[scim] Maintaining SCIM client-side cache consistency with SCIMv2

"Matt Peterson (mpeterso)" <Matt.Peterson@oneidentity.com> Thu, 06 May 2021 00:22 UTC

Return-Path: <Matt.Peterson@oneidentity.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CA9E3A27DA for <scim@ietfa.amsl.com>; Wed, 5 May 2021 17:22:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=oneidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WL53J6HIKVqb for <scim@ietfa.amsl.com>; Wed, 5 May 2021 17:22:34 -0700 (PDT)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on2113.outbound.protection.outlook.com [40.107.223.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CD233A27D9 for <scim@ietf.org>; Wed, 5 May 2021 17:22:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kFqT/KZG828uLa1G9NYiKZ5YriqTPtO8H7fqdAMdudhXUynUHAHMBmHmRgISAkJpLLQiS+4WTG8Kgxz+6SiY/BtSweQOCNS+30AU+R7WM8Wv9Sz7QXCnEV3xEWjiO+E1C0a8Z4uva6DW8rcIBwLZfRlyCbG49BucjBlPukdA0X5gps6JwIXLyoXy3yLy5ovhRVy/AxsWki0cVqGkVomv2n+FxR5XfJYmSrMOh6KeK5JU/BJeWf8/L20nTpJi0cQx+a+S2vW41nFD9vptp0w8ttrHLdMlMWndrfnbAgeVTHaajqj2ELMRXONopiBPTY7QhxrTut5e6jwASWsPPuuPKw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HzaAjmhuTwxTptmqlyxQWFkzrPSOcnbhOohmAlzFYqw=; b=BSoba9kjZxuJPdfqNL1yDQkhFzQoPVje1dJv1A8cxhzld6PHh4yLx3e9B6xhXc4K1Plbs7t9A7VFqssZm1becrsFl0TGsaEjaB8WHIi1eMzJ8HzZr7YHB05Q8xgfb+n9wTWv0THolPqYDCCAUFEZYXGgpDU8K8s9jJvYy0X4CYVbzlXYNahBxRhcLrIICsdENZXqAJg6lkVNVAYR2Z/O6SO35ZSECrbQ2N1r69gkxZ07VSpNWphDnWiGnljDFaSjOD/QP5c3sNxUbqqNcg4frYS7Cv67lKaq/CvCVwt3owCbvCimh8IMNy91BzCwY1wHPHhGVTLTjC6WoUFuPwbILQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oneidentity.com; dmarc=pass action=none header.from=oneidentity.com; dkim=pass header.d=oneidentity.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oneidentity.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HzaAjmhuTwxTptmqlyxQWFkzrPSOcnbhOohmAlzFYqw=; b=CsU7VyszyZDO89rrgxDc86RaYspLXLHn8iMqRvWsme8wdOXp+fjk66ZqR7wYr4PEr8ZYRhc8Gc3SdQM7SMS5PuLjjOy+U/zRkJe68i7t/O+nM55dX9DkFZaat8gn7OljT3RczDsZEJPAi6tUOxrAhUGlcfeOhzvTGKlhVXqrfCc=
Received: from CY4PR19MB0950.namprd19.prod.outlook.com (2603:10b6:903:a6::18) by CY4PR19MB1639.namprd19.prod.outlook.com (2603:10b6:903:142::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4087.38; Thu, 6 May 2021 00:22:31 +0000
Received: from CY4PR19MB0950.namprd19.prod.outlook.com ([fe80::a051:adee:a6e4:b538]) by CY4PR19MB0950.namprd19.prod.outlook.com ([fe80::a051:adee:a6e4:b538%11]) with mapi id 15.20.4087.044; Thu, 6 May 2021 00:22:30 +0000
From: "Matt Peterson (mpeterso)" <Matt.Peterson@oneidentity.com>
To: "scim@ietf.org" <scim@ietf.org>
Thread-Topic: Maintaining SCIM client-side cache consistency with SCIMv2
Thread-Index: AddCCPgXs5y+d+2pQmW4VnwN6p1nTw==
Date: Thu, 6 May 2021 00:22:30 +0000
Message-ID: <CY4PR19MB095084CB073A73D93F76A4A4E1589@CY4PR19MB0950.namprd19.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=oneidentity.com;
x-originating-ip: [166.70.31.124]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2f9f0b5f-7120-42b4-c4c4-08d910250992
x-ms-traffictypediagnostic: CY4PR19MB1639:
x-microsoft-antispam-prvs: <CY4PR19MB1639FC8C17A301FED3DB6F66E1589@CY4PR19MB1639.namprd19.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: S6Ntlgp056F+IOWTmvb3Kr/2JFiaFPu8kjKw9UyCFNZjR9+yqNY5I+srL2wRWXl/Ki/8iI8By1tiglhv/+/eo6xmJCM16i4xhcQ+OoQ/py1vlHlsIYOlTnC+/0Ys8YPROsaS/CPim5txjdt9l7NdL+xqadnNNanQuXGZeCTuGPdk42BB9zwZ5ONIMkddR4C3tKCh9oEZpEYPRJYt0FkPLaSCECGa7eho3zFr+YG4LQ7uCixCF93zmBN//dAtO4mQOHAvM1seobKOU0Zict/m8nEmY4ERX1nw8jRPoDNOdi6Xir/n/eW5PKI6dVytMcPeA7we/rMv/S0xaWt9nbv9b/fxs77fir3dyKoMfRLclGioCYO2x9Wvd/IGa0jyd6F1KEjdp0Qz/J8JWzy6kDhwBSIw53ukJnXSSZivh+/lKPdXwj0hw44u2LEcze+mXQAZw7bqWDiq1Y5tT8A0F0iMRIJUx823qPY6uroyDtpDpAZsXf6AnKtsyozSzJZSrTpn3BF8aF5DiMuD3WL4pHAH9dTUdapjFF3lnxTboBWMoLa2vIJy7NyAvIl+uQ214fhdNRPpbRfTLMj3JHKqjIOhLwC3lrkZrqET5osV3xJgXrJ4r5WsPNxxoY88+L1lkJM0uQaBzaN6XA3H7BOFHJFLanknLCxMI589sQ/vXhpq7EQ=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY4PR19MB0950.namprd19.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(39860400002)(376002)(396003)(366004)(136003)(5660300002)(66574015)(55236004)(45080400002)(9686003)(52536014)(38100700002)(6506007)(55016002)(7696005)(71200400001)(6916009)(966005)(26005)(122000001)(8676002)(86362001)(66476007)(2906002)(8936002)(83380400001)(66556008)(64756008)(66946007)(33656002)(186003)(66446008)(166002)(316002)(76116006)(478600001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: =?us-ascii?Q?wrGPVC84eUkeo+sZOZzd0NE7tOmBJ1Cm4soiMUoNAWA1Fsmm1UgoZUOlcIUR?= =?us-ascii?Q?V4GqS7Ckpl6LEWxSIgulPXObdcRujo8yaL9qpYsYAxHHRkXbSwnUsoG5teyj?= =?us-ascii?Q?UwNRKw0wbERTVVBhUg6MB6Np7imfh8NInLZFnXMqkEADJ+vabaR0d73GwE9p?= =?us-ascii?Q?WeyBuk1f0wh/M4X6luXiygIhvh3xf2/DcRWASsMoe8/42lY7BLwd9xlwNJ9o?= =?us-ascii?Q?4u4B4MSqBDzAqn16jCQcIRsNxKyvs8ly+XBw5MMC6Yu8x+FiCc8hUS6Gr3zv?= =?us-ascii?Q?EMuO9TX+eIfA6WbHZIJobx0KxJiKIwji0ishXP/3UPasgHp5580rWZCBahjf?= =?us-ascii?Q?ikaROr7UQsOprECz0JPs8R5rPdqXBR00hhDpLn/UeelRR0MoIYpev/geNWpH?= =?us-ascii?Q?C5PrkQazje4nzLXyseljGov7rum9XrCFwF5OnVnKT8HmuLHxiiWo+ZRVnMX6?= =?us-ascii?Q?t3CvOIFmAUo7idP2JriuOtYKVveojhgFtScUhThneGVJwrpInEmQdxVkPOI0?= =?us-ascii?Q?6Kj0czWc7K/+djVdl8xs/9brEAOlGmmDB+W7IjQdCgoGlEYjawWjzkhK+Dvv?= =?us-ascii?Q?xKVmmGofhi8RDcj7mz+c4WcpkezbJQLsiuynMCOrOEKwWlH31F4cR75ZXuSM?= =?us-ascii?Q?NN9mUaiKndd7kInnr0JmU6df3bsY77EEhUT2DKCbDxGBkarGXlFuR3BgsmcN?= =?us-ascii?Q?T5ql3eomvsQvK0nZXT1xhMcuyb/pPHmMKM/luaSd+KgXuBkjkRVbSSomPbnS?= =?us-ascii?Q?ficjJ61FTgqpFYgzjCewfOAXAHCNhacNAKAxkug+3nhBsBSeO/XI1Lt58QPH?= =?us-ascii?Q?PlqOPnBOz+o3o0Q+LQDfdg6N46wYKsPcBtkm2MxBY2tYSSKr077mFkdKPUCw?= =?us-ascii?Q?3s70CWqry8IDP+jYnjjKD8t5x3JRzJupjnKwuPFPNHGrHUXovBsxQgl38VwL?= =?us-ascii?Q?yFaw1DUeDKDOJpN7Buxu6G0WZeMVeRind/6cHhEvlcepqJ/G1FC+9SEMM5Eu?= =?us-ascii?Q?FSkVmADjBBWfqT0zjz5LdBuPIdlUxl/4UMikgOo5nXrnolT0S4hIDIcrTyLP?= =?us-ascii?Q?aUFjVup3IuXfup1bJmWfUatYWlWJouRcl28UyC9zYDSki/WQRBvf6eSY5TXF?= =?us-ascii?Q?y5KBW/fNHqM27fkd5xyp26Lqn0iAUBzqFSI5A1xbsxTmEGjRZjkSrnTNe0F3?= =?us-ascii?Q?5SJdZDApqJRiGHQKf/Em3Ca8GKMeiD0SgSbQFUeDOs4wJNKlD624a34jZy3v?= =?us-ascii?Q?xxymZt77nMdnXsQh4st2hBJqommNLedC4ad1smptTNSe/8DC2WkEPnqGUK2o?= =?us-ascii?Q?EQAPULYsg18ybjth207x8a82?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CY4PR19MB095084CB073A73D93F76A4A4E1589CY4PR19MB0950namp_"
MIME-Version: 1.0
X-OriginatorOrg: oneidentity.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CY4PR19MB0950.namprd19.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2f9f0b5f-7120-42b4-c4c4-08d910250992
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 May 2021 00:22:30.8944 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 91c369b5-1c9e-439c-989c-1867ec606603
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: jdba7cVtuiZsNRSLLy5rC/FWQDqvPj9xMli/IMQBU4Y2ou+JIIMJ3q1X43bE23Uk7VAMNlWA7TeBYrBRRkrPpg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR19MB1639
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/P5DVTqWLmVKqyvD0dgUszADQZrE>
Subject: [scim] Maintaining SCIM client-side cache consistency with SCIMv2
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 May 2021 00:22:39 -0000

The discussion on this SCIM Interest Group meeting today (recording here: https://www.youtube.com/watch?v=q7Fpf0JfLcM) suggested that it is very common (for various reasons) for relying party applications to keep their own database of identity objects (users and groups).  For example, checking access to an application resource is something that happens frequently enough to justify optimizing with a cache of objects so that the application does not need to query the IDP (using SCIM) for every authorization event.

The in-application database is essentially a "cache" of the users and groups for which the application *is not an authority*.   The Identity Provider is the authority for these objects.   Nevertheless, the application may want to keep its copy of these objects up to date when changes are made to the authoritative objects (on the IDP).  This is especially the case for deleted users, and group membership changes which may have important security/authorization implications for the application.

There are several ways that an application could maintain SCIM Client cache consistency:


  *   Option #0:  Update at login - Inspecting the token (SAML, OIDC, etc)  presented by the authenticated user may allow the application to update user properties in the application cache.
  *   Option #1:  Scheduled polling - The application periodically queries the IDP to fetch users and groups.   Scheduled polling is possible today (with no changes to SCIM), but it could be much more efficient if default SCIM schema included a "update sequence number (USN)" or "LastChangedTime" attribute that could be used by a SCIM client in SCIM filter to get only the objects that have changed since the last time the application polled.
  *   Option #2: Simple Webhook notification - Discussed briefly on recent SCIM workgroup virtual meetings.  This would follow a simple pattern used by many systems for delivering real-time change notifications.  No Internet Draft has been written.
  *   Option #3:  https://tools.ietf.org/html/draft-hunt-scim-notify-00 - an inclusive SCIM notifications proposal that includes multiple notification mechanisms (poll, webhook, RFC 8030 webpush, etc).
  *   Option #4:  https://tools.ietf.org/html/draft-wahl-scim-profile-00 -The IDP (acting as a SCIM client) pushes changes to the application (acting as a SCIM Server).


(All of the following are strongly prefaced with "in my opinion":)

Option #0  is included mainly for completeness.  It's not really a viable option for most applications because it does not allow update of application "cache" until a user logs in -- which will never happen for a deleted user.  It also may require too much application-specific information to be included in tokens - complicating mapping rules for the IDP and transferring authorization responsibilities to the IDP where they would be too distant from the application which knows the details about the resources to which need to be secured.

Option #1 is the easiest to implement because it only requires a simple change to SCIM schema that could be readily implemented by most IDPs (SCIM servers).  It follows a pattern that is been proven by Microsoft Active Directory and compatible applications that use the uSNChanged attribute (see: https://docs.microsoft.com/en-us/windows/win32/ad/polling-for-changes-using-usnchanged).  Option #1 may not be the most elegant solution, but it is the quickest, simplest solution that is most likely to achieve community consensus and interoperable implementations.

Option #2 needs an internet draft, a simple short internet draft describing the webhook.  This simple webhook option may be easier/quicker for driving consensus and interoperable implementations than option #3.

Option #3 is a more elegant and inclusive approach than option #1 and/or option #2.  It includes multiple notification mechanisms (polling, webhook, RFC 8030 web push, etc).  However, it introduces a feed service and other complexities that might make take longer to get community consensus and interoperable implementations.

Option #4 (IMO) invites unnecessary confusion, and complication.   It complicates development of both a SCIM Server (IDP) and the SCIM client (relying party application) by ambiguating the only "profiles" that the community appears to be comfortable with (SCIM Server and SCIM Client).  It proposes that IDPs and Relying Party applications implement the SCIM aspects of the other.  The authentication implementation and configuration pre-requisites for a relying party application (now both a SCIM client and a SCIM server) to authenticate an IDP (now both a SCIM server and a client) would be difficult for most application.

There are already two drafts (referenced above)  that are address the same topic of "Maintaining SCIM client-side cache consistency with SCIMv2".   I think it is worth tackling topic  as a general topic of interest, and *then* charter the draft(s) (or draft revisions) that are most likely to garner the most support and consensus.

--
Matt Peterson
Distinguished Engineer
Quest Software