Unable to disable attribute caching in 7.2


B. Kentsch

Nov 10, 2025, 11:33:46 AMNov 10
to CAS Community
Hello,

I'm currently in the process of upgrading from 6.x to 7.2. We've been trying to disable caching in the attribute repositories when using OIDC. Caching was not disabled in our old deployment, but we need it disabled now.

However, when a client tries to re-authenticate using an SSO session, the old attributes are returned. If another client then uses the same SSO token, a list containing both the old and the new attributes is returned in the JWT.

We already had to define attribute-repository IDs to work around this bug: https://groups.google.com/a/apereo.org/g/cas-user/c/0HjUqWsM0oE/m/X3s8loW8EgAJ.

In this example, the mail attribute behaves in this way.

Our service definitions are:

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "^https://.*",
  "name": "Test2",
  "evaluationOrder": 222,
  "logoutType": "FRONT_CHANNEL",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "mergingPolicy": "REPLACE",
    "principalAttributesRepository" : {
      "@class" : "org.apereo.cas.authentication.principal.cache.CachingPrincipalAttributesRepository",
      "expiration" : 1,
      "timeUnit": "SECONDS",
      "mergingStrategy" : "REPLACE",
      "attributeRepositoryIds": ["java.util.HashSet", ["attribute-repo-1", "attribute-repo-2", "attribute-repo-3", "attribute-repo-4"]]
    }
  },
  "logoutUrl": "https://localhost/oidc/logout",
  "clientSecret": "X",
  "clientId": "X",
  "bypassApprovalPrompt": true,
  "jwtAccessToken": true,
  "generateRefreshToken": true,
  "supportedGrantTypes":
  [
    "java.util.HashSet",
    [
      "password",
      "authorization_code",
      "refresh_token"
    ]
  ],
  "supportedResponseTypes":
  [
    "java.util.HashSet",
    [
      "code",
      "token"
    ]
  ],
"scopes" : [ "java.util.HashSet",
[ "openid", "profile", "email", ...]
]
}

and

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "^https://.*",
  "name": "Test",
  "evaluationOrder": 222,
  "logoutType": "FRONT_CHANNEL",
   "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "mergingPolicy": "REPLACE",
    "principalAttributesRepository" : {
      "@class" : "org.apereo.cas.authentication.principal.cache.CachingPrincipalAttributesRepository",
      "expiration" : 1,
      "timeUnit": "SECONDS",
      "mergingStrategy" : "REPLACE",
      "attributeRepositoryIds": ["java.util.HashSet", ["attribute-repo-1", "attribute-repo-2", "attribute-repo-3", "attribute-repo-4"]]
    }
  },
  "logoutUrl": "https://localhost/oidc/logout",
  "clientSecret": "Y",
  "clientId": "Y",
  "bypassApprovalPrompt": true,
  "jwtAccessToken": true,
  "generateRefreshToken": true,
  "supportedGrantTypes":
  [
    "java.util.HashSet",
    [
      "password",
      "authorization_code",
      "refresh_token"
    ]
  ],
  "supportedResponseTypes":
  [
    "java.util.HashSet",
    [
      "code",
      "token"
    ]
  ],
"scopes" : [ "java.util.HashSet",
[ "openid", "profile", "email", ...]
]
}

This is a very simplified version of our application YAML:


cas:
  authn:
    oauth:
      ...
    oidc:
      core:
        # Issuer host comes from an externalised property, not a literal in the file.
        issuer: "https://${CAS_SERVER_NAME}/cas/oidc"
        claims-map:
          cn: name
          mail: mail
          ...
        user-defined-scopes:
          myscope: "cn,mail,..."
      discovery:
        # NOTE(review): the `password` grant is advertised here and enabled in both
        # service definitions above; confirm the resource-owner-password flow is still
        # needed by these clients before carrying it over to 7.2.
        grant-types-supported: authorization_code,password,client_credentials,refresh_token
        scopes: openid,profile,email,myscope,...
        claims:
          - cn
          - mail
          ...
    attribute-repository:
      core:
        # Global attribute-repository cache expiration. Quoted, so YAML reads it as the
        # string "0" rather than an integer.
        # NOTE(review): both service definitions above also declare their own
        # CachingPrincipalAttributesRepository (expiration 1 SECONDS); confirm which of
        # the two settings governs the SSO re-authentication case described in the post.
        expiration-time: "0"
        # REPLACE is set here and as mergingStrategy in the service policies, yet the
        # JWT excerpt at the end of the post still carries two values for `mail`.
        merger: "REPLACE"
      jdbc:
        # Each repository carries an explicit `id`; these are the values listed under
        # attributeRepositoryIds in the service definitions above.
        - sql: SELECT u.cn, u.mail, ... FROM ...
          id: "attribute-repo-1"
          username: cn
          # Credentials are elided in this excerpt; keep the real values out of the
          # committed file (externalised property or secret store), as done for the issuer.
          user: ...
          password: ...
          driverClass: org.postgresql.Driver
          url: ...
          dialect: org.hibernate.dialect.PostgreSQLDialect
          pool:
            min-size: 1
        - sql: select ...
          id: "attribute-repo-2"
          ...
        - singleRow: false
          sql: SELECT X FROM ...
          id: "attribute-repo-3"
          ...
        - sql: select ...
          id: "attribute-repo-4"
          ...

The response jwt looks like this:

 "mail": [
    "o...@mail.com",
    "n...@mail.com"
  ]