private Set<@NotBlank(groups = {OnDynamicClientRegistration.class, OnDynamicClientUpdate.class,
-      OnClientCreation.class, OnClientUpdate.class},
-      message = "must not include blank strings") @Size(min = 1, max = 2048,
-          message = "string size must be between 1 and 2048",
-          groups = {OnDynamicClientRegistration.class, OnDynamicClientUpdate.class,
-              OnClientCreation.class, OnClientUpdate.class}) String> scope =
+  @Valid
+  @Size(max = 512,
+      groups = {OnDynamicClientRegistration.class, OnDynamicClientUpdate.class,
+          OnClientCreation.class, OnClientUpdate.class})
+  @JsonSerialize(using = CollectionAsStringSerializer.class)
+  @JsonDeserialize(using = StringAsSetOfStringsDeserializer.class)
+  @JsonView({ClientViews.Limited.class, ClientViews.Full.class, ClientViews.ClientManagement.class,
+      ClientViews.DynamicRegistration.class})
+  private Set<@NotBlank(groups = {OnDynamicClientRegistration.class, OnDynamicClientUpdate.class,
+      OnClientCreation.class, OnClientUpdate.class},
+      message = "must not include blank strings") @Size(min = 1, max = 2048,
+          message = "string size must be between 1 and 2048",
+          groups = {OnDynamicClientRegistration.class, OnDynamicClientUpdate.class,
+              OnClientCreation.class, OnClientUpdate.class}) String> scope =
           Sets.newHashSet();
 
   @Min(value = 0, groups = OnClientCreation.class)
@@ -256,17 +256,17 @@ public class RegisteredClientDTO {
           OnDynamicClientUpdate.class})
   private String codeChallengeMethod;
 
-  @JsonView({ClientViews.Full.class, ClientViews.ClientManagement.class,
+  @JsonView({ClientViews.Limited.class, ClientViews.Full.class, ClientViews.ClientManagement.class,
       ClientViews.DynamicRegistration.class})
   private boolean active;
 
-  @JsonView({ClientViews.Full.class, ClientViews.ClientManagement.class,
+  @JsonView({ClientViews.Limited.class, ClientViews.Full.class, ClientViews.ClientManagement.class,
       ClientViews.DynamicRegistration.class})
   private Date statusChangedOn;
-
-  @JsonView({ClientViews.Limited.class, ClientViews.Full.class, ClientViews.ClientManagement.class,
-    ClientViews.DynamicRegistration.class})
-  private String statusChangedBy;
+
+  @JsonView({ClientViews.Limited.class, ClientViews.Full.class, ClientViews.ClientManagement.class,
+    ClientViews.DynamicRegistration.class})
+  private String statusChangedBy;
 
   public String getClientId() {
     return clientId;
@@ -540,12 +540,12 @@ public Date getStatusChangedOn() {
   public void setStatusChangedOn(Date statusChangedOn) {
     this.statusChangedOn = statusChangedOn;
   }
-
-  public void setStatusChangedBy(String statusChangedBy) {
-    this.statusChangedBy = statusChangedBy;
-  }
-
-  public String getStatusChangedBy() {
-    return statusChangedBy;
+
+  public void setStatusChangedBy(String statusChangedBy) {
+    this.statusChangedBy = statusChangedBy;
+  }
+
+  public String getStatusChangedBy() {
+    return statusChangedBy;
   }
 }
\ No newline at end of file

From ba51133ac1b082db066a0c289e5ecf9cb8c88c20 Mon Sep 17 00:00:00 2001
From: Manoj Garai <manoj.garai@stfc.ac.uk>
Date: Mon, 22 Apr 2024 12:27:01 +0100
Subject: [PATCH 03/12] Throw exception on update of suspended client

---
 .../iam/api/client/error/ClientSuspended.java | 26 +++++++++
 .../DefaultClientRegistrationService.java     | 58 ++++++++++---------
 2 files changed, 57 insertions(+), 27 deletions(-)
 create mode 100644 iam-login-service/src/main/java/it/infn/mw/iam/api/client/error/ClientSuspended.java

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/error/ClientSuspended.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/error/ClientSuspended.java
new file mode 100644
index 000000000..283e41d28
--- /dev/null
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/error/ClientSuspended.java
@@ -0,0 +1,26 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.api.client.error;
+
+public class ClientSuspended extends RuntimeException {
+
+  private static final long serialVersionUID = 1L;
+
+  public ClientSuspended(String message) {
+    super(message);
+  }
+
+}
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
index 6ef380583..a79ab9af2 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
@@ -48,6 +48,7 @@
 
 import it.infn.mw.iam.api.account.AccountUtils;
 import it.infn.mw.iam.api.client.error.InvalidClientRegistrationRequest;
+import it.infn.mw.iam.api.client.error.ClientSuspended;
 import it.infn.mw.iam.api.client.registration.validation.OnDynamicClientRegistration;
 import it.infn.mw.iam.api.client.registration.validation.OnDynamicClientUpdate;
 import it.infn.mw.iam.api.client.service.ClientConverter;
@@ -398,33 +399,36 @@ public RegisteredClientDTO updateClient(String clientId, RegisteredClientDTO req
 
     checkAllowedGrantTypesOnUpdate(request, authentication, oldClient);
     cleanupRequestedScopesOnUpdate(request, authentication, oldClient);
-
-    ClientDetailsEntity newClient = converter.entityFromRegistrationRequest(request);
-    newClient.setId(oldClient.getId());
-    newClient.setClientSecret(oldClient.getClientSecret());
-    newClient.setAccessTokenValiditySeconds(oldClient.getAccessTokenValiditySeconds());
-    newClient.setIdTokenValiditySeconds(oldClient.getIdTokenValiditySeconds());
-    newClient.setRefreshTokenValiditySeconds(oldClient.getRefreshTokenValiditySeconds());
-    newClient.setDeviceCodeValiditySeconds(oldClient.getDeviceCodeValiditySeconds());
-    newClient.setDynamicallyRegistered(true);
-    newClient.setAllowIntrospection(oldClient.isAllowIntrospection());
-    newClient.setAuthorities(oldClient.getAuthorities());
-    newClient.setCreatedAt(oldClient.getCreatedAt());
-    newClient.setReuseRefreshToken(oldClient.isReuseRefreshToken());
-    newClient.setActive(oldClient.isActive());
-
-    ClientDetailsEntity savedClient = clientService.updateClient(newClient);
-
-    eventPublisher.publishEvent(new ClientUpdatedEvent(this, savedClient));
-
-    RegisteredClientDTO response = converter.registrationResponseFromClient(savedClient);
-
-    maybeUpdateRegistrationAccessToken(savedClient, authentication).ifPresent(t -> {
-      eventPublisher.publishEvent(new ClientRegistrationAccessTokenRotatedEvent(this, savedClient));
-      response.setRegistrationAccessToken(t);
-    });
-
-    return response;
+    if(oldClient.isActive()){    
+      ClientDetailsEntity newClient = converter.entityFromRegistrationRequest(request);
+      newClient.setId(oldClient.getId());
+      newClient.setClientSecret(oldClient.getClientSecret());
+      newClient.setAccessTokenValiditySeconds(oldClient.getAccessTokenValiditySeconds());
+      newClient.setIdTokenValiditySeconds(oldClient.getIdTokenValiditySeconds());
+      newClient.setRefreshTokenValiditySeconds(oldClient.getRefreshTokenValiditySeconds());
+      newClient.setDeviceCodeValiditySeconds(oldClient.getDeviceCodeValiditySeconds());
+      newClient.setDynamicallyRegistered(true);
+      newClient.setAllowIntrospection(oldClient.isAllowIntrospection());
+      newClient.setAuthorities(oldClient.getAuthorities());
+      newClient.setCreatedAt(oldClient.getCreatedAt());
+      newClient.setReuseRefreshToken(oldClient.isReuseRefreshToken());
+      newClient.setActive(oldClient.isActive());
+
+      ClientDetailsEntity savedClient = clientService.updateClient(newClient);
+
+      eventPublisher.publishEvent(new ClientUpdatedEvent(this, savedClient));
+
+      RegisteredClientDTO response = converter.registrationResponseFromClient(savedClient);
+
+      maybeUpdateRegistrationAccessToken(savedClient, authentication).ifPresent(t -> {
+        eventPublisher.publishEvent(new ClientRegistrationAccessTokenRotatedEvent(this, savedClient));
+        response.setRegistrationAccessToken(t);
+      });
+      return response;
+  } else {
+    throw new ClientSuspended("Client " + clientId + " is suspended!");
+  }
+    
   }
 
   @Override

From 50627021b9731cad107a53afadb45a088a9f606e Mon Sep 17 00:00:00 2001
From: Manoj Garai <manoj.garai@stfc.ac.uk>
Date: Mon, 22 Apr 2024 16:38:14 +0100
Subject: [PATCH 04/12] Handle client suspended exception

---
 .../registration/ClientRegistrationApiController.java      | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/ClientRegistrationApiController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/ClientRegistrationApiController.java
index aaece937b..5f1b1e210 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/ClientRegistrationApiController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/ClientRegistrationApiController.java
@@ -40,6 +40,7 @@
 
 import com.fasterxml.jackson.annotation.JsonView;
 
+import it.infn.mw.iam.api.client.error.ClientSuspended;
 import it.infn.mw.iam.api.client.error.InvalidClientRegistrationRequest;
 import it.infn.mw.iam.api.client.error.NoSuchClient;
 import it.infn.mw.iam.api.client.registration.service.ClientRegistrationService;
@@ -119,6 +120,12 @@ public ErrorDTO noSuchClient(HttpServletRequest req, Exception ex) {
     return ErrorDTO.fromString(ex.getMessage());
   }
 
+  @ResponseStatus(value = HttpStatus.BAD_REQUEST)
+  @ExceptionHandler(ClientSuspended.class)
+  public ErrorDTO clientSuspended(HttpServletRequest req, Exception ex) {
+    return ErrorDTO.fromString(ex.getMessage());
+  }
+
   @ResponseStatus(value = HttpStatus.BAD_REQUEST)
   @ExceptionHandler(InvalidClientRegistrationRequest.class)
   public ErrorDTO invalidRequest(HttpServletRequest req, Exception ex) {

From 2f730247ca651e91e349a9677be2797490c3e448 Mon Sep 17 00:00:00 2001
From: Manoj Garai <manoj.garai@stfc.ac.uk>
Date: Fri, 10 May 2024 09:44:19 +0100
Subject: [PATCH 05/12] Remove duplicate code using responseFromOptional method

---
 .../find/DefaultFindAccountService.java       | 20 +++++++------------
 .../api/account/find/FindAccountService.java  |  5 +----
 .../it/infn/mw/iam/api/utils/FindUtils.java   |  8 ++++++--
 3 files changed, 14 insertions(+), 19 deletions(-)

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/DefaultFindAccountService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/DefaultFindAccountService.java
index db350a3c5..e2b4fde80 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/DefaultFindAccountService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/DefaultFindAccountService.java
@@ -16,6 +16,7 @@
 package it.infn.mw.iam.api.account.find;
 
 import static it.infn.mw.iam.api.utils.FindUtils.responseFromPage;
+import static it.infn.mw.iam.api.utils.FindUtils.responseFromOptional;
 
 import java.util.Optional;
 import java.util.function.Supplier;
@@ -28,7 +29,6 @@
 import it.infn.mw.iam.api.scim.converter.UserConverter;
 import it.infn.mw.iam.api.scim.exception.IllegalArgumentException;
 import it.infn.mw.iam.api.scim.model.ScimListResponse;
-import it.infn.mw.iam.api.scim.model.ScimListResponse.ScimListResponseBuilder;
 import it.infn.mw.iam.api.scim.model.ScimUser;
 import it.infn.mw.iam.persistence.model.IamAccount;
 import it.infn.mw.iam.persistence.model.IamGroup;
@@ -64,18 +64,13 @@ public ScimListResponse<ScimUser> findAccountByLabel(String labelName, String la
   @Override
   public ScimListResponse<ScimUser> findAccountByEmail(String emailAddress) {
     Optional<IamAccount> account = repo.findByEmail(emailAddress);
-
-    ScimListResponseBuilder<ScimUser> builder = ScimListResponse.builder();
-    account.ifPresent(a -> builder.singleResource(converter.dtoFromEntity(a)));
-    return builder.build();
+    return responseFromOptional(account, converter);
   }
 
   @Override
   public ScimListResponse<ScimUser> findAccountByUsername(String username) {
     Optional<IamAccount> account = repo.findByUsername(username);
-    ScimListResponseBuilder<ScimUser> builder = ScimListResponse.builder();
-    account.ifPresent(a -> builder.singleResource(converter.dtoFromEntity(a)));
-    return builder.build();
+    return responseFromOptional(account, converter);
   }
 
   @Override
@@ -114,9 +109,7 @@ private Supplier<IllegalArgumentException> groupNotFoundError(String groupNameOr
   @Override
   public ScimListResponse<ScimUser> findAccountByCertificateSubject(String certSubject) {
     Optional<IamAccount> account = repo.findByCertificateSubject(certSubject);
-    ScimListResponseBuilder<ScimUser> builder = ScimListResponse.builder();
-    account.ifPresent(a -> builder.singleResource(converter.dtoFromEntity(a)));
-    return builder.build();
+    return responseFromOptional(account, converter);
   }
 
   @Override
@@ -143,7 +136,8 @@ public ScimListResponse<ScimUser> findAccountByGroupUuidWithFilter(String groupU
     return responseFromPage(results, converter, pageable);
   }
 
-  public Optional<IamAccount> findAccountByUuid(String uuid) {
-    return repo.findByUuid(uuid);
+  public ScimListResponse<ScimUser> findAccountByUuid(String uuid) {
+    Optional<IamAccount> account = repo.findByUuid(uuid);
+    return responseFromOptional(account, converter);
   }
 }
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountService.java
index aca1e154b..67825b9d6 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountService.java
@@ -15,13 +15,10 @@
  */
 package it.infn.mw.iam.api.account.find;
 
-import java.util.Optional;
-
 import org.springframework.data.domain.Pageable;
 
 import it.infn.mw.iam.api.scim.model.ScimListResponse;
 import it.infn.mw.iam.api.scim.model.ScimUser;
-import it.infn.mw.iam.persistence.model.IamAccount;
 
 public interface FindAccountService {
 
@@ -49,5 +46,5 @@ ScimListResponse<ScimUser> findAccountByGroupUuidWithFilter(String groupUuid, St
   ScimListResponse<ScimUser> findAccountNotInGroupWithFilter(String groupUuid, String filter,
       Pageable pageable);
       
-  Optional<IamAccount> findAccountByUuid(String uuid);
+  ScimListResponse<ScimUser> findAccountByUuid(String uuid);
 }
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/utils/FindUtils.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/utils/FindUtils.java
index 5c9b78efa..e45cdd3c6 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/utils/FindUtils.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/utils/FindUtils.java
@@ -17,6 +17,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Optional;
 
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
@@ -43,6 +44,9 @@ public static <D, E> ScimListResponse<D> responseFromPage(Page<E> results,
     return builder.build();
   }
 
-
-
+  public static <D, E> ScimListResponse<D> responseFromOptional(Optional<E> account, Converter<D, E> converter) {
+    ScimListResponseBuilder<D> builder = ScimListResponse.builder();
+    account.ifPresent(a -> builder.singleResource(converter.dtoFromEntity(a)));
+    return builder.build();
+  }
 }

From 66ce06bd2d3d1621fe257365cdfb36117809631d Mon Sep 17 00:00:00 2001
From: Manoj Garai <manoj.garai@stfc.ac.uk>
Date: Fri, 10 May 2024 09:47:22 +0100
Subject: [PATCH 06/12] Return ScimUser to match interface design

---
 .../account/find/FindAccountController.java   | 28 ++-----------------
 .../clients/client/client.component.js        |  2 +-
 .../clientslist/clientslist.component.js      |  2 +-
 .../user/myclients/myclients.component.js     |  2 +-
 .../dashboard-app/services/find.service.js    |  2 +-
 5 files changed, 7 insertions(+), 29 deletions(-)

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
index 0e27d2b1e..1df4b6af5 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
@@ -129,31 +129,9 @@ public ListResponseDTO<ScimUser> findNotInGroup(@PathVariable String groupUuid,
     }
   }
 
-  @GetMapping(FIND_BY_UUID_RESOURCE)
+  @GetMapping(value = FIND_BY_UUID_RESOURCE, produces = ScimConstants.SCIM_CONTENT_TYPE)
   @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or hasRole('USER')")
-  public JSONObject findByUuid(@PathVariable String accountUuid) {
-    Optional<IamAccount> iamAccount = service.findAccountByUuid(accountUuid);
-    if(iamAccount.isPresent()){
-      return getIamAccountJson(iamAccount.get());
-    } else{
-      throw NoSuchAccountError.forUuid(accountUuid);
-    }    
-  }
-
-  @ResponseStatus(value = HttpStatus.NOT_FOUND)
-  @ExceptionHandler(NoSuchAccountError.class)
-  @ResponseBody
-  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or hasRole('USER')")
-  public ErrorDTO accountNotFoundError(HttpServletRequest req, Exception ex) {
-    return ErrorDTO.fromString(ex.getMessage());
-  }
-
-  private JSONObject getIamAccountJson(IamAccount iamAccount) {
-    JSONObject iamAccountJson = new JSONObject();
-    iamAccountJson.put("id", iamAccount.getId());
-    iamAccountJson.put("accountUuid", iamAccount.getUuid());
-    iamAccountJson.put("username", iamAccount.getUsername());
-    iamAccountJson.put("active", iamAccount.isActive());
-    return iamAccountJson;
+  public ListResponseDTO<ScimUser> findByUuid(@PathVariable String accountUuid) {
+    return service.findAccountByUuid(accountUuid);
   }
 }
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.js
index 2084a890c..a3f4002bd 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.js
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.js
@@ -135,7 +135,7 @@
 
         function getClientStatusMessage(){
             FindService.findAccountByUuid(self.clientVal.status_changed_by).then(function(res){
-                self.clientStatusMessage = "Suspended by " + res.username + " on " + getFormatedDate(self.clientVal.status_changed_on);                                            
+                self.clientStatusMessage = "Suspended by " + res.userName + " on " + getFormatedDate(self.clientVal.status_changed_on);                                            
             }).catch(function (res) {
                 console.debug("Error retrieving user account!", res);
             });           
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.js
index 50ad86daf..a22ceb89c 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.js
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.js
@@ -122,7 +122,7 @@
 
         function getClientStatusMessage(client){
             FindService.findAccountByUuid(client.status_changed_by).then(function(res){
-                self.clientStatusMessage = "Suspended by " + res.username + " on " + getFormatedDate(client.status_changed_on);                                            
+                self.clientStatusMessage = "Suspended by " + res.userName + " on " + getFormatedDate(client.status_changed_on);                                            
             }).catch(function (res) {
                 console.debug("Error retrieving user account!", res);
             });           
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.js
index 0e4fbaf35..917708f2a 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.js
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.js
@@ -122,7 +122,7 @@
 
         function getClientStatusMessage(client){
             FindService.findAccountByUuid(client.status_changed_by).then(function(res){
-                self.clientStatusMessage = "Suspended by " + res.username + " on " + getFormatedDate(client.status_changed_on);                                            
+                self.clientStatusMessage = "Suspended by " + res.userName + " on " + getFormatedDate(client.status_changed_on);                                            
             }).catch(function (res) {
                 console.debug("Error retrieving user account!", res);
             });           
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/find.service.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/find.service.js
index df4467610..017095c8b 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/find.service.js
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/find.service.js
@@ -51,7 +51,7 @@
         function findAccountByUuid(accountUuid) {
             var url = "/iam/account/find/byuuid/" + accountUuid;
             return $http.get(url).then(function (result) {
-                return result.data;
+                return result.data.Resources[0];
             }).catch(function (error) {
                 console.error("Error loading account details: ", error);
                 return $q.reject(error);

From 56be86c65a7b4a9c511d3c74cfc1d71c380c3a92 Mon Sep 17 00:00:00 2001
From: Manoj Garai <manoj.garai@stfc.ac.uk>
Date: Fri, 10 May 2024 09:48:31 +0100
Subject: [PATCH 07/12] Use different endpoint to enable and disable client

---
 .../ClientManagementAPIController.java        | 26 ++++----
 .../DefaultClientRegistrationService.java     | 60 +++++++++----------
 .../client/status/client.status.component.js  |  7 +--
 .../dashboard-app/services/clients.service.js | 15 ++++-
 4 files changed, 60 insertions(+), 48 deletions(-)

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
index 2c377ef43..c6309bef7 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
@@ -44,9 +44,8 @@
 import org.springframework.web.bind.annotation.RestController;
 
 import com.fasterxml.jackson.annotation.JsonView;
-import com.google.gson.JsonObject;
-import com.google.gson.JsonParser;
 
+import it.infn.mw.iam.api.account.AccountUtils;
 import it.infn.mw.iam.api.client.error.InvalidPaginationRequest;
 import it.infn.mw.iam.api.client.error.NoSuchClient;
 import it.infn.mw.iam.api.client.management.service.ClientManagementService;
@@ -56,6 +55,7 @@
 import it.infn.mw.iam.api.common.PagingUtils;
 import it.infn.mw.iam.api.common.client.RegisteredClientDTO;
 import it.infn.mw.iam.api.scim.model.ScimUser;
+import it.infn.mw.iam.persistence.model.IamAccount;
 
 @RestController
 @RequestMapping(ClientManagementAPIController.ENDPOINT)
@@ -64,9 +64,11 @@ public class ClientManagementAPIController {
   public static final String ENDPOINT = "/iam/api/clients";
 
   private final ClientManagementService managementService;
+  private final AccountUtils accountUtils;
 
-  public ClientManagementAPIController(ClientManagementService managementService) {
+  public ClientManagementAPIController(ClientManagementService managementService, AccountUtils accountUtils) {
     this.managementService = managementService;
+    this.accountUtils = accountUtils;
   }
 
   @PostMapping
@@ -143,14 +145,18 @@ public RegisteredClientDTO updateClient(@PathVariable String clientId,
     return managementService.updateClient(clientId, client);
   }
 
-  @PatchMapping("/{clientId}/status")
+  @PatchMapping("/{clientId}/enable")
   @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
-  public void updateClientStatus(@PathVariable String clientId,
-      @RequestBody String body) {  
-    JsonObject jsonObject = JsonParser.parseString(body).getAsJsonObject();
-    boolean status = jsonObject.get("status").getAsBoolean();
-    String userId = jsonObject.get("userId").getAsString();      
-    managementService.updateClientStatus(clientId, status, userId);
+  public void enableClient(@PathVariable String clientId) {   
+    Optional<IamAccount> accpunt = accountUtils.getAuthenticatedUserAccount();
+    accpunt.ifPresent(a -> managementService.updateClientStatus(clientId, true, a.getUuid()));
+  }
+
+  @PatchMapping("/{clientId}/disable")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  public void disableClient(@PathVariable String clientId) {
+    Optional<IamAccount> accpunt = accountUtils.getAuthenticatedUserAccount();     
+    accpunt.ifPresent(a -> managementService.updateClientStatus(clientId, false, a.getUuid()));
   }
 
   @PostMapping("/{clientId}/secret")
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
index a79ab9af2..cb47ce787 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
@@ -396,39 +396,37 @@ public RegisteredClientDTO updateClient(String clientId, RegisteredClientDTO req
 
     ClientDetailsEntity oldClient =
         lookupClient(clientId, authentication).orElseThrow(clientNotFound(clientId));
-
+    if(!oldClient.isActive()){
+      throw new ClientSuspended("Client " + clientId + " is suspended!");
+    }    
     checkAllowedGrantTypesOnUpdate(request, authentication, oldClient);
     cleanupRequestedScopesOnUpdate(request, authentication, oldClient);
-    if(oldClient.isActive()){    
-      ClientDetailsEntity newClient = converter.entityFromRegistrationRequest(request);
-      newClient.setId(oldClient.getId());
-      newClient.setClientSecret(oldClient.getClientSecret());
-      newClient.setAccessTokenValiditySeconds(oldClient.getAccessTokenValiditySeconds());
-      newClient.setIdTokenValiditySeconds(oldClient.getIdTokenValiditySeconds());
-      newClient.setRefreshTokenValiditySeconds(oldClient.getRefreshTokenValiditySeconds());
-      newClient.setDeviceCodeValiditySeconds(oldClient.getDeviceCodeValiditySeconds());
-      newClient.setDynamicallyRegistered(true);
-      newClient.setAllowIntrospection(oldClient.isAllowIntrospection());
-      newClient.setAuthorities(oldClient.getAuthorities());
-      newClient.setCreatedAt(oldClient.getCreatedAt());
-      newClient.setReuseRefreshToken(oldClient.isReuseRefreshToken());
-      newClient.setActive(oldClient.isActive());
-
-      ClientDetailsEntity savedClient = clientService.updateClient(newClient);
-
-      eventPublisher.publishEvent(new ClientUpdatedEvent(this, savedClient));
-
-      RegisteredClientDTO response = converter.registrationResponseFromClient(savedClient);
-
-      maybeUpdateRegistrationAccessToken(savedClient, authentication).ifPresent(t -> {
-        eventPublisher.publishEvent(new ClientRegistrationAccessTokenRotatedEvent(this, savedClient));
-        response.setRegistrationAccessToken(t);
-      });
-      return response;
-  } else {
-    throw new ClientSuspended("Client " + clientId + " is suspended!");
-  }
-    
+       
+    ClientDetailsEntity newClient = converter.entityFromRegistrationRequest(request);
+    newClient.setId(oldClient.getId());
+    newClient.setClientSecret(oldClient.getClientSecret());
+    newClient.setAccessTokenValiditySeconds(oldClient.getAccessTokenValiditySeconds());
+    newClient.setIdTokenValiditySeconds(oldClient.getIdTokenValiditySeconds());
+    newClient.setRefreshTokenValiditySeconds(oldClient.getRefreshTokenValiditySeconds());
+    newClient.setDeviceCodeValiditySeconds(oldClient.getDeviceCodeValiditySeconds());
+    newClient.setDynamicallyRegistered(true);
+    newClient.setAllowIntrospection(oldClient.isAllowIntrospection());
+    newClient.setAuthorities(oldClient.getAuthorities());
+    newClient.setCreatedAt(oldClient.getCreatedAt());
+    newClient.setReuseRefreshToken(oldClient.isReuseRefreshToken());
+    newClient.setActive(oldClient.isActive());
+
+    ClientDetailsEntity savedClient = clientService.updateClient(newClient);
+
+    eventPublisher.publishEvent(new ClientUpdatedEvent(this, savedClient));
+
+    RegisteredClientDTO response = converter.registrationResponseFromClient(savedClient);
+
+    maybeUpdateRegistrationAccessToken(savedClient, authentication).ifPresent(t -> {
+      eventPublisher.publishEvent(new ClientRegistrationAccessTokenRotatedEvent(this, savedClient));
+      response.setRegistrationAccessToken(t);
+    });
+    return response;      
   }
 
   @Override
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.js
index 6cb82457f..2c8512814 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.js
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/components/clients/client/status/client.status.component.js
@@ -56,23 +56,22 @@
     };
 
     self.enableClient = function() {
-      return ClientsService.setClientActiveStatus(self.client.client_id, true, self.loggedUserId)
+      return ClientsService.enableClient(self.client.client_id)
           .then(self.handleSuccess)
           .catch(self.handleError);
     };
 
     self.disableClient = function() {
-      return ClientsService.setClientActiveStatus(self.client.client_id, false, self.loggedUserId)
+      return ClientsService.disableClient(self.client.client_id)
           .then(self.handleSuccess)
           .catch(self.handleError);
     };
 
 
-    self.openDialog = function(loggedUserId) {
+    self.openDialog = function() {
 
       var modalOptions = null;
       var updateStatusFunc = null;
-      self.loggedUserId = loggedUserId;
 
       if (self.client.active) {
         modalOptions = {
diff --git a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/clients.service.js b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/clients.service.js
index 4c02e5e8e..f9eec42d3 100644
--- a/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/clients.service.js
+++ b/iam-login-service/src/main/webapp/resources/iam/apps/dashboard-app/services/clients.service.js
@@ -45,7 +45,8 @@
             removeClientOwner: removeClientOwner,
             newClient: newClient,
             getClientList: getClientList,
-            setClientActiveStatus: setClientActiveStatus
+            enableClient: enableClient,
+            disableClient: disableClient
         };
 
         return service;
@@ -177,8 +178,16 @@
             return newClient;
         }
 
-        function setClientActiveStatus(clientId, isActive, userId){
-            return $http.patch(endpoint(clientId) + "/status", "{\"status\": "+ isActive + ",\"userId\":" + userId + "}", defaultRequestConfig).then(function (res) {
+        function enableClient(clientId){
+            return $http.patch(endpoint(clientId) + "/enable").then(function (res) {
+                return res.data;
+            }).catch(function (res) {
+                return $q.reject(res);
+            });
+        }
+
+        function disableClient(clientId){
+            return $http.patch(endpoint(clientId) + "/disable").then(function (res) {
                 return res.data;
             }).catch(function (res) {
                 return $q.reject(res);

From 21779fc86f547319c54c3ff30a76ca95007dffb2 Mon Sep 17 00:00:00 2001
From: Manoj Garai <manoj.garai@stfc.ac.uk>
Date: Fri, 10 May 2024 16:32:46 +0100
Subject: [PATCH 08/12] Fix test cases

---
 .../find/FindAccountIntegrationTests.java     | 17 +++++++--------
 .../ClientManagementAPIIntegrationTests.java  | 21 ++++++++++++++++---
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java
index c9b5fa582..0b35d0e31 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java
@@ -43,7 +43,6 @@
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 
-import it.infn.mw.iam.api.common.error.NoSuchAccountError;
 import it.infn.mw.iam.core.group.IamGroupService;
 import it.infn.mw.iam.core.user.IamAccountService;
 import it.infn.mw.iam.persistence.model.IamAccount;
@@ -305,19 +304,17 @@ public void findByUUIDWorks() throws Exception {
 
     mvc.perform(get(FIND_BY_UUID_RESOURCE, testAccount.getUuid()))
       .andExpect(OK)
-      .andExpect(jsonPath("$.id", is(testAccount.getId()), Long.class))
-      .andExpect(jsonPath("$.accountUuid", is(testAccount.getUuid())))
-      .andExpect(jsonPath("$.username", is(testAccount.getUsername())))
-      .andExpect(jsonPath("$.active", is(testAccount.isActive())));
+      .andExpect(jsonPath("$.Resources[0].id", is(testAccount.getUuid())))
+      .andExpect(jsonPath("$.Resources[0].userName", is(testAccount.getUsername())))
+      .andExpect(jsonPath("$.Resources[0].active", is(testAccount.isActive())));
   }
 
   @Test
   @WithMockUser(username = "test", roles = "USER")
-  public void findByUUIDThorowsException() throws Exception {
+  public void totalResultDoesNotExistForUnknownUUID() throws Exception {
     mvc.perform(get(FIND_BY_UUID_RESOURCE, "unknown_uuid"))
-       .andExpect(status().isNotFound())
-       .andExpect(result -> assertTrue(result.getResolvedException() instanceof NoSuchAccountError))
-       .andExpect(result -> assertEquals("Account not found for id 'unknown_uuid'", result.getResolvedException().getMessage()));
+       .andExpect(OK)
+       .andExpect(jsonPath("$.totalResults").doesNotExist())
+       .andExpect(jsonPath("$.Resources", emptyIterable()));
   }
-
 }
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java
index 757f778f9..2b40da102 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java
@@ -296,14 +296,29 @@ public void negativeRefreshTokenLifetimesSetToInfinite() throws Exception {
 
   @Test
   @WithMockUser(username = "admin", roles = {"ADMIN", "USER"})
-  public void clientStatusUpdateWorks() throws Exception {
+  public void setClientEnableWorks() throws Exception {
 
    mvc.perform(get(ClientManagementAPIController.ENDPOINT + "/client"))
       .andExpect(OK)
       .andExpect(jsonPath("$.active").value(true));
 
-    mvc.perform(patch(ClientManagementAPIController.ENDPOINT + "/{clientId}/status", "client")
-    .content("{\"status\": false, \"userId\": userId}")
+    mvc.perform(patch(ClientManagementAPIController.ENDPOINT + "/{clientId}/enable", "client")
+    ).andExpect(OK);
+
+    mvc.perform(get(ClientManagementAPIController.ENDPOINT + "/client"))
+      .andExpect(OK)
+      .andExpect(jsonPath("$.active").value(true));
+  }
+
+  @Test
+  @WithMockUser(username = "admin", roles = {"ADMIN", "USER"})
+  public void setClientDisableWorks() throws Exception {
+
+   mvc.perform(get(ClientManagementAPIController.ENDPOINT + "/client"))
+      .andExpect(OK)
+      .andExpect(jsonPath("$.active").value(true));
+
+    mvc.perform(patch(ClientManagementAPIController.ENDPOINT + "/{clientId}/disable", "client")
     ).andExpect(OK);
 
     mvc.perform(get(ClientManagementAPIController.ENDPOINT + "/client"))

From 912a9630b9a8df4a5a3ef3756de2136d2feaeb25 Mon Sep 17 00:00:00 2001
From: Manoj Garai <manoj.garai@stfc.ac.uk>
Date: Wed, 15 May 2024 15:10:07 +0100
Subject: [PATCH 09/12] Fix typo

---
 .../client/management/ClientManagementAPIController.java  | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
index c6309bef7..406891a30 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
@@ -148,15 +148,15 @@ public RegisteredClientDTO updateClient(@PathVariable String clientId,
   @PatchMapping("/{clientId}/enable")
   @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public void enableClient(@PathVariable String clientId) {   
-    Optional<IamAccount> accpunt = accountUtils.getAuthenticatedUserAccount();
-    accpunt.ifPresent(a -> managementService.updateClientStatus(clientId, true, a.getUuid()));
+    Optional<IamAccount> account = accountUtils.getAuthenticatedUserAccount();
+    account.ifPresent(a -> managementService.updateClientStatus(clientId, true, a.getUuid()));
   }
 
   @PatchMapping("/{clientId}/disable")
   @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public void disableClient(@PathVariable String clientId) {
-    Optional<IamAccount> accpunt = accountUtils.getAuthenticatedUserAccount();     
-    accpunt.ifPresent(a -> managementService.updateClientStatus(clientId, false, a.getUuid()));
+    Optional<IamAccount> account = accountUtils.getAuthenticatedUserAccount();     
+    account.ifPresent(a -> managementService.updateClientStatus(clientId, false, a.getUuid()));
   }
 
   @PostMapping("/{clientId}/secret")

From 26b53a9a2a83329f4cf7ebd3d5d6f5ec28bbc11f Mon Sep 17 00:00:00 2001
From: Manoj Garai <manoj.garai@stfc.ac.uk>
Date: Wed, 15 May 2024 15:13:34 +0100
Subject: [PATCH 10/12] Check user updating suspended client

---
 .../ClientRegistrationApiController.java           |  2 +-
 .../service/DefaultClientRegistrationService.java  | 14 +++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/ClientRegistrationApiController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/ClientRegistrationApiController.java
index 5f1b1e210..5b8ef1cd6 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/ClientRegistrationApiController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/ClientRegistrationApiController.java
@@ -120,7 +120,7 @@ public ErrorDTO noSuchClient(HttpServletRequest req, Exception ex) {
     return ErrorDTO.fromString(ex.getMessage());
   }
 
-  @ResponseStatus(value = HttpStatus.BAD_REQUEST)
+  @ResponseStatus(value = HttpStatus.FORBIDDEN)
   @ExceptionHandler(ClientSuspended.class)
   public ErrorDTO clientSuspended(HttpServletRequest req, Exception ex) {
     return ErrorDTO.fromString(ex.getMessage());
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
index cb47ce787..e9aa131fb 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
@@ -321,6 +321,15 @@ && registrationAccessTokenAuthenticationValidForClientId(client.getClientId(), a
     return Optional.empty();
   }
 
+  private void checkUserUpdatingSuspendedClient(Authentication authentication, ClientDetailsEntity oldClient) {
+    if (accountUtils.isAdmin(authentication)) {
+      return;
+    }
+    if(!oldClient.isActive()){
+      throw new ClientSuspended("Client " + oldClient.getClientId() + " is suspended!");
+    }
+  }
+
   @Validated(OnDynamicClientRegistration.class)
   @Override
   public RegisteredClientDTO registerClient(RegisteredClientDTO request,
@@ -396,9 +405,8 @@ public RegisteredClientDTO updateClient(String clientId, RegisteredClientDTO req
 
     ClientDetailsEntity oldClient =
         lookupClient(clientId, authentication).orElseThrow(clientNotFound(clientId));
-    if(!oldClient.isActive()){
-      throw new ClientSuspended("Client " + clientId + " is suspended!");
-    }    
+
+    checkUserUpdatingSuspendedClient(authentication, oldClient);    
     checkAllowedGrantTypesOnUpdate(request, authentication, oldClient);
     cleanupRequestedScopesOnUpdate(request, authentication, oldClient);
        

From 8c980d8d7bf2fa5731908c06413e9992c2bf2177 Mon Sep 17 00:00:00 2001
From: Manoj Garai <manoj.garai@stfc.ac.uk>
Date: Wed, 15 May 2024 15:30:06 +0100
Subject: [PATCH 11/12] Remove unused imports

---
 .../mw/iam/api/account/find/FindAccountController.java | 10 ----------
 .../api/account/find/FindAccountIntegrationTests.java  |  3 ---
 2 files changed, 13 deletions(-)

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
index 1df4b6af5..2c540b8c8 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
@@ -20,27 +20,17 @@
 import static java.util.Objects.isNull;
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
 
-import java.util.Optional;
-
-import javax.servlet.http.HttpServletRequest;
-
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Pageable;
-import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.BindingResult;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 
-import com.nimbusds.jose.shaded.json.JSONObject;
-
-import it.infn.mw.iam.api.common.ErrorDTO;
 import it.infn.mw.iam.api.common.ListResponseDTO;
-import it.infn.mw.iam.api.common.error.NoSuchAccountError;
 import it.infn.mw.iam.api.common.form.PaginatedRequestWithFilterForm;
 import it.infn.mw.iam.api.scim.model.ScimConstants;
 import it.infn.mw.iam.api.scim.model.ScimUser;
-import it.infn.mw.iam.persistence.model.IamAccount;
 
 @RestController
 @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java
index 0b35d0e31..1fd5c30fa 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java
@@ -26,11 +26,8 @@
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.Matchers.emptyIterable;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 import java.util.function.Supplier;
 

From ef46cf9a934547568493293098e11ba30b7fafa8 Mon Sep 17 00:00:00 2001
From: Manoj Garai <manoj.garai@stfc.ac.uk>
Date: Fri, 24 May 2024 12:02:26 +0100
Subject: [PATCH 12/12] Set current timestamp as default for status_changed_on
 column

---
 ...V103__add_active_and_status_changed_on_to_client_details.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iam-persistence/src/main/resources/db/migration/mysql/V103__add_active_and_status_changed_on_to_client_details.sql b/iam-persistence/src/main/resources/db/migration/mysql/V103__add_active_and_status_changed_on_to_client_details.sql
index c916edaf6..9aa3f3596 100644
--- a/iam-persistence/src/main/resources/db/migration/mysql/V103__add_active_and_status_changed_on_to_client_details.sql
+++ b/iam-persistence/src/main/resources/db/migration/mysql/V103__add_active_and_status_changed_on_to_client_details.sql
@@ -1,3 +1,3 @@
 ALTER TABLE client_details ADD COLUMN (active BOOLEAN, 
-                                        status_changed_on TIMESTAMP DEFAULT '1970-01-01 00:00:01',
+                                        status_changed_on TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
                                         status_changed_by VARCHAR(36));
\ No newline at end of file