CAS 6.6.x OAuth2 profile endpoint releases all authentication attributes

Marie Schaeffer

Apr 27, 2023, 1:14:23 PM4/27/23
to CAS Community
With CAS 6.6.x (current tests were with the CAS 6.6.6 and 6.6.7 overlay) I get from the OAuth endpoint oauth2.0/profile all the authentication attributes in addition to the attributes that should be released according to the attributeReleasePolicy in the service definition.

Unwanted parts of the profile endpoint response:
...
"org.apereo.cas.authentication.Authentication": {
    "authenticationDate": "xxx",
    "principal": {
        "@class": "org.apereo.cas.authentication.principal.SimplePrincipal",
        "id": "xx",
        "attributes": {
            ... all available attributes and values and not only the ones from the release policy ...
        }
    },
    "credentials": { ...
}
...

I tried to set configurations so that the endpoint does not release the authentication attributes in the profile endpoint.

I set in the attribute release policy within the attributeReleasePolicy:
  "authorizedToReleaseAuthenticationAttributes": false
I set in the cas.properties and tried:
cas.authn.authentication-attribute-release.enabled=false

And I tested
cas.authn.authentication-attribute-release.never-release=authenticationMethod,successfulAuthenticationHandlers,authenticationDate
with
cas.authn.authentication-attribute-release.enabled=false
and also tested
cas.authn.authentication-attribute-release.enabled=true

I also tried to reduce the information by releasing only authenticationDate, but again without any effect on the endpoint output:
cas.authn.authentication-attribute-release.enabled=true
cas.authn.authentication-attribute-release.only-release=authenticationDate

None of these configurations had any effect on the profile endpoint at all.
Any other ideas how to reduce the released information? Did I miss the right property for the proper configuration?

With our running CAS 6.5.x the profile endpoint is alright as I only get back the "service", "attributes" (the ones from the attributeReleasePolicy) "id" and "client_id". We would like to have a similar behavior with CAS 6.6.x.

In the logs I seem to see the "right" log messages, but as mentioned above there is no impact on the behavior of the profile endpoint:
2023-04-27 10:33:42,044 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationAttributeReleasePolicy] - <Attribute release policy for service [.....] is configured to never release any authentication attributes>.

Any hints would be great. Thank you in advance.

Best regards
Marie
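A regression check for the behaviour described in this post, added here as an example and not part of the original thread or of CAS itself. It parses a profile endpoint response and compares it against the allow-list of the service's attributeReleasePolicy: it flags the leaked "org.apereo.cas.authentication.Authentication" object, any "credentials" entry anywhere in the document, and principal attributes that go beyond the policy. The sample responses, the allow-list (mail, displayName) and the service/client values are constructed for the example; the expected top-level keys are the four the post reports for CAS 6.5.x.

```python
"""Audit a CAS OAuth2 profile response for over-released data (added example)."""
import json
import sys
from typing import Any

# Top-level keys the post reports for the CAS 6.5.x profile endpoint.
EXPECTED_TOP_LEVEL_KEYS = {"service", "attributes", "id", "client_id"}
# Key under which the post shows the full Authentication object leaking in 6.6.x.
AUTHN_KEY = "org.apereo.cas.authentication.Authentication"


def _find_key_paths(node: Any, wanted: str, path: str = "") -> list[str]:
    """Return a JSON-pointer-like path for every occurrence of key `wanted` in `node`."""
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            sub = f"{path}/{key}"
            if key == wanted:
                hits.append(sub)
            hits.extend(_find_key_paths(value, wanted, sub))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(_find_key_paths(value, wanted, f"{path}[{index}]"))
    return hits


def audit_profile(profile: dict, allowed_attributes: set[str]) -> dict:
    """Compare a parsed profile response with what the release policy permits."""
    principal_attrs = (
        profile.get(AUTHN_KEY, {}).get("principal", {}).get("attributes", {})
    )
    report = {
        # Anything beyond service/attributes/id/client_id is unexpected.
        "unexpected_top_level_keys": sorted(set(profile) - EXPECTED_TOP_LEVEL_KEYS),
        # The whole Authentication object should never be on the profile endpoint.
        "authentication_object_present": AUTHN_KEY in profile,
        # Credentials must not appear anywhere, however deeply nested.
        "credentials_paths": _find_key_paths(profile, "credentials"),
        # The policy-filtered map itself should stay within the allow-list.
        "over_released_attributes": sorted(
            set(profile.get("attributes", {})) - allowed_attributes
        ),
        # The leaked principal carries all attributes, not only the released ones.
        "principal_attributes_beyond_policy": sorted(
            set(principal_attrs) - allowed_attributes
        ),
    }
    report["clean"] = not any(
        report[k]
        for k in (
            "unexpected_top_level_keys",
            "authentication_object_present",
            "credentials_paths",
            "over_released_attributes",
            "principal_attributes_beyond_policy",
        )
    )
    return report


# Constructed allow-list standing in for the service's attributeReleasePolicy.
ALLOWED = {"mail", "displayName"}

# Constructed response shaped like the 6.5.x output the post describes.
CLEAN_PROFILE = {
    "service": "https://example.test/app",
    "attributes": {"mail": "user1@example.test", "displayName": "Test User"},
    "id": "user1",
    "client_id": "exampleclient",
}

# Constructed response shaped like the 6.6.x output the post complains about.
LEAKY_PROFILE = {
    **CLEAN_PROFILE,
    AUTHN_KEY: {
        "authenticationDate": "2023-04-27T10:33:42Z",
        "principal": {
            "@class": "org.apereo.cas.authentication.principal.SimplePrincipal",
            "id": "user1",
            "attributes": {
                "mail": "user1@example.test",
                "displayName": "Test User",
                "uid": "user1",
                "memberOf": ["staff"],
            },
        },
        "credentials": [{"@class": "example.CredentialMetadata", "id": "user1"}],
    },
}


if __name__ == "__main__":
    # Usage: python audit_profile.py [response.json]; defaults to the leaky sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else LEAKY_PROFILE
    print(json.dumps(audit_profile(data, ALLOWED), indent=2))
```

Run it against a saved response from oauth2.0/profile after each configuration change; a "clean": true result means the endpoint is back to the 6.5.x shape, while the "credentials_paths" and "principal_attributes_beyond_policy" fields show exactly which data is still escaping the release policy.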