IETF Logo Mail Archive

Re: [scim] Multi-Valued Attribute "Value" Requirement

Shelley <randomshelley@gmail.com> Tue, 10 May 2022 20:30 UTC

Return-Path: <randomshelley@gmail.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78744C14F73D for <scim@ietfa.amsl.com>; Tue, 10 May 2022 13:30:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJXnUdTpVlBY for <scim@ietfa.amsl.com>; Tue, 10 May 2022 13:30:47 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17266C14F739 for <scim@ietf.org>; Tue, 10 May 2022 13:30:47 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id a21so204191edb.1 for <scim@ietf.org>; Tue, 10 May 2022 13:30:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8VEHHgjBxKCDLwHMffp+HF8viHwQt8KyvIO6ZAr3omQ=; b=Ui3sdsVw3B9rlkz4uO+IpgWIbxtYn3qPToXu3XLF7shyM74uB9nxt9QelZL2uMFiTb 4deMsCbAXDEtlutfvavTU54+ntPX4FNLJSbBIU6Oj0sJi8bjz+TllfsDwFVGlPz7VG0s 85GyCRAnv3iToJPlOoV3/TxLHzxI6tCDezdtogCi4+zjgM49tlIj5ZMW5dmg0qSdDpcu TrJ4CKmjbC0Xz04f6UI5E+rS7yEaRZhe148ztSmCLboJQwwv6RAf1P6Oc7334W+HcFSf y+ERzOya7WA9LEGS8ATPnNs4AY6QQVOibJ11rXj6W/s4TO9iQRO1t3ajrLM/fpncDbK4 yBfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8VEHHgjBxKCDLwHMffp+HF8viHwQt8KyvIO6ZAr3omQ=; b=MQCSoOoiIAEw2S2x8Tkx9sNYBZ/ca25c1m/1RBrQUJip6HTP5x6ybI1KVzMWe9bl4M Vz3SVH8QXxBlUhuabJDQqY1GxA20azkEOdFMwjqcmezP/JPBcQeEG1M7a56BgLgbl7zj jnLuvfR4lgeC6D+FVF8bIChHskqk05ZK1Wz5Bc6m+7NGcOtcNYoYMarBJAKhAwSXfMHm tgF4fu2ugd0DwBDG1CLwnntCp00+ArkJyrihuQmzs6XfS2mZOrlA4IIUq4YD0Hti6/Yg AM7pCrkgfiWDrq4GfMplg//wBmMqQorwRmFXUArlOiIdIdgOFVMJPJM1MRS181biC+a/ 4Rjw==
X-Gm-Message-State: AOAM533AzcH2+gXesPNO1TOvpIgF591EMMEegq2zUE9g6H39yewS8x19 ldLywHzkXBo8noRPb3LfH2eEC/CpcB4Oe7U8XTyI8vlbO9d5+A==
X-Google-Smtp-Source: ABdhPJyc+qWxQumR+max6L36Dp9nkxwCZPRL8LPV/2I9jxmCqw/CiZX0MiPsUgclBtgMihiCNNcLR8ZwLl7iOJrfpEc=
X-Received: by 2002:a05:6402:3687:b0:428:aafb:23c9 with SMTP id ej7-20020a056402368700b00428aafb23c9mr8414935edb.388.1652214644873; Tue, 10 May 2022 13:30:44 -0700 (PDT)
MIME-Version: 1.0
References: <CAGUsYPzB2HGN7M--oof99BpCJYaEKL5w6fa-3SvAmM_v_Sbv+g@mail.gmail.com> <1CD92F57-E326-4720-8ED3-B161C15DF95B@independentid.com>
In-Reply-To: <1CD92F57-E326-4720-8ED3-B161C15DF95B@independentid.com>
From: Shelley <randomshelley@gmail.com>
Date: Tue, 10 May 2022 15:30:33 -0500
Message-ID: <CAGUsYPz+VE-5DTxxVfxcr2O0zO4ZcMsxk2eZ3UVqa9NqXhtoig@mail.gmail.com>
To: Phillip Hunt <phil.hunt@independentid.com>
Cc: scim@ietf.org
Content-Type: multipart/alternative; boundary="000000000000001d6705deae336e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/VRdnaGZs4sMbOfRXPK5zBJ5W8xs>
Subject: Re: [scim] Multi-Valued Attribute "Value" Requirement
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 May 2022 20:30:49 -0000

Thanks for the feedback.

*> Is the clients sending all of the numbers at once?  Or are these meant
> as individual examples?  *
>

The client is not sending all of those values in a single "phoneNumbers"
array; the example was just to illustrate several value-less "phoneNumbers"
that SCIM implementations would need to handle, and to help provide
different examples in case each may be interpreted differently.

*> I would look to Section 3.3 (Create) and 3.5.1 (Put) and also 7643 Sec
> 2.5, where “null” (or [] in the case of multi-values) means to override
> existing or default values to assert them as null.  Doing so inside of a MV
> attribute makes a little less sense. *
>

Correct, those sections don't really speak directly to sub-attributes. For
reference, on a POST or PUT our implementation does accept any of the
following, inline with the RFC:

   - "phoneNumbers": null
   - "phoneNumbers": []
   - omission of the multi-valued attribute

*> The ugliness of this example does show why making “value” as required in
> phoneNumbers for the next iteration of 7643 might be a good idea.  :-)*
>

Is there somewhere that we can log this to keep track of this for inclusion
in the next RFC?

In the meantime, I'm still curious as to how other server implementations
and clients handle this scenario. My first preference would be to continue
requiring the "value" subattribute in these cases, but if we need to make
changes for broader compatibility with such clients, I'm assuming we should
just ignore the value-less multi-valued attributes? And/or are others
actually persisting and returning these valueless objects (e.g. with just
the "type"/"primary" subattributes)?


On Tue, May 10, 2022 at 3:02 PM Phillip Hunt <phil.hunt@independentid.com>
wrote:

> Shelley,
>
> I would look to Section 3.3 (Create) and 3.5.1 (Put) and also 7643 Sec
> 2.5, where “null” (or [] in the case of multi-values) means to override
> existing or default values to assert them as null.  Doing so inside of a MV
> attribute makes a little less sense.
>
> Is the clients sending all of the numbers at once?  Or are these meant as
> individual examples?
>
> For a SCIM PUT operation, sending “phoneNumbers”: [],  or “phoneNumbers”:
> [{}] would likely result in reseting the phoneNumbers value to unasserted
> removing any existing values. In the case of create, it overrides any
> default values that would otherwise be generated.   This is useful because
> some servers might default work number to a company 1-800 number. Using
> “null” allows clients to override to say no number for this person.
>
> The ugliness of this example does show why making “value” as required in
> phoneNumbers for the next iteration of 7643 might be a good idea.  :-)
>
> Phillip Hunt
> @independentid
> phil.hunt@independentid.com
>
>
>
>
> On May 10, 2022, at 12:41 PM, Shelley <randomshelley@gmail.com> wrote:
>
> How should a SCIM server implementation interpret and manage multi-valued
> attributes that are sent without values?
>
> For example, if a SCIM client sends any of the following phone numbers:
>
> "phoneNumbers": [
>   {},
>   {
>     "value": null
>   },
>   {
>     "value": null,
>     "type": null
>   },
>   {
>     "value": null,
>     "primary": true
>   },
>   {
>     "type": "work",
>     "primary": false
>   }
> ]
>
> Should the SCIM server accept, ignore, or reject some/all of these phone
> numbers? The spec does not strictly require the "value", but it seems quite
> ambiguous to send a phone number without a phone number, for example.
>
> In our SCIM 1.1 and 2.0 server implementations, we have marked the "value"
> subattribute for all supported multi-valued attributes as "required" in our
> schema, documentation, and functionality. After 11 years, we have just now
> encountered a SCIM client that sends multi-valued attributes without value
> subattributes, however, to which we return a 400 error. We have documented
> the "value" subattribute as required in the schema we return from the
> "Schemas" endpoint:
>
> {
>   "name": "value",
>   "type": "string",
>   "multiValued": false,
>   "description": "The phone number.",
>   "required": true,
>   "caseExact": false,
>   "mutability": "readWrite",
>   "returned": "default",
>   "uniqueness": "none"
> }
>
> However, the SCIM specification does not explicitly require it in the
> example schema nor in the RFC text.
>
> In my opinion, since the "value" is "the significant value", it *should*
> be required for the multi-valued attributes that support it, and SCIM
> clients should simply omit the object if there is no enclosed value.
> Without a value, the object seems invalid/incomplete/ambiguous. In lieu of
> that, is our next best bet just to completely ignore any valueless
> multi-valued attributes, regardless of whether any other subattributes are
> provided? How do other SCIM providers and consumers handle this?
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim
>
>
>

v2.23.0 | Report a Bug | By Email