With CAS 6.6.x (current tests were with the CAS 6.6.6 and 6.6.7 overlay) I get from the OAuth endpoint oauth2.0/profile all the authentication attributes in addition to the attributes that should be released according to the attributeReleasePolicy in the service definition.
Unwanted parts of profile endpoint: ... "org.apereo.cas.authentication.Authentication": { "authenticationDate": "xxx", "principal": { "@class": "org.apereo.cas.authentication.principal.SimplePrincipal", "id": "xx", "attributes": { ... all available attributes and values and not only the ones from the release policy.. " "credentials": { ... } ... I tried to set configurations so that the endpoint does not release the authentication attributes in the profile endpoint. I set in the attribute release policy within the attributeReleasePolicy: "authorizedToReleaseAuthenticationAttributes": false I set in the cas.properties and tried: cas.authn.authentication-attribute-release.enabled=false And I tested cas.authn.authentication-attribute-release.never-release=authenticationMethod,successfulAuthenticationHandlers,authenticationDate with cas.authn.authentication-attribute-release.enabled=false and also tested cas.authn.authentication-attribute-release.enabled=true And I tested to reduce the information by only setting the authenticationDate, but also without consequences to the information of the endpoint cas.authn.authentication-attribute-release.enabled=true cas.authn.authentication-attribute-release.only-release=authenticationDate All configurations did not have any consequences at all on the profile endpoint. Any other ideas how to reduce the released information? Did I miss the right property for the proper configuration? With our running CAS 6.5.x the profile endpoint is alright as I only get back the "service", "attributes" (the ones from the attributeReleasePolicy) "id" and "client_id". We would like to have a similar behavior with CAS 6.6.x. In the logs I seem to see the "right" log messages. But as mentioned above no impact on the bahavior of the profile endpoint. 2023-04-27 10:33:42,044 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationAttributeReleasePolicy] - <Attribute release policy for service [.....] is configured to never release any authentication attributes>. Any hints would be great. Thank you in advance. Best regards Marie -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/fb9c4e44-7331-4fc0-b6a7-cdc0bd1d45f5n%40apereo.org.