Description
Spin off of #1454
Expected Behavior
As discussed in #1454, there is no clean way to disable the endpoints (including removing the filters, etc) we don't want. In our case, we want ONLY /oauth2/token and disable everything else including ./well-known, etc.
Current Behavior
Out of the box experience is that many endpoints are enabled for all the different flows, i.e. /authorization /.well-known, token revoke, introspect, etc.
Context
From a security perspective, our company has regular pen testing and SecOps and we get complaints about disabling unnecessary endpoints to minimize attack vectors.
If the user is configured for client credentials post for example, they can still send requests to all the other oauth endpoints and they are returning 400s if the request is malformed, letting an attacker know they are there. Also this is adding unnecessary processing since the filters are there and do checks to validate the requests.