This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Best practice for endpoint disabling? #2796

Closed
wilhen01 opened this issue Apr 18, 2016 · 8 comments

@wilhen01

Does anyone have any guidance on best practice re: disabling endpoints? Our implementation is only using the Implicit Flow type, which I believe means we can disable some of the endpoints (e.g. Token & TokenRevocation), but I'm not sure if I'm being overzealous. Is it insecure to leave the endpoints available even if we aren't using them?

@brockallen
Member

There's an Endpoints option: https://identityserver.github.io/Documentation/docsv2/configuration/identityServerOptions.html that you can use to disable individual endpoints.

@wilhen01
Author

@brockallen I already found that; I know how to disable endpoints, I'm asking for opinions on whether I should!

@brockallen
Member

So the answer is yes -- that's why we have those settings. If you're not using them, then don't expose them.

@wilhen01
Author

Is there definitive documentation as to which endpoints are required for each of the flows? I had a look but couldn't find anything exhaustive, and the Endpoints documentation listed here doesn't seem to cover every endpoint available to enable/disable?

@brockallen
Member

We don't, but that's a good idea for documentation. IdentityServer/Documentation#198

@wilhen01
Author

OK, I guess I'll play around and work out which endpoints I can ditch one by one without breaking anything! Thanks @brockallen

@brockallen
Member

Yep, that's a reasonable way to start :)

@wilhen01
Author

For reference in case anyone is interested, the following endpoint config seems to work for us using ImplicitFlow:

Endpoints = new EndpointOptions
{
    // Enabled
    EnableAuthorizeEndpoint = true, // used to request access tokens / auth codes (Flows: Implicit, Authorization Code)
    EnableCheckSessionEndpoint = true,
    EnableClientPermissionsEndpoint = true,
    EnableEndSessionEndpoint = true, // used for logout
    EnableUserInfoEndpoint = true, // used to retrieve identity information about a subject
    EnableDiscoveryEndpoint = true, // used to retrieve metadata about IdentityServer

    // Disabled
    EnableAccessTokenValidationEndpoint = false, // used to validate reference tokens
    EnableCspReportEndpoint = false, // reporting endpoint for Content Security Policy
    EnableIdentityTokenValidationEndpoint = false, // used by clients without access to crypto libs, e.g. JavaScript
    EnableIntrospectionEndpoint = false, // used to validate reference tokens
    EnableTokenEndpoint = false, // used to programmatically request or refresh tokens (Flows: resource owner password credential, authorization code, client credentials)
    EnableTokenRevocationEndpoint = false, // used for revoking access tokens (reference tokens only) and refresh tokens
}
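Once a config like the one above is deployed, it is worth checking that the server actually stopped advertising the endpoints you turned off. The script below is an added example for this thread, not IdentityServer code: it reads a discovery document (the constructed sample inline, or the JSON from your own `/.well-known/openid-configuration`) and compares the advertised endpoints with an intended policy keyed by the `EndpointOptions` flag names from the config above. It assumes that IdentityServer3 omits a discovery key when the matching endpoint is disabled; the hostname and the sample document are made up.

```python
"""Audit an OpenID Connect discovery document against an intended
EndpointOptions policy.  Added example, not IdentityServer code."""
import json

# Discovery-document key -> the IdentityServer3 EndpointOptions flag it depends on.
# Assumption: a disabled endpoint is left out of the discovery document, so an
# advertised key means the endpoint is still reachable.
DISCOVERY_KEY_TO_FLAG = {
    "authorization_endpoint": "EnableAuthorizeEndpoint",
    "token_endpoint": "EnableTokenEndpoint",
    "userinfo_endpoint": "EnableUserInfoEndpoint",
    "end_session_endpoint": "EnableEndSessionEndpoint",
    "check_session_iframe": "EnableCheckSessionEndpoint",
    "revocation_endpoint": "EnableTokenRevocationEndpoint",
    "introspection_endpoint": "EnableIntrospectionEndpoint",
}

# The implicit-flow-only policy posted in the thread.
IMPLICIT_ONLY_POLICY = {
    "EnableAuthorizeEndpoint": True,
    "EnableCheckSessionEndpoint": True,
    "EnableClientPermissionsEndpoint": True,
    "EnableEndSessionEndpoint": True,
    "EnableUserInfoEndpoint": True,
    "EnableDiscoveryEndpoint": True,
    "EnableAccessTokenValidationEndpoint": False,
    "EnableCspReportEndpoint": False,
    "EnableIdentityTokenValidationEndpoint": False,
    "EnableIntrospectionEndpoint": False,
    "EnableTokenEndpoint": False,
    "EnableTokenRevocationEndpoint": False,
}

# Constructed sample (hostname is made up): the operator forgot to disable the
# token endpoint, and the userinfo endpoint is unexpectedly missing.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idsrv.example.test",
    "authorization_endpoint": "https://idsrv.example.test/connect/authorize",
    "token_endpoint": "https://idsrv.example.test/connect/token",
    "end_session_endpoint": "https://idsrv.example.test/connect/endsession",
    "check_session_iframe": "https://idsrv.example.test/connect/checksession",
    "jwks_uri": "https://idsrv.example.test/.well-known/jwks",
    "response_types_supported": ["id_token", "id_token token"],
})


def audit_discovery(discovery_json, policy):
    """Compare advertised endpoints with the intended policy.

    Returns a dict with two sorted lists:
      'exposed_but_disabled' - advertised keys whose flag the policy sets to False
      'expected_but_missing' - keys whose flag is enabled but that are not advertised
    Keys not mapped to a flag (issuer, jwks_uri, ...) are ignored.  A flag absent
    from the policy is treated as enabled, matching IdentityServer3's defaults.
    """
    doc = json.loads(discovery_json)
    advertised = {key for key in doc if key in DISCOVERY_KEY_TO_FLAG}
    exposed = sorted(key for key in advertised
                     if not policy.get(DISCOVERY_KEY_TO_FLAG[key], True))
    missing = sorted(key for key, flag in DISCOVERY_KEY_TO_FLAG.items()
                     if policy.get(flag, True) and key not in advertised)
    return {"exposed_but_disabled": exposed, "expected_but_missing": missing}


def is_compliant(discovery_json, policy):
    """True only when nothing is exposed that should be off and nothing expected is missing."""
    report = audit_discovery(discovery_json, policy)
    return not report["exposed_but_disabled"] and not report["expected_but_missing"]


if __name__ == "__main__":
    report = audit_discovery(SAMPLE_DISCOVERY_JSON, IMPLICIT_ONLY_POLICY)
    for key in report["exposed_but_disabled"]:
        print(f"FAIL: {key} is advertised but the policy disables it")
    for key in report["expected_but_missing"]:
        print(f"WARN: {key} is enabled in the policy but not advertised")
    print("compliant" if is_compliant(SAMPLE_DISCOVERY_JSON, IMPLICIT_ONLY_POLICY) else "not compliant")
```

The discovery document is a convenient first check, but it is only metadata: the definitive test for each disabled endpoint is still a direct request to its path returning 404 after deployment, which is the "ditch one by one" approach described above done in the other direction.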
