Document client registration access token rotation executor (#1736)

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Réda Housni Alaoui 2023-01-05 20:56:26 +01:00 committed by GitHub
parent 46317fff9c
commit 5ca38aa96b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 1 deletions

@ -61,7 +61,8 @@ Authorization: bearer eyJhbGciOiJSUz...
When you create a client through the Client Registration Service the response will include a registration access token.
The registration access token provides access to retrieve the client configuration later, but also to update or delete the client.
The registration access token is included with the request in the same way as a bearer token or initial access token.
Registration access tokens are only valid once, when it's used the response will include a new token.
By default, registration access token rotation is enabled. This means a registration access token is only valid once. When the token is used, the response will include a new token. Note that registration access token rotation can be disabled by using link:{adminguide_link}#_client_policies[Client Policies].
If a client was created outside of the Client Registration Service it won't have a registration access token associated with it.
You can create one through the admin console. This can also be useful if you lose the token for a particular client.
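Review bot: the new sentence "Note that registration access token rotation can be disabled by using ... Client Policies" says that rotation can be turned off but not what that costs or which executor does it. The paragraph above states that this token can retrieve, update or delete the client, so once rotation is disabled the token is no longer single-use and a leaked copy stays usable for all three operations. Suggest adding one sentence stating that consequence, and pointing the link at the specific executor entry rather than the general `_client_policies` anchor so readers land on the setting itself.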

@ -123,6 +123,7 @@ One of several purposes for this executor is to realize the security requirement
* Enforce more secure signature algorithm when client registration
* Enforce `binding_message` parameter is used for CIBA requests
* Enforce <<_secret_rotation, Client Secret Rotation>>
* Enforce Client Registration Access Token
* Enforce checking if a client is the one to which an intent was issued in a use case where an intent is issued before starting an authorization code flow to get an access token like UK OpenBanking
[[_client_policy_profile]]
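Review bot: the added bullet "* Enforce Client Registration Access Token" does not say what is being enforced, and "Enforce" reads oddly given that the other changed file describes Client Policies as the way to disable rotation. The neighbouring bullet names the behaviour and cross-references it ("Enforce <<_secret_rotation, Client Secret Rotation>>"); suggest the same pattern here, for example naming rotation explicitly and linking to the section that explains registration access tokens, so the two files describe the executor consistently.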