Re: [scim] [INPUT REQUESTED] Re: Detailed error and status codes
Phil Hunt <phil.hunt@oracle.com> Wed, 25 June 2014 19:07 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B133E1B2E48 for <scim@ietfa.amsl.com>; Wed, 25 Jun 2014 12:07:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.651
X-Spam-Level:
X-Spam-Status: No, score=-3.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_38=0.6, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lJlwyjuQRv0x for <scim@ietfa.amsl.com>; Wed, 25 Jun 2014 12:07:28 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3B6A1B2E2E for <scim@ietf.org>; Wed, 25 Jun 2014 12:07:15 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s5PJ7E98006610 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <scim@ietf.org>; Wed, 25 Jun 2014 19:07:15 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s5PJ7Dil002362 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <scim@ietf.org>; Wed, 25 Jun 2014 19:07:14 GMT
Received: from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25]) by userz7022.oracle.com (8.14.5+Sun/8.14.4) with ESMTP id s5PJ7CVQ004703 for <scim@ietf.org>; Wed, 25 Jun 2014 19:07:13 GMT
Received: from [192.168.1.188] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 25 Jun 2014 12:07:12 -0700
From: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_38D9A428-B9D6-44F4-9B62-547F06596BC5"
Message-Id: <C69F2063-B082-4ACC-A0B7-3FBF81083086@oracle.com>
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
Date: Wed, 25 Jun 2014 12:07:11 -0700
References: <65922FF3-8637-4116-B336-C5424BF9BAAB@oracle.com> <53A9D021.2060906@gmx.de> <71B45AEC-9B79-4F3F-A933-23B0C2AF868E@oracle.com> <BE66EB70-40F3-4FC3-87DA-F828DDB300AD@nexusgroup.com>
To: Scim WG <scim@ietf.org>
In-Reply-To: <BE66EB70-40F3-4FC3-87DA-F828DDB300AD@nexusgroup.com>
X-Mailer: Apple Mail (2.1878.2)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Archived-At: http://mailarchive.ietf.org/arch/msg/scim/Hxz_rp8IwQWzLIYmTuJ3G4kHVAM
Subject: Re: [scim] [INPUT REQUESTED] Re: Detailed error and status codes
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jun 2014 19:07:39 -0000
On the call today (Erik, Bjorn, Morteza, and myself), we discussed the error issue.
The major concern with the draft suggested by Julian is really one of timing - we would prefer not to hold SCIM up. A good middle-ground approach is to align with the draft, but define the error fully within SCIM (using the SCIM mime type and schema namespace).
The proposal on the call is to SCIM mime/type of application/scim+json in error responses and include the SCIM error message schema declaration.
{
“schema”: "urn:scim:api:messages:2.0:Error” (indicates the SCIM message type)
"scimType" - a keyword indicating the detail error (e.g. “mutability”)
"status" - the HTTP status (should correspond to the response header)
"detail" - a detailed, human-readable message
}
Servers MAY return additional attributes (e.g. ones from http-problem draft). The only mandatory attributes are “schema” and “status”. For example on anonymous self-registration scenarios, servers may be unwilling to give detail error responses for security reasons.
The reason for using scimType (instead of type) is to avoid any confusion with “type” from draft-nottingham-http-problem and its eventual use of “type”.
In a future update to SCIM we can then transition to align with the HTTP Problem draft by simply adding “type” in the way it defines.
Phil
@independentid
www.independentid.com
phil.hunt@oracle.com
On Jun 25, 2014, at 12:25 AM, Erik Wahlström <erik.wahlstrom@nexusgroup.com> wrote:
> So that would make it look like the following right?
>
> {
> "schemas": ["urn:scim:api:messages:2.0:Error"],
> "Error":
> {
> "type": "urn:scim:api:error:2.0:mutability",
> "title": “Attribute is readOnly.",
> "detail": “Attribute 'id' is readOnly and can’t be changed in a PATCH request.",
> “status": 400
> }
> }
>
> I replaced Errors with Error.
> Also replaced urn:scim:error:api:2.0:mutability with urn:scim:api:error:2.0:mutability
>
> That works for me.
> / Erik
>
>
>
> On 25 Jun 2014, at 01:30, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> Note: July 04 is the LAST day for us to potentially submit updates for the IETF90 meeting. This gives us about 1.5 weeks to close off the error issues and update the drafts. If you have a moment please take a look and comment as soon as possible...
>>
>> Julian thanks for the suggestion. For the rest of the group’s benefit, the draft Julian referenced suggests the following attributes be returned in a standardized detailed error JSON body…
>>
>>> A problem details object MAY have the following members:
>>>
>>> o "type" (string) - An absolute URI [RFC3986] that identifies the
>>> problem type. When dereferenced, it SHOULD provide human-readable
>>> documentation for the problem type (e.g., using HTML
>>> [W3C.REC-html401-19991224]). When this member is not present, its
>>> value is assumed to be "about:blank".
>>> o "title" (string) - A short, human-readable summary of the problem
>>> type. It SHOULD NOT change from occurrence to occurrence of the
>>> problem, except for purposes of localisation.
>>> o "status" (number) - The HTTP status code ([RFC2616], Section 6)
>>> generated by the origin server for this occurrence of the problem.
>>> o "detail" (string) - An human readable explanation specific to this
>>> occurrence of the problem.
>>> o "instance" (string) - An absolute URI that identifies the specific
>>> occurrence of the problem. It may or may not yield further
>>> information if dereferenced.
>>
>> Here is the corresponding example error response:
>>> HTTP/1.1 403 Forbidden
>>> Content-Type: application/problem+json
>>> Content-Language: en
>>>
>>> {
>>> "type": "http://example.com/probs/out-of-credit",
>>> "title": "You do not have enough credit.",
>>> "detail": "Your current balance is 30, but that costs 50.",
>>> "instance": "http://example.net/account/12345/msgs/abc",
>>> "balance": 30,
>>> "accounts": ["http://example.net/account/12345",
>>> "http://example.net/account/67890"]
>>> }
>>
>>
>> Julian, what is the value of having “type” be a URI? Why not just have a SCIM specific attribute (scimType) and use simple keywords? (asking mainly for the WG’s benefit). I guess the strong case is that by standardizing HTTP responses, client code gets simplified. However, using standard attributes creates the namespace conflict issue. So we need URI based error codes.
>>
>> The SCIM specs could adopt the “type”, “detail”, and “status”. We would register a namespace of urn:scim:error:apil:2.0 in the SCIM IANA section in addition to api:messages, schema:core, etc. This would give detail error types of:
>> urn:scim:error:api:2.0:mutability, urnscim:error:api:2.0:filter, etc.
>>
>> The other items, like title, instance, etc could be optional or just omitted from SCIM spec. —> we would just indicate that clients should expect attributes within the JSON message other than those defined by the SCIM drafts.
>>
>> IMPORTANT NOTE: the format suggested by Julian allows for only one error at a time. Erik had commented he prefers to return only one. I tend to agree. In the case of BULK requests, this is not really an issue since each BULK operation gets its own response block.
>>
>> In the interests of time, any objections to using type (with URI based error codes), detail, status, per above and limiting to ONE per response?
>>
>> I know these are normative changes….however I’m pretty sure we can’t avoid changes in the final document clean up whether or not we adopt the proposed standardized error response.
>>
>> Cheers,
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>>
>>
>> On Jun 24, 2014, at 12:23 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
>>
>>> On 2014-06-24 21:01, Phil Hunt wrote:
>>>> With regards to tickets 37, 46, 67, it looks like we will have some
>>>> normative changes required. I am also expecting new SCIM error codes as
>>>> we look at the possible reasons a server might return Bad Request or
>>>> other HTTP status codes.
>>>>
>>>> Currently, the example response from PATCH, we use “error” to indicate a
>>>> detailed error.
>>>>
>>>> * "error":"mutability"*
>>>>
>>>> From Response Codes Section, no detail error is defined:
>>>>
>>>> *HTTP/1.1 404 NOT FOUND*
>>>>
>>>> {
>>>> "schemas": ["urn:scim:api:messages:2.0:Error"],
>>>> "Errors":[
>>>> {
>>>> *"description":"Resource 2819c223-7f76-453a-919d-413861904646 not found",
>>>> "code":"404"*
>>>> }
>>>> ]
>>>> }
>>>>
>>>>
>>>> Doing a search around Twitter, AWS, and many others, I see that “code”
>>>> is often used to indicate a detailed error message (“mutability”) and
>>>> status is used to indicate HTTP status.
>>>>
>>>> In an attempt to bring consistency across the API document, I am
>>>> proposing we use http_status and scim_code. This will help make clear
>>>> what we are referring to and allow existing implementations to co-exist
>>>> for a while (by having different names).
>>>>
>>>> _Are there any objections to normalizing the spec around following
>>>> format and attributes?_
>>>>
>>>> Proposed example:
>>>>
>>>> *HTTP/1.1 400 Bad Request*
>>>>
>>>> Content-Type: application/scim+json;charset=UTF-8
>>>> Cache-Control: no-store
>>>> Pragma: no-cache
>>>>
>>>> {
>>>> "schemas": ["urn:scim:api:messages:2.0:Error"],
>>>> "Errors":[
>>>> {
>>>> *“scim_code":"mutability”,*
>>>>
>>>> * “http_status”:400,*
>>>> "error_description":"Attribute 'id' is readOnly."
>>>> },
>>>>
>>>> . . .
>>>>
>>>> ]
>>>>
>>>> }
>>>> ...
>>>
>>> You may want to read <http://tools.ietf.org/html/draft-nottingham-http-problem-06>...
>>>
>>> Best regards, Julian
>>>
>>> _______________________________________________
>>> scim mailing list
>>> scim@ietf.org
>>> https://www.ietf.org/mailman/listinfo/scim
>>
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim
>
- [scim] Detailed error and status codes Phil Hunt
- Re: [scim] Detailed error and status codes Julian Reschke
- Re: [scim] Detailed error and status codes Erik Wahlström
- [scim] [INPUT REQUESTED] Re: Detailed error and s… Phil Hunt
- Re: [scim] [INPUT REQUESTED] Re: Detailed error a… Erik Wahlström
- Re: [scim] [INPUT REQUESTED] Re: Detailed error a… Phil Hunt
- Re: [scim] [INPUT REQUESTED] Re: Detailed error a… Phil Hunt
- Re: [scim] [INPUT REQUESTED] Re: Detailed error a… David Möbius
- Re: [scim] [INPUT REQUESTED] Re: Detailed error a… Phil Hunt
- Re: [scim] [INPUT REQUESTED] Re: Detailed error a… David Möbius
- Re: [scim] [INPUT REQUESTED] Re: Detailed error a… Phil Hunt