Re: [scim] [EXTERNAL] Query on a specific known resource

Danny Zollner <Danny.Zollner@microsoft.com> Thu, 07 July 2022 18:05 UTC

From: Danny Zollner <Danny.Zollner@microsoft.com>
To: Phillip Hunt <phil.hunt@independentid.com>, Julien Schneider <julien@audriga.com>
CC: "scim@ietf.org" <scim@ietf.org>
Date: Thu, 07 Jul 2022 18:04:50 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/xVF31HrWR5QQvniwXHffjh4UFqs>
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>

Hi Phil,

I'm attempting to clarify what you've said here for both my own knowledge and others. Anything under a subsection of RFC 7644 3.4.2 counts as a query. Query endpoints can be /Users/{id}, /Users, /Groups, and although not explicitly listed - /AnyOtherResource/{id} as well.

Features that fall under the label of queries and therefore require a ListResponse type response would be:

Filtering - i.e.: GET /x?filter=userName eq "blah"
Sorting
Pagination
Attributes - both ?attributes= and ?excludedAttributes=

Looking at 3.4.2.1, where the query endpoints are listed, the following parts of 3.4.2.x make sense and what you're saying is apparent. From my own observations, I think there may be hundreds of implementations out there that implement ?attributes and ?excludedAttributes without a ListResponse wrapper when the query URL is a known resource such as GET /Groups/456?excludedAttributes=members.

I think we're still a while away from attempting major changes to the protocol and schema RFCs, but in the future I'd be interested in having a discussion on adding an exception to the ListResponse requirement for querying known resources. The attributes queries are a bit different from the others. For filter, sort and paginate you can only really use them against the root of the server or the root of a resource (i.e.: /Users) as I understand it. I can't think of a scenario where you'd do a filter like GET /Users/123?filter=userName eq "x" - is there a use case there that I'm missing? Similarly, I can't think of scenarios where you'd sort or paginate results for GET /Users/123.

Thanks,

Danny

From: Phillip Hunt <phil.hunt@independentid.com>
Sent: Thursday, July 7, 2022 12:36 PM
To: Julien Schneider <julien@audriga.com>
Cc: Danny Zollner <Danny.Zollner@microsoft.com>; scim@ietf.org
Subject: Re: [scim] [EXTERNAL] Query on a specific known resource

Julien,

You are not wrong.  All queries regardless of path MUST have a ListResponse.

It may seem logical to make the jump to just returning a single resource for a query that can only return a single result, but this is not permitted in the RFC. From a protocol point of view, allowing skipping ListResponse makes the protocol more complex because it creates "exceptions" which have to be handled. For example, what happens if no filter match etc.

For the group: For historical information, the issue is actually more complex than it seems. For SCIM queries SCIM's profile of HTTP overrides both HTTP GET (retrieves a resource) and HTTP POST (create a resource) to perform a search function. In the case of GET, url based filters cause privacy concerns because of the leak of confidential information in URLs. The GET method does not allow request bodies. Because of this, SCIM also supports http POST queries. The HTTP definition suggests creation of a resource. Dual purposing these methods for search queries created necessary complexity. One of the basic rules of thumb is that whenever a "filter" shows up in a request, the request becomes a SCIM Query which mandates a ListResponse.

I discussed this at length with authors of the HTTP specifications and worked with Julian Reschke (co-author of HTTP) to submit a proposal for a HTTP SEARCH method. This would unburden GET and POST methods and simplify protocol overall. Julian indicated to me at the time of finalizing SCIM (around IETF93), that this issue comes up frequently for him as one of the HTTP authors. In the end, the HTTPbis WG chose not to create a new method because there is too much water under the bridge. See: https://httpwg.org/wg-materials/ietf93/ietf-93-httpbis-search.pdf

Phillip Hunt
@independentid
phil.hunt@independentid.com

On Jul 7, 2022, at 12:57 AM, Julien Schneider <julien@audriga.com> wrote:

Hi Danny, hi Phillip, hi everyone,

Thanks for your answers. I think the confusing part (for me at least) is "Queries MAY be made against a single resource or a resource type endpoint ......." at the beginning of RFC7644 section 3.4.2., followed by "Responses MUST be identified using the following URI: "urn:ietf:params:scim:api:messages:2.0:ListResponse" ".

My interpretation is that "GET /Users/2819c223-7f76-453a-919d-413861904646?attributes=userName" is a query against a single resource, and should then have a "ListResponse" response? Where am I wrong here?

Thanks

Julien Schneider
Tel: +49 721 170293 16
Fax: +49 721 170293 179

http://www.audriga.com | http://www.twitter.com/audriga

--------------------------------------------------------------------------
audriga GmbH | Alter Schlachthof 57 | 76137 Karlsruhe
Registered office: Karlsruhe - District Court Mannheim - HRB 713034
Managing directors: Dr. Frank Dengler, Dr.-Ing. Hans-Jörg Happel
--------------------------------------------------------------------------

On 07/07/2022 04:51, Danny Zollner wrote:
Hi Julien,

RFC 7644 section 3.4.2 specifically is talking about queries. Retrieving or modifying known resources (i.e.: GET /Users/12345 ) does not require a ListResponse type response. A query of GET /Users?filter=displayname contains "contoso.com" or GET /Users?attributes=userName would require a ListResponse type response, as it does not identify a specific resource in the query URL via ID value (i.e.: "12345" in the previous example). On the other hand, GET /Users/12345?attributes=userName does not require the ListResponse type response as it does identify a specific resource.

To explicitly answer the final question in your email - the expected response to GET /Users/2819c223-7f76-453a-919d-413861904646?attributes=userName would be the second example you provided.

Cheers,

Danny Zollner

From: scim <scim-bounces@ietf.org> On Behalf Of Julien Schneider
Sent: Wednesday, July 6, 2022 3:41 AM
To: scim@ietf.org
Subject: [EXTERNAL] [scim] Query on a specific known resource

Hi all,

I have a question about queries performed against a SCIM resource object (like "/Users/{id}").

The RFC (https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2) states:

Responses MUST be identified using the following URI:

   "urn:ietf:params:scim:api:messages:2.0:ListResponse"

If I understand correctly, that means the "schemas" parameter of the response to those queries must be set to:

"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"]

While I understand how that applies to queries on a resource type endpoint (like "/Users") or on the SCIM server root, I don't understand how that applies to queries on a specific resource object.
If I understand correctly, queries on a specific resource object actually are quite identical to "retrieving a known resource" (https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.1) which are a GET on a specific resource, like:

GET /Users/2819c223-7f76-453a-919d-413861904646
Responses to those requests should have the "schemas" parameter set to the resource schema(s):

{
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id":"2819c223-7f76-453a-919d-413861904646",
...
}

Now, how should the response to the following query look like? And to what value should the "schemas" parameter of the response be set?

GET /Users/2819c223-7f76-453a-919d-413861904646?attributes=userName

Should it be:

   {
     "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
     "totalResults":1,
     "Resources":[
       {
         "id":"2819c223-7f76-453a-919d-413861904646",
         "userName":"bjensen"
       }
     ]
   }

Or something like:

   {
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id":"2819c223-7f76-453a-919d-413861904646",
     "meta":{
       "resourceType":"User",
       "created":"2011-08-01T18:29:49.793Z",
       "lastModified":"2011-08-01T18:29:49.793Z",
       "location":
   "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
       "version":"W\/\"f250dd84f0671c3\""
     },
     "userName":"bjensen"
   }

Thanks a lot in advance



--

Julien Schneider

_______________________________________________
scim mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim
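
Added example (not part of the thread and not code from any participant or implementation mentioned in it): a client-side normalizer in Python that accepts both response shapes debated above for GET /Users/{id}?attributes=userName, the ListResponse envelope and the bare resource, and also handles an empty ListResponse. The function names and the `expected_id` check are assumptions of this sketch; the sample bodies follow the two candidate responses quoted in the original question.

```python
import json
from urllib.parse import urlsplit, parse_qs

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
# Parameters the thread lists as query features: filtering, sorting,
# pagination and attribute selection.
QUERY_PARAMS = {"filter", "sortBy", "sortOrder", "startIndex", "count",
                "attributes", "excludedAttributes"}


def is_scim_query(url):
    """True if the URL carries any query parameter, whatever the path is."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return bool(QUERY_PARAMS & set(params))


def resources_from_response(body, expected_id=None):
    """Return the resources in a SCIM response body as a list of dicts.

    Accepts a ListResponse envelope or a bare resource, since the thread notes
    that servers differ for queries on a known resource. expected_id is a
    hypothetical client-side check: reject a resource the caller did not ask for.
    """
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("SCIM response must be a JSON object")
    if LIST_RESPONSE in doc.get("schemas", []):
        resources = doc.get("Resources", [])  # may be absent when nothing matched
        total = doc.get("totalResults")
        if not isinstance(total, int) or total < len(resources):
            raise ValueError("inconsistent totalResults in ListResponse")
    else:
        if "id" not in doc:
            raise ValueError("neither a ListResponse nor a resource with an id")
        resources = [doc]
    if expected_id is not None:
        if len(resources) > 1 or any(r.get("id") != expected_id for r in resources):
            raise ValueError("response contains a resource other than " + expected_id)
    return resources


# Sample bodies follow the two candidate responses quoted in the thread.
USER_ID = "2819c223-7f76-453a-919d-413861904646"
WRAPPED = json.dumps({"schemas": [LIST_RESPONSE], "totalResults": 1,
                      "Resources": [{"id": USER_ID, "userName": "bjensen"}]})
BARE = json.dumps({"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                   "id": USER_ID, "userName": "bjensen"})
# Constructed for this example: a ListResponse with no match.
EMPTY = json.dumps({"schemas": [LIST_RESPONSE], "totalResults": 0})

if __name__ == "__main__":
    for name, body in (("wrapped", WRAPPED), ("bare", BARE), ("empty", EMPTY)):
        names = [r["userName"] for r in resources_from_response(body, USER_ID)]
        print(name, names)
```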