Re: [scim] Error extensibility in SCIM - meeting follow up
Phillip Hunt <phil.hunt@independentid.com> Mon, 22 January 2024 21:52 UTC
Return-Path: <phil.hunt@independentid.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA5B3C151981 for <scim@ietfa.amsl.com>; Mon, 22 Jan 2024 13:52:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xD4kGTqpPsQR for <scim@ietfa.amsl.com>; Mon, 22 Jan 2024 13:52:37 -0800 (PST)
Received: from mail-pj1-x102c.google.com (mail-pj1-x102c.google.com [IPv6:2607:f8b0:4864:20::102c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BABD9C1519B3 for <scim@ietf.org>; Mon, 22 Jan 2024 13:52:29 -0800 (PST)
Received: by mail-pj1-x102c.google.com with SMTP id 98e67ed59e1d1-2906bcae4feso798614a91.3 for <scim@ietf.org>; Mon, 22 Jan 2024 13:52:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20230601.gappssmtp.com; s=20230601; t=1705960349; x=1706565149; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=N07DkUTuw9JiC7sV4UIEcBYthdJ8vuxsyJBMRnbY43E=; b=3MU+KQ0FJ0R4NDEmdy9azy3ndEVbpBWay3oJBkIaptMf7kAwBN+syHLs106C+D2M5b T2nzGxHpethLoT1CDcNYZEuK9kOYr/Nwxu59fK9uEkhJariaLGWssZjSHoOfjoKFlkbX eX84HdmYUk8+57kFJ0is79OUHnt+/4XWShUyHDUuvttrXX1y7xRYKwoKTcFv4MmWtgRn qvJ1ZrsgTrt7Y9yCwn++VGH3dt0S9jOn6fjDlJiV/j1db44uvbzcvbWgJmWGGhFLW5Hp /v8AS4XtUAMRSjPgxFTv9a5tC2nn79yMcUr8EgCwRyL/ZlJ6N28JA/9lYzK1Dh79S96g QF8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705960349; x=1706565149; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=N07DkUTuw9JiC7sV4UIEcBYthdJ8vuxsyJBMRnbY43E=; b=giATsTCGB8l5jVyNCVpQ9Ic4uJeWJ8sqbqtkKWfoxZjpOOoSLI+9/SAl91sclLRO3N sYwzW9BPtWjWKKJ9EtNO7qmmuzoCX53LNCwzFm3I1XVtp1GCdBx4VfryAQDhfghPMTfY SAAXatlpNuQdNNCSstAFZbK7CsSVH1Oq8bO4WLUifsGqv+tr7kN1PJ7OHNPug8pWCZAq JTcQjIQJl+5VfWcFMjSadl9tuHLr1+/F+PuYIaODO4mJY9ftlraVFpK0g4j1+4oX4u4L +k2Amtz3Et0NZ0msO1CGyd/X6hmzmgGSbnN7qfnoEDe+lbRQNYx89/y4B/RYQUUdszTO 283w==
X-Gm-Message-State: AOJu0Yzn3nqEZG9BpP0vilT5Q5SEWqgJo64JVqvBl+lvq3igdLSrXlLK 1X1InpGasclbrQhmWwe0fF1CJa2y25n07F93XsAQFmTlR4wapkrpQDoX04zVfhCeXco+S2Q0vUh Y
X-Google-Smtp-Source: AGHT+IG+P2+/ENjzhvGnR25I0ru9JHIkMcQnx7N1UZA+j2JTE77A0FWZHN2kWT3OVdJ2oJJE8XgKgg==
X-Received: by 2002:a17:90a:c90a:b0:28d:61d:ac40 with SMTP id v10-20020a17090ac90a00b0028d061dac40mr1944881pjt.0.1705960348546; Mon, 22 Jan 2024 13:52:28 -0800 (PST)
Received: from smtpclient.apple ([2001:569:540c:4900:b050:ad16:9dda:1872]) by smtp.gmail.com with ESMTPSA id su7-20020a17090b534700b0028d29d837c7sm10041234pjb.36.2024.01.22.13.52.27 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 22 Jan 2024 13:52:28 -0800 (PST)
From: Phillip Hunt <phil.hunt@independentid.com>
Message-Id: <F7CB06C8-F9E7-48DC-9BD7-6F13FC3EF779@independentid.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F18908CB-FB85-4173-AA41-40274665F8F7"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.300.61.1.2\))
Date: Mon, 22 Jan 2024 13:52:17 -0800
In-Reply-To: <CY4PR06MB34132DAEE819AB18D45EC76996722@CY4PR06MB3413.namprd06.prod.outlook.com>
Cc: "scim@ietf.org" <scim@ietf.org>
To: Jennifer Schreiber <jennifer.winer=40workday.com@dmarc.ietf.org>
References: <CY4PR06MB34132DAEE819AB18D45EC76996722@CY4PR06MB3413.namprd06.prod.outlook.com>
X-Mailer: Apple Mail (2.3774.300.61.1.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/QO3PPloezXXjXBWabMQZHg6potI>
Subject: Re: [scim] Error extensibility in SCIM - meeting follow up
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jan 2024 21:52:41 -0000
Jennifer, Sorry for not getting back to this sooner. This is important. First, I will just zero in on your example (this may not answer your question about extending errors): In SCIM, the expected behavior is to ignore read-only attribute updates in most cases. The best description of this is probably within the SCIM PUT. The intent was that a relatively simply client (eg. javascript) could do a GET, change a value, and then do PUT to put the reosurce back. The value of PUT was to avoid having to pay attention to mutability. The mutability error does apply to PATCH when the intent by the client is to “target" a read-only attribute. With that said, if a client (or more likely a support tech) wants to know why an attribute isn’t updating, the schema endpoint is supposed to report the actual mutability. ==> the reason this was done was that the collective experience of the WG at the time was that X.500 and LDAP were far too fragile by throwing errors on everything didn’t line up perfectly. The consensus at the time was to follow Postel’s Law (aka the Robustness Principle), which boiled down meant that SCIM servers should accept requests that are understood (but not perfect), and the client must accept the response (disclosure: I understand many in the IETF have ‘moved on’ from favouring ‘robustness'. This use case is an example where this robustness plays out. A client doing a PUT has a bunch of attriibutes that can’t be modified but one or two that can. The server accepts the requests and updates the modified fields. The final state is returned to the client which tells the client what was actually accepted. —> In this way SCIM avoids the need for a lot of complex signalling and error reporting. Let me know if this answers your question. Or did you still have another use case for a detailed error? Phil phil.hunt@independentid.com > On Jan 17, 2024, at 8:29 AM, Jennifer Schreiber <jennifer.winer=40workday.com@dmarc.ietf.org> wrote: > > Thanks everyone for a great discussion yesterday at the meeting. We discussed error handling as relevant to scim events draft and RFC 7644. > > Mainly, the big question that came up: > Is there any extensibility method for the error messages ("urn:ietf:params:scim:api:messages:2.0:Error"), similar to Section 3.3 of RFC 7643 <https://datatracker.ietf.org/doc/html/rfc7643#section-3.3>? Can error messages, as well as the other scim messages defined in Section 8.2 of RFC 7644 <https://datatracker.ietf.org/doc/html/rfc7644#section-8.2> be extended? > > Section 3.12 of RFC 7644 <https://datatracker.ietf.org/doc/html/rfc7644#section-3.12> is a bit vague about the matter. > > This came up for my internally, as the error message is not meeting my implementation needs. We're requiring an additional field, errorCode. Anjali also mentioned the need for an jsonPath field. > > During the meeting, we talked through a couple ideas (that I will review in the next meeting) such as below, but we kept coming back to the same extensibility question. I wanted to open up the discussion here prior to the meeting. > > ``` > { > "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error", "urn:ietf:params:scim:api:extension:messages:2.0:AdvancedError"], > "scimType":"mutability" > "detail":"Attribute 'id' is readOnly", > "status": "400" > "urn:ietf:params:scim:api:extension:messages:2.0:AdvancedError": { > "errorCode": "ABC-1235" > } > } > ``` > > Thanks, > Jen > _______________________________________________ > scim mailing list > scim@ietf.org <mailto:scim@ietf.org> > https://www.ietf.org/mailman/listinfo/scim
- [scim] Error extensibility in SCIM - meeting foll… Jennifer Schreiber
- Re: [scim] Error extensibility in SCIM - meeting … Danny Zollner
- Re: [scim] Error extensibility in SCIM - meeting … Phillip Hunt
- Re: [scim] [External Sender] Re: Error extensibil… Jennifer Schreiber
- Re: [scim] [External Sender] Re: Error extensibil… Sehgal, Anjali
- Re: [scim] [External Sender] Re: Error extensibil… Phillip Hunt