I have created a partially OAuth2-protected custom REST controller that is used as the backend for a Flutter mobile application. This controller has:
several methods for getting data from the database (OAuth2-protected)
one custom authentication method for token issuing (not protected)
From the generic REST API I am using only the refresh token method, since I was not able to implement it in my custom controller. I have studied the CUBA REST API Add-on (https://github.com/cuba-platform/restapi.git) but was unable to figure out where in the code token refresh was implemented.
My questions are the following:
Is it possible to create a refresh token method in a custom REST controller?
If I must use the generic REST API for token refreshing, is it possible to disable the other endpoints in the generic API?
Can I protect my custom method for token issuing with only a client_id and secret?
We use the Spring Security OAuth library in the REST API. Endpoints that issue access and refresh tokens are implemented there, in particular in the org.springframework.security.oauth2.provider.endpoint.TokenEndpoint class. You may take a look at how it is implemented there.
If you need to allow only specific URLs of the REST API, then take a look at this forum topic.
As for protecting token endpoints with basic authentication only, it doesn't conform to the OAuth specification. The standard CUBA REST API doesn't implement this. If you need to do it, you'll have to implement it in your application.
As I see, you don't plan to use anything from the CUBA standard REST API, and you also want to implement your own authentication. So, probably you don't need the CUBA REST API at all. You are free to use Spring MVC controllers only and implement everything there in the way you want.
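As an added example (not code from this thread, the CUBA REST API add-on, or Spring Security OAuth itself), here is what a refresh-token method in a custom Spring MVC controller can look like when it delegates to the same token services that TokenEndpoint uses instead of re-implementing token handling. It assumes spring-security-oauth2 2.x with AuthorizationServerTokenServices and ClientDetailsService beans already configured, and that the application's security configuration requires HTTP Basic client authentication on the hypothetical /app/auth/refresh path; the class and path names are assumptions.

```java
// Added example, not from the forum thread or the CUBA REST API add-on. Assumes spring-security-oauth2 2.x with
// AuthorizationServerTokenServices (e.g. DefaultTokenServices) and ClientDetailsService beans, and that the
// security config requires HTTP Basic client authentication on this (hypothetical) path.
import java.security.Principal;
import java.util.*;
import org.springframework.http.*;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.*;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.web.bind.annotation.*;

@RestController
public class RefreshTokenController {
    private final AuthorizationServerTokenServices tokenServices;
    private final ClientDetailsService clientDetailsService;
    public RefreshTokenController(AuthorizationServerTokenServices tokenServices, ClientDetailsService clients) {
        this.tokenServices = tokenServices;
        this.clientDetailsService = clients;
    }

    // Handles only the refresh_token grant (RFC 6749 section 6). The filter chain has already
    // authenticated the client, so its id is taken from the Principal, never from a request parameter.
    @PostMapping(value = "/app/auth/refresh", produces = "application/json")
    public ResponseEntity<Map<String, Object>> refresh(Principal client,
                                                       @RequestParam("refresh_token") String refreshToken) {
        ClientDetails details = clientDetailsService.loadClientByClientId(client.getName());
        if (!details.getAuthorizedGrantTypes().contains("refresh_token")) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body(Collections.<String, Object>singletonMap("error", "unauthorized_client"));
        }
        TokenRequest request = new TokenRequest(Collections.singletonMap("grant_type", "refresh_token"),
                details.getClientId(), details.getScope(), "refresh_token");
        try {
            // DefaultTokenServices rejects unknown, expired and wrong-client refresh tokens here.
            OAuth2AccessToken token = tokenServices.refreshAccessToken(refreshToken, request);
            Map<String, Object> body = new LinkedHashMap<>();
            body.put("access_token", token.getValue());
            body.put("token_type", token.getTokenType());
            body.put("expires_in", token.getExpiresIn());
            if (token.getRefreshToken() != null) body.put("refresh_token", token.getRefreshToken().getValue());
            // RFC 6749 section 5.1: token responses must not be cached.
            return ResponseEntity.ok().header("Cache-Control", "no-store").header("Pragma", "no-cache").body(body);
        } catch (OAuth2Exception e) {
            // Return only the standard error code; the exception message may echo the token value.
            return ResponseEntity.status(HttpStatus.BAD_REQUEST)
                    .body(Collections.<String, Object>singletonMap("error", e.getOAuth2ErrorCode()));
        }
    }
}
```

The client check and the delegation to refreshAccessToken are what keep this equivalent to the standard endpoint: a refresh token presented by a client other than the one it was issued to, or an expired one, is rejected by the token services rather than by ad hoc code in the controller.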