If your CAS server is functioning as an OAuth or OpenID Connect identity provider **AND** you have configured the system to create and share **access tokens as JWTs**, you are affected by this issue, which mistakenly allows CAS to ignore the attribute/claim release policies assigned to the application definition and to release all possible claims to the application as part of the JWT access token. The patch releases listed below should help CAS re-evaluate the claim release policy of the application before building and sharing a JWT access token. There are also smaller measures in place to ensure CAS selects the correct *indexed* service definition during request processing, particularly if and when the service definition record is modified dynamically at runtime.
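A quick way to confirm whether a deployment is affected is to take a JWT access token that CAS issued to an application with a restrictive release policy and compare the claims in its payload against the attributes that policy allows: any claim outside the allowed set (and outside the standard JWT/OAuth claims) is over-release. The script below is an added example and is not CAS code; the service definition and the two sample tokens are constructed inline, the JSON shape is modelled on CAS's JSON service registry with a `ReturnAllowedAttributeReleasePolicy`, and the tokens carry a placeholder signature because the audit only needs the payload CAS wrote, not signature verification.

```python
import base64
import json

# Constructed sample service definition. The shape mirrors CAS's JSON service
# registry format (assumption: exact field layout may differ across versions).
SERVICE_DEFINITION = {
    "@class": "org.apereo.cas.services.OidcRegisteredService",
    "clientId": "example-client",
    "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
        "allowedAttributes": ["java.util.ArrayList", ["mail", "displayName"]],
    },
}

# Registered JWT claims and OAuth token metadata; these are not user attributes
# governed by the release policy, so they are excluded from the comparison.
STANDARD_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "nbf", "jti",
                   "client_id", "scope", "grant_type"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact JWT serialisation strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Build a JWT-shaped token for offline testing (constructed sample).
    The signature segment is an empty placeholder, not a real signature."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying it.
    We are auditing what the issuer put in the token, so no key is needed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def allowed_attributes(service: dict) -> set:
    """Extract the allowed attribute names from the service's release policy."""
    policy = service.get("attributeReleasePolicy", {})
    allowed = policy.get("allowedAttributes", [])
    # CAS serialises lists as ["java.util.ArrayList", [...]]; accept a plain list too.
    if len(allowed) == 2 and isinstance(allowed[1], list):
        allowed = allowed[1]
    return set(allowed)


def over_released_claims(token: str, service: dict) -> set:
    """Return the claims in the token that the release policy does not allow."""
    claims = set(jwt_claims(token)) - STANDARD_CLAIMS
    return claims - allowed_attributes(service)


# Constructed sample tokens: one honouring the policy, one releasing everything.
CLEAN_TOKEN = make_sample_jwt({
    "iss": "https://cas.example.org/cas/oidc", "sub": "jdoe",
    "aud": "example-client", "exp": 1700000000,
    "mail": "jdoe@example.org", "displayName": "J. Doe",
})
LEAKY_TOKEN = make_sample_jwt({
    "iss": "https://cas.example.org/cas/oidc", "sub": "jdoe",
    "aud": "example-client", "exp": 1700000000,
    "mail": "jdoe@example.org", "displayName": "J. Doe",
    "givenName": "Jane", "memberOf": ["admins"], "employeeNumber": "12345",
})

if __name__ == "__main__":
    for label, token in (("clean", CLEAN_TOKEN), ("leaky", LEAKY_TOKEN)):
        extra = over_released_claims(token, SERVICE_DEFINITION)
        print(f"{label}: over-released claims = {sorted(extra) or 'none'}")
```

Run it against a real token by replacing `LEAKY_TOKEN` with one issued by the CAS instance under test and `SERVICE_DEFINITION` with the application's actual registry entry; an empty result after applying the patch release, and a non-empty one before, is the expected before/after behaviour described above.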