Re: [scim] Setting a mutability value such as readOnly or readWrite for whole SCIM resources
Phillip Hunt <phil.hunt@independentid.com> Thu, 08 December 2022 18:57 UTC
Return-Path: <phil.hunt@independentid.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA92BC14F730 for <scim@ietfa.amsl.com>; Thu, 8 Dec 2022 10:57:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KtqykJQUx4jq for <scim@ietfa.amsl.com>; Thu, 8 Dec 2022 10:57:53 -0800 (PST)
Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7768C14CE38 for <scim@ietf.org>; Thu, 8 Dec 2022 10:57:53 -0800 (PST)
Received: by mail-pf1-x42c.google.com with SMTP id 124so2036328pfy.0 for <scim@ietf.org>; Thu, 08 Dec 2022 10:57:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20210112.gappssmtp.com; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=1Zb6lJ8aB5uLDuXbGV2hVFAE+TGTnvrCAoAX+tKzNK4=; b=0hcRTuEnbb/MEhDspHuAdCg23b7mohsiQk3QF6FF0V9B+h8aHy4ckjy05yYFw7Yo0v 4dbZxyZVrGemtja/0rn+KWwhrXI8WFncVz6v2CXzfp5fBonXAlXpT+ASDHmTDsgrw0tO jOcvkV8obbyQmBoCEBuHpa8nBgGH8fl33EiqdN8527tEwwhMabuSJ0LGmauQ6660zIaB Q5GP82K7ACHttpilohnF3WmiybaQuH0sbyeta+Px17oeEsiWfWAkx6ebZvAGXp4jAk3Z 9xPAy9qhjm98vHwOotWSYNbMSO1/fUf/24/L0rkU64lE08cHCIpCgY5Mx6TmmqeFxM7e UJfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=1Zb6lJ8aB5uLDuXbGV2hVFAE+TGTnvrCAoAX+tKzNK4=; b=CYGuqipxOfAVGiIsFjEfp0d5R7D+VlfKtCPDTLYYA23mY5ZV6cpGFeaMHBh9mUdSmq ECVSJxPBHo0OF3l8je8sQpEDxORyOio//gfZUYS/lFcnWq6hJl+4NA0WaBXX6LiaPLcL IbGZD2682Kk/KqkYYB8zWN/r3j+bp/xpTXdAbP0xzazk/youIJvDLEm3MBpF0MHavOxt TMz8TP9iPCJ8lJRSQDQBCTs7F5gDS894YJaehOHWmVtXkJeUqFdaNPIM+4g7aXsVQyrL auiPFjbUvTWug12k0CBccNE3vqrkFc2kVa8cC474EbPsWGmtmMaQMwRW/jyOQOyC8SLH 0Ktw==
X-Gm-Message-State: ANoB5pm/d36nbKhB83cUsl3lk4rw88kveasr6BNVK1chdmneBVLXq6KP 2CS/xQogBFVbTHX5dFSHutQjkmooqjq8SMeg6kQ=
X-Google-Smtp-Source: AA0mqf5UAIi4ZdSelE0zHrRi/pFNASi0gUWlyLNqH5P5V8pdhyi6+rtoyZTSCfNK0mioxub/UNpqAw==
X-Received: by 2002:a05:6a00:1786:b0:566:901d:cbef with SMTP id s6-20020a056a00178600b00566901dcbefmr3919646pfg.1.1670525873141; Thu, 08 Dec 2022 10:57:53 -0800 (PST)
Received: from smtpclient.apple (node-1w7jr9plyoqwtilmjjaneohes.ipv6.telus.net. [2001:569:540c:4900:5d9f:82cc:370d:5824]) by smtp.gmail.com with ESMTPSA id x13-20020aa79acd000000b00577986d77c5sm2743722pfp.152.2022.12.08.10.57.52 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 08 Dec 2022 10:57:52 -0800 (PST)
From: Phillip Hunt <phil.hunt@independentid.com>
Message-Id: <3CC40FEB-2F7D-41EF-ADB7-B96B98D21F15@independentid.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F916703C-04AB-440D-A70C-F403E6DB2C53"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\))
Date: Thu, 08 Dec 2022 10:57:41 -0800
In-Reply-To: <621ed78f-5071-cff5-3d5a-92446647f22e@audriga.com>
Cc: scim@ietf.org
To: Hans-Joerg Happel <happel@audriga.com>
References: <621ed78f-5071-cff5-3d5a-92446647f22e@audriga.com>
X-Mailer: Apple Mail (2.3731.200.110.1.12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/04gZmvCnF8XAMYDU0_V8KUnWeCk>
Subject: Re: [scim] Setting a mutability value such as readOnly or readWrite for whole SCIM resources
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Dec 2022 18:57:54 -0000
Hans, If I understand your case (resource mutability), it can be handled with access controls in order to determine if/when a client may update a particular resource or resource type. As with LDAP specifications of the past and the wide variance of access/authoriztion in http services, the SCIM specs are silent on how access policy is defined/managed. Per Sec 3.12, SCIM follows the HTTP specs for signalling errors (e.g. 403 Forbidden). In the error response payload (shown at the end of 3.12) you could give a detail value that indicates mutability as the reason for the 403. The issue here is that most clients would ignore the detail response. Still its useful if a support person is trying to figure out why the operation is failing. Attribute mutability in the spec is defined because it does impact the overall protocol. For example on a PUT, a readOnly value is ignored, On a GET and writeOnly value (e.g. password) is never returned. Hope this helps! Phillip Hunt phil.hunt@independentid.com > On Dec 8, 2022, at 9:25 AM, Hans-Joerg Happel <happel@audriga.com> wrote: > > Hi, > > RFC 7643 allows to define a "mutability" to SCIM resource attributes to express if a certain attribute is, e.g., readOnly, readWrite, or writeOnly. > > We've some cases where we would like to have a "mutability" value assigned to whole SCIM resources instead of attributes only (This might also be a relevant feature in the light of the discussion at the recent SCIM interim about multiple different SCIM "actors" interacting). > > As far as I see, this is not possible based on the current spec. So some workaround for an SCIM endpoint right now might just be to return some error code on HTTP level [2], if, e.g., a request tries to write a resource which cannot be written for some reason. > > However, perhaps I am missing something here? > > Otherwise, this might be a candidate for a rfc7643bis. Is there already a place where we track issues for those? > > Thanks and best, > Hans-Joerg > > ps.: In addition, the (im)mutability of SCIM "service provider configuration" endpoints (/ServiceProviderConfig, Schemas and /ResourceTypes) seems to be rather implicitly specified currently (https://datatracker.ietf.org/doc/html/rfc7644#section-4): "SCIM defines three endpoints to facilitate discovery of SCIM service provider features and schema that MAY be retrieved using HTTP GET:" > > [1] https://datatracker.ietf.org/doc/html/rfc7643#section-2-2 > [2] https://datatracker.ietf.org/doc/html/rfc7644#section-3.2 > > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim
- [scim] Setting a mutability value such as readOnl… Hans-Joerg Happel
- Re: [scim] Setting a mutability value such as rea… Phillip Hunt
- Re: [scim] Setting a mutability value such as rea… Hans-Joerg Happel