"display=false" attribute for custom attributes in OAuthV2 policy does not persist

When using the OAuthV2 policy and setting custom attributes with "display=false" on the access token, this setting does NOT persist when a RefreshAccessToken operation for the original token is executed.

An OAuthV2 RefreshAccessToken operation after the initial call returns a token with all custom attributes.

This persistence issue results from a design choice that favors a small overhead in order to maintain low latency.

To avoid returning custom properties with a refresh token that should not be returned, the attributes need to be removed inside the proxy. For example, this can be achieved with a post-processing JS policy that removes custom attributes that need
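One way to write the post-processing step described above, as an added example that is not from the original article or from Apigee. The attribute names, the sample response and the use of the `response.content` flow variable are assumptions; the code is ES5 so it can run in a JavaScript policy and stand-alone.

```javascript
// Added example: strips custom attributes that were set with display="false"
// from a token response before it leaves the proxy.

// Hypothetical names of the custom attributes that must never be returned.
var HIDDEN_ATTRIBUTES = ['internal_user_id', 'risk_tier'];

// Constructed sample of a refresh response that exposes both hidden attributes.
var SAMPLE_REFRESH_RESPONSE = JSON.stringify({
  access_token: 'constructed-access-token',
  refresh_token: 'constructed-refresh-token',
  token_type: 'Bearer',
  expires_in: '1799',
  internal_user_id: 'u-1001',
  risk_tier: 'high',
  tenant: 'acme'
});

// Returns { body, removed }: the filtered JSON body and the names stripped.
// Throws on a body that is not a JSON object, so an unparseable response is
// never passed through unfiltered (an uncaught error fails the policy step).
function stripHiddenAttributes(body, hiddenNames) {
  var parsed = JSON.parse(body);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('token response is not a JSON object');
  }
  var hidden = Object.create(null);
  hiddenNames.forEach(function (name) { hidden[name] = true; });

  var kept = {};
  var removed = [];
  Object.keys(parsed).forEach(function (key) {
    if (hidden[key] === true) {
      removed.push(key);
    } else {
      kept[key] = parsed[key];
    }
  });
  return { body: JSON.stringify(kept), removed: removed };
}

// Proxy wiring (assumption: the step runs after the OAuthV2 policy, where the
// generated token response is available as the response.content variable).
if (typeof context !== 'undefined') {
  var result = stripHiddenAttributes(
    context.getVariable('response.content'), HIDDEN_ATTRIBUTES);
  context.setVariable('response.content', result.body);
}
```

Attaching the same step to both the initial token flow and the refresh flow keeps the two responses consistent, since filtering a response that already lacks the attributes leaves it unchanged.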

Last update: 08-29-2017 10:08 PM