Add ability to disable an endpoint

[SledgeHammer01]

trafficstars

Spin off of https://github.com/spring-projects/spring-authorization-server/issues/1454

Expected Behavior As discussed in #1454, there is no clean way to disable the endpoints (including removing the filters, etc) we don't want. In our case, we want ONLY /oauth2/token and disable everything else including ./well-known, etc.

Current Behavior Out of the box experience is that many endpoints are enabled for all the different flows, i.e. /authorization /.well-known, token revoke, introspect, etc.

Context From a security perspective, our company has regular pen testing and SecOps and we get complaints about disabling unnecessary endpoints to minimize attack vectors.

If the user is configured for client credentials post for example, they can still send requests to all the other oauth endpoints and they are returning 400s if the request is malformed, letting an attacker know they are there. Also this is adding unnecessary processing since the filters are there and do checks to validate the requests.