Automated cleanup of unused OAuth2 first-party clients

[cjslep]

Currently, logging in multiple times will generate a lot of auto-registered OAuth2 local first-party clients into the database. That doesn't seem like too much of a problem, but it is potentially a source of boundless growth.

It would be nice to have a routine that periodically checks: determine if this local first-party client have any reference to it in the tokens table, and if not, delete it. This is neither a simple nor cheap SQL operation, and may require a VACUUM-like behavior with a background goroutine doing this task and determining the diffs. Fortunately the problem is partitioned per-user, which can aid in designing such a routine.