Re: [scim] How to check isUsernameExist for Self Sign Up

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Thu, 02 February 2017 19:54 UTC

From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
In-Reply-To: <CALzgRAC4ka-r1rzXJ=3KPqO=zUmgojp2seGka0D61+85Uxve4g@mail.gmail.com>
Date: Thu, 02 Feb 2017 11:54:23 -0800
Message-Id: <23158D21-2EC9-4E0B-8592-17779D0E1311@oracle.com>
References: <CALzgRADp+vQfzQT9MEHWKiLJWH4kaSKtCUHDBOot79y18xyV0g@mail.gmail.com> <96ACFE7E-9A4C-4010-B43B-50D4086D0C49@oracle.com> <CALzgRAC4ka-r1rzXJ=3KPqO=zUmgojp2seGka0D61+85Uxve4g@mail.gmail.com>
To: Gayan Gunawardana <gayan@wso2.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/GNBqjAvt2EZB8lPQRoU4zY_K3zs>
Cc: scim@ietf.org
Subject: Re: [scim] How to check isUsernameExist for Self Sign Up
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>

Inline

Phil

> On Feb 2, 2017, at 11:27 AM, Gayan Gunawardana <gayan@wso2.com> wrote:
> 
> Hi Phil,
> 
>> On Fri, Feb 3, 2017 at 12:19 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>> Gayan,
>> 
>> Keep in mind SCIM is just a RESTful api. There are no functional methods like isUsernameExist.
> Yes, totally understood.
>> 
>> You can…
>> 
>> 1.  Just try HTTP POST to create the user and if there is a conflict, it gets rejected.  This is probably easiest.
>> 
>> 2.  Use GET /Users?filter="(userName eq \"val\")"&attributes=id.  If no records are returned, there were no matches. If you get a return, it is in use.  Note, either way, you will get a successful response.
> Yes, both [1] and [2] are possible, but the problem is that a self sign-up user (before self sign-up) does not have valid credentials to perform the above operations.

As I described, an app could register as a developer or use dyn reg.
>   
>> 
>> Note, I suspect it is possible that despite checking with #2, you might still get a rejection when you POST. This might be due to a reserve or lock on the username or other identifier.
>> 
>> Your rights as an administrative client will also impact what you get back with the query in particular.  For example, if you are querying anonymously, you might get no matches because the service provider has determined it is not going to answer you and confirm the presence or absence of the match.
> Are there any security constraints for service providers to behave like that for anonymous requests?

Yes, DoS attacks are a concern that prevents totally anonymous registration. You need some trusted broker like a web or mobile app.

Also, many IdPs likely have a vetting process to establish some assurance about claims. E.g. when an enterprise calls SCIM, the enterprise is judged authoritative over employee assertions.

Others might do secondary validation (e.g. email confirmation).

All of this is really outside the scope of the provisioning protocol but part of the larger IDM services approach.
>> 
>> Likewise, many service providers will have DoS and other security restrictions on what clients can register.  
>> 
>> E.g. to moderate the need for “anonymous” registration, a mobile app could register with the service provider to obtain a “public” OAuth client credential that gives the mobile client the right to register a new user profile on behalf of the user (e.g. by using profile data from the mobile phone).
>> 
>> Phil
>> 
>> Oracle Corporation, Identity Cloud Services & Identity Standards
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>> 
>>> On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana <gayan@wso2.com> wrote:
>>> 
>>> Hello,
>>> 
>>> According to [1], self sign-up can be achieved via sending an authenticated request to /Me.
>>> 
>>> What is the proper way to check isUsernameExist before self sign-up?
>>> 
>>> [1] https://tools.ietf.org/html/rfc7644#section-3.11
>>> 
>>> Thanks,
>>> Gayan
>>> -- 
>>> Gayan Gunawardana
>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: gayan@wso2.com 
>>> Mobile: +94 (71) 8020933
>> 
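As an added illustration of the two checks Phil describes in this thread (a filtered GET on userName, and a POST that the provider rejects on conflict), written here in Python; it is not code from the thread or from any SCIM implementation, and the function names, filter escaping and sample payloads are my own assumptions:

```python
import json
from urllib.parse import urlencode

# Constructed sample payloads, shaped like RFC 7644 ListResponse / Error bodies.
SAMPLE_LIST_MATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{"id": "example-id-0001"}],
}
SAMPLE_LIST_EMPTY = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 0,
    "Resources": [],
}
SAMPLE_CONFLICT = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
    "status": "409",
    "scimType": "uniqueness",
    "detail": "userName already in use",
}

def build_username_query(user_name: str) -> str:
    """Approach 2: GET /Users?filter=userName eq "<name>"&attributes=id."""
    # json.dumps yields the double-quoted, JSON-escaped string that the filter
    # grammar (RFC 7644 section 3.4.2.2) uses for a string compValue, so quotes
    # or backslashes in a user-supplied name cannot change the filter's meaning.
    flt = f"userName eq {json.dumps(user_name)}"
    return "/Users?" + urlencode({"filter": flt, "attributes": "id"})

def username_visible(list_response: dict) -> bool:
    """True if the query showed a match. A zero count only means no *visible*
    match: as the thread notes, a provider may withhold results from an
    anonymous or low-privilege client, so treat this as advisory only."""
    return int(list_response.get("totalResults", 0)) > 0

def classify_create_response(status: int, body: dict) -> str:
    """Approach 1: POST /Users and let the provider decide; 409 with
    scimType "uniqueness" is the conflict case, and is the authoritative answer."""
    if status == 201:
        return "created"
    if status == 409 and body.get("scimType") == "uniqueness":
        return "username_taken"
    return f"error:{status}"
```

Even when the filtered GET shows no match, the POST can still be rejected (a reserved or locked name), so a self sign-up flow should be driven by the create response rather than by the lookup.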