feat(admin): Auth token clean-up

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

admin_manual/configuration_user/authentication.rst

@@ -0,0 +1,28 @@
+.. _authentication:
+
+==============
+Authentication
+==============
+
+App passwords
+^^^^^^^^^^^^^
+
+App passwords allow users to authenticate multiple client applications against their Nextcloud account without giving the application the login password. App passwords are mandatory for accounts with :ref:`two-factor authentication<two-factor-auth>` enabled.
+
+Some clients support *remote wipe*, which makes the connected application delete its local data.
+
+.. _authentication-app-password-clean-up:
+
+Automated clean-up
+******************
+
+.. versionadded:: 30
+
+Nextcloud will delete unused passwords. Passwords set for *remote wipe* are deleted after 60 days of no usage. App passwords of client applications are deleted after 365 days of no usage.
+
+The time spans can be overwritten with configuration::
+
+  php occ config:system:set token_auth_wipe_token_retention --type=int --value 2592000 # 60*60*24*30 - 30 days
+  php occ config:system:set token_auth_token_retention --type=int --value 63072000     # 60*60*24*365*2 - 2 years
+
+Values are set in **seconds**.

admin_manual/configuration_user/index.rst

@@ -9,6 +9,7 @@ User management
     reset_admin_password
     reset_user_password
     user_password_policy
+    authentication
     two_factor-auth
     user_auth_ldap
     user_auth_ldap_cleanup

admin_manual/release_notes/upgrade_to_30.rst

@@ -30,3 +30,8 @@ Previews for PDF files with Imaginary
 
 The preview provider ``OC\Preview\Imaginary`` is no longer generating previews for PDF files.
 Add the new preview provider ``OC\Preview\ImaginaryPDF`` to ``enabledPreviewProviders`` to enable preview generation with Imaginary for PDF files.
+
+Automated clean-up of app password
+----------------------------------
+
+Nextcloud 30 will :ref:`clean-up unused app passwords<authentication-app-password-clean-up>`.