Re: [scim] How to check isUsernameExist for Self Sign Up

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Mon, 06 February 2017 18:07 UTC

From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
In-Reply-To: <90E3A155-A2CE-474D-A5F9-FBCC30605FFB@oracle.com>
Date: Mon, 06 Feb 2017 10:06:53 -0800
Message-Id: <2457A99D-1CBA-4158-8CA7-A43EABA92991@oracle.com>
References: <CALzgRADp+vQfzQT9MEHWKiLJWH4kaSKtCUHDBOot79y18xyV0g@mail.gmail.com> <96ACFE7E-9A4C-4010-B43B-50D4086D0C49@oracle.com> <CALzgRAC4ka-r1rzXJ=3KPqO=zUmgojp2seGka0D61+85Uxve4g@mail.gmail.com> <23158D21-2EC9-4E0B-8592-17779D0E1311@oracle.com> <CALzgRAAuBx=j+8FN0c=K5a6qn4FXJwJYz15qwENad-e8XL=J9Q@mail.gmail.com> <90E3A155-A2CE-474D-A5F9-FBCC30605FFB@oracle.com>
To: Gayan Gunawardana <gayan@wso2.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/VlU9iQj2MzcfU6kOHMhO4YeoWYo>
Cc: scim@ietf.org
Subject: Re: [scim] How to check isUsernameExist for Self Sign Up

There is also a scim profile in oidc. See drafts section. 

Phil

> On Feb 6, 2017, at 9:43 AM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
> 
> Dyn reg in oauth. But oidc may also apply depending on what you are doing. 
> 
> Phil
> 
>> On Feb 4, 2017, at 8:25 PM, Gayan Gunawardana <gayan@wso2.com> wrote:
>> 
>> 
>> 
>>> On Fri, Feb 3, 2017 at 1:24 AM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
>>> Inline
>>> 
>>> Phil
>>> 
>>>> On Feb 2, 2017, at 11:27 AM, Gayan Gunawardana <gayan@wso2.com> wrote:
>>>> 
>>>> Hi Phil,
>>>> 
>>>>> On Fri, Feb 3, 2017 at 12:19 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>> Gayan,
>>>>> 
>>>>> Keep in mind SCIM is just a RESTful api. There are no functional methods like isUsernameExist.
>>>> Yes totally understood. 
>>>>> 
>>>>> You can…
>>>>> 
>>>>> 1.  Just try HTTP POST to create the user and if there is a conflict, it gets rejected.  This is probably easiest.
>>>>> 
>>>>> 2.  Use GET /Users?filter="(userName eq \"val\")"&attributes=id.  If no records return, there were no matches. If you get a return, it is in use.  Note, either way, you will get a successful response.
>>>> Yes, both [1] and [2] are possible, but the problem is that a self sign up user (before self sign up) does not have valid credentials to perform the above operations.
>>> 
>>> As I described, an app could register as a developer or use dyn reg. 
>> I guess you are referring to dynamic client registration in OIDC, right? 
>>>>   
>>>>> 
>>>>> Note, I suspect it is possible that despite checking with #2, you might still get a rejection when you POST. This might be due to a reserve or lock on the username or other identifier.
>>>>> 
>>>>> Your rights as an administrative client will also impact what you get back with the query in particular.  For example, if you are querying anonymously, you might get no matches because the service provider has determined it is not going to answer you and confirm the presence or not of the match.
>>>> Are there any security constraints for service providers to behave like that for anonymous requests? 
>>> 
>>> Yes, DoS attacks are a concern that prevents totally anonymous registration. You need some trusted broker like a web or mobile app. 
>> Yes, having some trusted broker like a web or mobile app would resolve many problems. Many thanks, Phil. 
>>> 
>>> Also, many IDPs likely have a vetting process to establish some assurance about claims. E.g. when an enterprise calls SCIM, the enterprise is judged authoritative over employee assertions. 
>>> 
>>> Others might do secondary validation (eg email confirmation). 
>>> 
>>> All of this is really outside the scope of the provisioning protocol but part of the larger IDM services approaches. 
>>> 
>>>>> 
>>>>> Likewise, many service providers will have DoS and other security restrictions on what clients can register.  
>>>>> 
>>>>> E.g. to moderate the need for “anonymous” registration, a mobile app could register with the service provider to obtain a “public” OAuth client credential that gives the mobile client the right to register a new user profile on behalf of the user (e.g. by using profile data from the mobile phone).
>>>>> 
>>>>> Phil
>>>>> 
>>>>> Oracle Corporation, Identity Cloud Services & Identity Standards
>>>>> @independentid
>>>>> www.independentid.com
>>>>> phil.hunt@oracle.com
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana <gayan@wso2.com> wrote:
>>>>>> 
>>>>>> Hello,
>>>>>> 
>>>>>> According to [1], self sign up can be achieved via sending an authenticated request to /Me. 
>>>>>> 
>>>>>> What is the proper way to check isUsernameExist before self sign up?
>>>>>> 
>>>>>> [1] https://tools.ietf.org/html/rfc7644#section-3.11
>>>>>> 
>>>>>> Thanks,
>>>>>> Gayan
>>>>>> -- 
>>>>>> Gayan Gunawardana
>>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>>> Email: gayan@wso2.com 
>>>>>> Mobile: +94 (71) 8020933
>>>>>> _______________________________________________
>>>>>> scim mailing list
>>>>>> scim@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/scim
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> Gayan Gunawardana
>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>> Email: gayan@wso2.com 
>>>> Mobile: +94 (71) 8020933
>> 
>> 
>> 
>> -- 
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: gayan@wso2.com 
>> Mobile: +94 (71) 8020933
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim
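As an added illustration of the two approaches Phil lists (POST and let a conflict reject the create, or GET /Users with a userName filter and `attributes=id`) together with the anonymous-query behaviour he describes, here is a constructed in-memory stand-in for a SCIM service provider plus a client-side pre-check. This is example code written for this page, not from the thread, WSO2, Oracle or any SCIM implementation; the `ScimServer` class and `username_looks_free` helper are hypothetical, and only the single `userName eq "..."` filter form from the thread is parsed.

```python
import re
from dataclasses import dataclass, field

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# Hypothetical: parses only the filter form discussed in the thread.
FILTER_RE = re.compile(r'^\(?\s*userName\s+eq\s+"([^"]*)"\s*\)?$', re.IGNORECASE)


@dataclass
class ScimServer:
    """Constructed in-memory stand-in for a SCIM service provider."""
    users: dict = field(default_factory=dict)  # id -> resource

    def _taken(self, name):
        # userName is caseExact=false in the core schema, so compare case-folded.
        return any(u["userName"].lower() == name.lower() for u in self.users.values())

    def get_users(self, filter_expr, authenticated):
        """GET /Users?filter=...&attributes=id.  Always 200 for a valid filter;
        an anonymous caller gets an empty ListResponse, so the endpoint cannot be
        used to enumerate which userNames already exist."""
        m = FILTER_RE.match(filter_expr or "")
        if not m:
            return 400, {"schemas": [ERROR_SCHEMA], "status": "400", "scimType": "invalidFilter"}
        hits = []
        if authenticated:
            hits = [{"id": u["id"]} for u in self.users.values()
                    if u["userName"].lower() == m.group(1).lower()]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}

    def post_user(self, body, authenticated):
        """POST /Users.  A duplicate userName is rejected with 409 and
        scimType 'uniqueness' (RFC 7644, Section 3.12)."""
        if not authenticated:
            return 401, {"schemas": [ERROR_SCHEMA], "status": "401"}
        name = body.get("userName")
        if not name:
            return 400, {"schemas": [ERROR_SCHEMA], "status": "400", "scimType": "invalidValue"}
        if self._taken(name):
            return 409, {"schemas": [ERROR_SCHEMA], "status": "409", "scimType": "uniqueness"}
        uid = str(len(self.users) + 1)
        self.users[uid] = {"id": uid, "userName": name}
        return 201, self.users[uid]


def username_looks_free(server, name, authenticated):
    """Client-side pre-check (approach 2): zero matches means 'looks free'.
    An anonymous caller always sees zero matches, so only the POST outcome
    (approach 1) is authoritative; the check can also race a concurrent create."""
    status, body = server.get_users(f'userName eq "{name}"', authenticated)
    return status == 200 and body["totalResults"] == 0
```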