
Add ability to disable an endpoint #1882


Open
SledgeHammer01 opened this issue Jan 20, 2025 · 4 comments
Labels
type: enhancement A general enhancement
Comments

SledgeHammer01 commented Jan 20, 2025

Spin-off of #1454

Expected Behavior
As discussed in #1454, there is no clean way to disable the endpoints (including removing the filters, etc.) we don't want. In our case, we want ONLY /oauth2/token and to disable everything else, including /.well-known, etc.

Current Behavior
The out-of-the-box experience is that many endpoints are enabled for all the different flows, e.g. /authorization, /.well-known, token revoke, introspect, etc.

Context
From a security perspective, our company has regular pen testing and SecOps and we get complaints about disabling unnecessary endpoints to minimize attack vectors.

If the user is configured for client credentials post, for example, they can still send requests to all the other OAuth endpoints, and these return 400s if the request is malformed, letting an attacker know they are there. Also, this adds unnecessary processing, since the filters are there and do checks to validate the requests.

SledgeHammer01 added the "type: enhancement" label on Jan 20, 2025
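A stopgap for the situation described in the issue, added here as an example and not part of the issue or of Spring Authorization Server: a Spring Boot servlet filter that allowlists /oauth2/token and answers 404 for the authorization server's other default endpoints, so they neither reveal themselves with a 400 nor run their validation filters. It assumes Spring Boot 3 with Spring Security 6 (jakarta.servlet), that AuthorizationServerSettings keeps the default endpoint paths, and that the class and bean names (EndpointAllowlistConfig, EndpointAllowlistFilter, endpointAllowlist) are ours.

```java
import java.io.IOException;
import java.util.List;
import java.util.Set;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class EndpointAllowlistConfig {
	// Keep only the token endpoint reachable; the other default authorization server
	// paths answer 404, as if they did not exist.
	@Bean
	FilterRegistrationBean<EndpointAllowlistFilter> endpointAllowlist() {
		var registration = new FilterRegistrationBean<>(new EndpointAllowlistFilter(Set.of("/oauth2/token")));
		// Run ahead of Spring Security's filter chain (Boot registers it at order -100),
		// so refused requests never reach the authorization server filters.
		registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
		return registration;
	}

	static final class EndpointAllowlistFilter extends OncePerRequestFilter {
		// Default endpoint path prefixes (assumption: AuthorizationServerSettings has not
		// relocated them; extend the list if it has).
		private static final List<String> SERVER_PREFIXES = List.of("/oauth2/", "/.well-known/", "/userinfo", "/connect/");
		private final Set<String> allowed;
		EndpointAllowlistFilter(Set<String> allowed) {
			this.allowed = Set.copyOf(allowed);
		}
		// Refuse a request that targets a server endpoint not on the allowlist.
		static boolean shouldBlock(String path, Set<String> allowed) {
			return SERVER_PREFIXES.stream().anyMatch(path::startsWith) && !allowed.contains(path);
		}
		@Override
		protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
			// Compare the context-relative path so a servlet context path does not break matching.
			String path = request.getRequestURI().substring(request.getContextPath().length());
			if (shouldBlock(path, this.allowed)) {
				response.sendError(HttpServletResponse.SC_NOT_FOUND); // 404, not the 400 the endpoint filters return
				return;
			}
			chain.doFilter(request, response);
		}
	}
}
```

Because this runs outside Spring Security it matches the raw request URI, so treat it as a stopgap in front of the framework's own request firewall until a configurer can be disabled natively.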
@jgrandja (Collaborator)

@SledgeHammer01 This enhancement makes sense. We'll consider adding it.

@AlTurner-MOJ

We are in an identical situation and, following a pen test, have been asked by our AppSec team to disable unused endpoints. We are only using the /oauth2/token and /oauth2/authorize endpoints.

tommyttf commented Mar 2, 2025

Hi @jgrandja, I am interested in working on this issue, and have read your comment in #1498 that we had better not have a flag setting for each configurer. How about we have a removeConfigurer function and a disableXXXEndpoint for each configurer?

For example, in OAuth2AuthorizationServerConfigurer:

	// Drops the device verification configurer so its filter is never built.
	public OAuth2AuthorizationServerConfigurer disableDeviceVerificationEndpoint() {
		removeConfigurer(OAuth2DeviceVerificationEndpointConfigurer.class);
		return this;
	}

...

	// Removes the configurer from the map keyed by configurer class; no unchecked
	// cast is involved, so no @SuppressWarnings is needed.
	private void removeConfigurer(Class<?> type) {
		this.configurers.remove(type);
	}

Then we can disable the endpoint with:

		http
			.with(authorizationServerConfigurer, (authorizationServer) ->
				authorizationServer
						.disableDeviceVerificationEndpoint()
			);

What do you think?

tommyttf added a commit to tommyttf/spring-authorization-server that referenced this issue Mar 2, 2025
tommyttf added a commit to tommyttf/spring-authorization-server that referenced this issue Mar 3, 2025
…onServerConfigurer and OAuth2ClientAuthenticationConfigurer

Issue spring-projectsgh-1882

Signed-off-by: Tommy Tsang <[email protected]>
@OrangeDog

This should follow the same pattern as AbstractHttpConfigurer, and add disable() to AbstractOAuth2Configurer.

I do not like @tommyttf's solution at all, as it's inconsistent with anything else.

jgrandja added this to the 2.0.x milestone on Apr 9, 2025