Originally posted by **egorsivenko** November 19, 2024
I'm making a custom OAuth authorization server with [Quarkus Renarde](https://docs.quarkiverse.io/quarkus-renarde/dev/index.html).
It includes the `quarkus-rest-csrf` dependency, which is used for securing endpoints that accept **application/x-www-form-urlencoded**, such as `/login`, `/register`, `/oauth2/clients/new`, etc.
As follows from the [OAuth specs](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3), the client sends a POST request of type **application/x-www-form-urlencoded** to get the token after previously obtaining the [authorization code](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1).
As the client represents an external application, the authorization server doesn't need to verify the CSRF token upon receiving the [token POST request](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3), because otherwise it's basically impossible to communicate with it.
The only thing I have found in the docs is to [restrict CSRF token creation after a GET request](https://quarkus.io/guides/security-csrf-prevention#restrict-csrf-token-verification), but it doesn't seem to fit the case. Is there a way to disable the CSRF filter for such a specific endpoint?
Discussed in https://github.com/quarkusio/quarkus/discussions/44582
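To illustrate the distinction the question rests on, here is an added example (not code from the post, from Quarkus or from Renarde) that models the two kinds of form-encoded endpoint in plain Python: the RFC 6749 token endpoint, which is protected by client authentication and single-use authorization codes rather than by a CSRF token, beside a browser-facing `/login` handler that does require the session's CSRF token. All client ids, secrets, codes and session tokens are constructed values.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed registry of one OAuth client (assumed values, not real credentials).
CLIENTS = {"web-app": {"secret": "s3cr3t", "redirect_uri": "https://app.example/cb"}}
# Authorization codes issued by /authorize: code -> (client_id, redirect_uri).
# Each code is single use, so a replayed code is rejected (RFC 6749 section 4.1.2).
ISSUED_CODES = {"abc123": ("web-app", "https://app.example/cb")}
# CSRF tokens bound to browser sessions, used only by form endpoints such as /login.
SESSION_CSRF = {"sess-1": "tok-1"}


def _parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body, keeping the first value per key."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def handle_token(body: str, client_id: str, client_secret: str) -> dict:
    """RFC 6749 section 4.1.3 token endpoint: no CSRF token, the client authenticates itself.

    client_id/client_secret model the HTTP Basic credentials the client sends.
    """
    form = _parse_form(body)
    client = CLIENTS.get(client_id)
    # Constant-time comparison avoids leaking the secret through timing differences.
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    issued = ISSUED_CODES.pop(form.get("code", ""), None)  # pop: the code is consumed
    if issued is None or issued[0] != client_id or issued[1] != form.get("redirect_uri"):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def handle_login(body: str, session_id: str) -> dict:
    """Browser form endpoint: the posted CSRF token must match the session's token."""
    form = _parse_form(body)
    expected = SESSION_CSRF.get(session_id)
    if expected is None or not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return {"error": "csrf_token_mismatch"}
    return {"status": "ok", "user": form.get("username", "")}
```

The model shows why a blanket CSRF filter breaks the token endpoint: an external client never holds a browser session or its CSRF token, and its request is instead bound to the client's own credentials and a one-time code.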