Hello, 

I'm currently in the process of upgrading from 6.x to 7.2. We've been 
trying to disable caching in the attribute repositories when using OIDC. 
Caching was not disabled in our old deployment, but we need it disabled now.

However, when a client tries to reauthenticate using an SSO session, the old 
attributes are returned. If another client tries to use the SSO token, a 
list containing both the new and the old attributes is returned in the JWT. 

We already had to define IDs to avoid this bug 
https://groups.google.com/a/apereo.org/g/cas-user/c/0HjUqWsM0oE/m/X3s8loW8EgAJ.

In this example, the mail attribute behaves in this way.

Our service definitions are:

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "^https://.*",
  "name": "Test2",
  "evaluationOrder": 222,
  "logoutType": "FRONT_CHANNEL",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "mergingPolicy": "REPLACE",
    "principalAttributesRepository" : {
      "@class" : 
"org.apereo.cas.authentication.principal.cache.CachingPrincipalAttributesRepository",
      "expiration" : 1,
      "timeUnit": "SECONDS",
      "mergingStrategy" : "REPLACE",
      "attributeRepositoryIds": ["java.util.HashSet", ["attribute-repo-1", 
"attribute-repo-2", "attribute-repo-3", "attribute-repo-4"]]
    }
  },
  "logoutUrl": "https://localhost/oidc/logout",
  "clientSecret": "X",
  "clientId": "X",
  "bypassApprovalPrompt": true,
  "jwtAccessToken": true,
  "generateRefreshToken": true,
  "supportedGrantTypes":
  [
    "java.util.HashSet",
    [
      "password",
      "authorization_code",
      "refresh_token"
    ]
  ],
  "supportedResponseTypes":
  [
    "java.util.HashSet",
    [
      "code",
      "token"
    ]
  ],
"scopes" : [ "java.util.HashSet",
[ "openid", "profile", "email", ...]
]
}

and 

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "^https://.*",
  "name": "Test",
  "evaluationOrder": 222,
  "logoutType": "FRONT_CHANNEL",
   "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "mergingPolicy": "REPLACE",
    "principalAttributesRepository" : {
      "@class" : 
"org.apereo.cas.authentication.principal.cache.CachingPrincipalAttributesRepository",
      "expiration" : 1,
      "timeUnit": "SECONDS",
      "mergingStrategy" : "REPLACE",
      "attributeRepositoryIds": ["java.util.HashSet", ["attribute-repo-1", 
"attribute-repo-2", "attribute-repo-3", "attribute-repo-4"]]
    }
  },
  "logoutUrl": "https://localhost/oidc/logout",
  "clientSecret": "Y",
  "clientId": "Y",
  "bypassApprovalPrompt": true,
  "jwtAccessToken": true,
  "generateRefreshToken": true,
  "supportedGrantTypes":
  [
    "java.util.HashSet",
    [
      "password",
      "authorization_code",
      "refresh_token"
    ]
  ],
  "supportedResponseTypes":
  [
    "java.util.HashSet",
    [
      "code",
      "token"
    ]
  ],
"scopes" : [ "java.util.HashSet",
[ "openid", "profile", "email", ...]
]
}

This is a very simplified version of our application YAML:


cas:
  authn:
    oauth:
      ...
    oidc:
      core:
        issuer: "https://${CAS_SERVER_NAME}/cas/oidc"
        claims-map:
          cn: name
          mail: mail
          ...
        user-defined-scopes:
          myscope: "cn,mail,..."
      discovery:
        grant-types-supported: 
authorization_code,password,client_credentials,refresh_token
        scopes: openid,profile,email,myscope,...
        claims:
          - cn
          - mail
          ...
    attribute-repository:
      core:
        expiration-time: "0"
        merger: "REPLACE"
      jdbc:
        - sql: SELECT u.cn, u.mail, ... FROM ...
          id: "attribute-repo-1"
          username: cn
          user: ...
          password: ...
          driverClass: org.postgresql.Driver
          url: ...
          dialect: org.hibernate.dialect.PostgreSQLDialect
          pool:
            min-size: 1
        - sql: select ... 
          id: "attribute-repo-2"
          ...
        - singleRow: false
          sql: SELECT X FROM ... 
          id: "attribute-repo-3"
          ...
        - sql: select ...
          id: "attribute-repo-4"
          ...

The mail claim in the response JWT looks like this: 

 "mail": [
    "[email protected]",
    "[email protected]"
  ]
