Prevent CSRF Filter from verifying token for a specific path #44625

Open
egorsivenko opened this issue Nov 21, 2024 · 0 comments

Discussed in #44582

Originally posted by egorsivenko November 19, 2024
I'm making a custom OAuth authorization server with Quarkus Renarde.

It includes the quarkus-rest-csrf dependency, which is used for securing endpoints that accept application/x-www-form-urlencoded, such as /login, /register, /oauth2/clients/new, etc.

As follows from the OAuth specs, the client sends a POST request of type application/x-www-form-urlencoded to get the token after previously obtaining the authorization code.

As the client represents an external application, the authorization server doesn't need to verify the CSRF token upon receiving the token POST request, because otherwise it's basically impossible to communicate with it.

The only thing I have found in the docs is to restrict CSRF token creation after a GET request, but it doesn't seem to fit the case. Is there a way to disable the CSRF filter for such a specific endpoint?
