IETF Logo Mail Archive

Re: [scim] [EXTERNAL] Extension Clarification Request

Phillip Hunt <phil.hunt@independentid.com> Fri, 21 October 2022 19:39 UTC

Return-Path: <phil.hunt@independentid.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 131EFC157B56 for <scim@ietfa.amsl.com>; Fri, 21 Oct 2022 12:39:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.804
X-Spam-Level:
X-Spam-Status: No, score=-1.804 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qrfHpdM7G379 for <scim@ietfa.amsl.com>; Fri, 21 Oct 2022 12:39:13 -0700 (PDT)
Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B89AC157B49 for <scim@ietf.org>; Fri, 21 Oct 2022 12:39:13 -0700 (PDT)
Received: by mail-pj1-x1032.google.com with SMTP id x31-20020a17090a38a200b0020d2afec803so3931202pjb.2 for <scim@ietf.org>; Fri, 21 Oct 2022 12:39:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20210112.gappssmtp.com; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=OQgOXAXm0IiXP4qsz8ma54A9Gb6VGCIu55Slxy7UnsA=; b=1iYZoX9JkZRrrV+M6BU8ytiICFgGwEPynH/b0ULO3n9pdiMI7M1YEvg59F+8jz/RdG X2+QFPnFHI8spwWiJW6kEGikGR/PSwjpEVYfqhpCbD9R3qz7n7YYVJBwD7slhrgwg/SD SGyi+Wf3Jput31cy5kp1YMN7ur2/ll5hHANUx465DWmqBDGDhvZhzVXpRWBwiPkT8sVf HmijrqkyPqA1yxROX6lflEsv/8q/BVLr0haraJLw1lM0oyQkns5EBCxLmh3MOVxW9ZbL IdSzvnkdLXJfERo/wW56uyy1zDy/3boF/ItX2TNGJHCYod9rVY6Sd4es6pp7i0UKHqEo 52oQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=OQgOXAXm0IiXP4qsz8ma54A9Gb6VGCIu55Slxy7UnsA=; b=WItoPk+1fgGru9elw+KwrtHgwz+MAP4MHKVb7gc0jvQtOs+13r75mJlZIyT0UR0e5i ZEPL2Ro7FyluQp588lPVZbVCfAGZqdO2cErji1Y7KNOfkB17kPe60BDCYQFEDdiDr+HG I1mZdW2B+7XuU67s5qoJSd5O/p5VylDKYmNVXDLmgvjo9WnSF7CsUs3tMzH0n3U+hXa3 ySem8J33/VqGW27SoF79wd9g9iaosfoOI4dRN7JVygL2Zw37E5WNuNUeXZx3TUvxbk7S fb+2lUAy91j5a6RJfQd07EINNOglrgtXD6jnMB2wIgDkGNpOSRJctyFEuJQeiSK4OCEU JDfg==
X-Gm-Message-State: ACrzQf20aw/0Ru6J9vJdWr3dwm2YSEN5X6dh6Du90LhQ0D873uinnb1b ZS3y9xFWpaRvjwq7HUTxFY2c8h9kmtEVqw==
X-Google-Smtp-Source: AMsMyM46uBHM7qcB5AYkBKIakiBChQ9t3YfvCRC5eI8dByy1Lms/JDZqHwxDsI2Z+AbCMNXNbcP1xw==
X-Received: by 2002:a17:90b:4ac5:b0:20a:de32:366b with SMTP id mh5-20020a17090b4ac500b0020ade32366bmr23557660pjb.197.1666381152342; Fri, 21 Oct 2022 12:39:12 -0700 (PDT)
Received: from smtpclient.apple (node-1w7jr9qrlnt9i1lwowyd5u9yu.ipv6.telus.net. [2001:569:7a98:6800:5a3:3046:73c0:26f6]) by smtp.gmail.com with ESMTPSA id i10-20020a170902e48a00b00186616b8fbasm3961064ple.10.2022.10.21.12.39.11 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 21 Oct 2022 12:39:11 -0700 (PDT)
From: Phillip Hunt <phil.hunt@independentid.com>
Message-Id: <E5F26DF8-1665-4B6E-8B72-8E9B537F6740@independentid.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_40F96648-FBD2-4BD0-947D-E41A50B297E3"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Fri, 21 Oct 2022 12:39:10 -0700
In-Reply-To: <BY5PR00MB070873165E22B5A4FF549BD0FF2D9@BY5PR00MB0708.namprd00.prod.outlook.com>
Cc: Chad Vincent <chad.vincent@crashplan.com>, "scim@ietf.org" <scim@ietf.org>
To: Danny Zollner <Danny.Zollner@microsoft.com>
References: <CAKXu=h_4LR-VXiEozAA2OwSX-E==7NLcD4oVU1DKngyUfSGoGQ@mail.gmail.com> <AAB851CE-D019-49E2-8DA9-132B8EA03DD4@independentid.com> <BY5PR00MB070873165E22B5A4FF549BD0FF2D9@BY5PR00MB0708.namprd00.prod.outlook.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/ZUS5B2h1sng4lwA0mgIfQDxT_7c>
Subject: Re: [scim] [EXTERNAL] Extension Clarification Request
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2022 19:39:17 -0000

Danny,

The spec is very clear on this. I think you are trying to take a rule and say it applies everywhere ignoring all other rules. In this case there it is an additive condition.  If A is present then B MUST be present.

If one includes an extension schema in schemas, then there MUST be a correspoinding schema extension attribute for it.  
>  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {},


So why list a schema extension that is not in use?  It turns out there is an occasion where this is needed.  For example in a PUT operation, specifying the extension object without attributes is expressing that those extension attributes are to be removed.   E.g.  if one used Chad’s third example record in a PUT, that would allow the SCIM service provider to infer that the attributes are to be removed (See “readWrite” under 3.5.1 Replacing with PUT).

Best,

Phillip Hunt
@independentid
phil.hunt@independentid.com




> On Oct 21, 2022, at 12:01 PM, Danny Zollner <Danny.Zollner@microsoft.com> wrote:
> 
> Looking at RFC 7643, I can see how the language isn’t crystal clear on the requirement for each in-use schema to be represented by a value in the schemas attribute. I think the line that states this is in 7643 3.3:
>  
> All representations of SCIM schemas MUST include a non-empty array with value(s) of the URIs supported by that representation. 
>  
> The latter half of that sentence being key, I think. The MUST applies to both “include a non-empty array” and “with values of the URIs supported by that representation” – meaning every schema represented on the resource needs to be present in the array of values for the schemas attribute. 
>  
> I think if we end up revising the core schema RFC and publish a new version in the future, there may be a way to word this requirement more clearly.
>  
> (As a side note, originally, I was going to say that based on a past reading I’d had of the spec that it wasn’t clear if including each schema value was a requirement, but while rereading to make that case the above quoted part of 7643 3.3 made sense to me as meaning the same thing that Phil said in his email) 
>  
> Thanks,
>  
> Danny Zollner (He/Him)
> 
> From: scim <scim-bounces@ietf.org> On Behalf Of Phillip Hunt
> Sent: Friday, October 21, 2022 12:12 PM
> To: Chad Vincent <chad.vincent@crashplan.com>
> Cc: scim@ietf.org
> Subject: [EXTERNAL] Re: [scim] Extension Clarification Request
>  
> Chad,
>  
> The logic should be: The ResourceType for the ServiceProvider defines what schemas are possible in the User resource type.  The schemas attribute indicates what attributes are present in the JSON object and how to parse them (by looking up the schema in the /Schemas endpoint). So if you add an enterprise user attribute to a User, you have to make sure the enterprise user schema URI value is in the schemas attribute.
>  
> If no enterprise user attributes are present, then the schema value is not there either.  
>  
> The idea here is to help parsers know what to look for.
>  
> Phillip Hunt
> @independentid
> phil.hunt@independentid.com <mailto:phil.hunt@independentid.com>
>  
>  
> 
> 
> 
> On Oct 21, 2022, at 9:50 AM, Chad Vincent <chad.vincent@crashplan.com <mailto:chad.vincent@crashplan.com>> wrote:
>  
> If I could get clarification on this from an official source, it would be most helpful.
> 
> A Service Provider responding to a SCIM request has a User with none of the fields in the Enterprise Extension set.  Based on RFC 7643 Section 3, the "schemas" attribute is "used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure."  As there are no Enterprise Extension attributes present, the extension schema urn would not be included.  However, later in the same paragraph it says that it, "MUST include a non-empty array with value(s) of the URIs supported (emphasis mine) by that representation."
>  
> Section 3.3 is likewise not helpful in clarifying, as I am reading "Each value in the "schemas" attribute indicates additive schema that MAY exist in a SCIM resource representation." as being indicative of the particular representation/response, not the service provider as a whole.  And in Section 6 it says that including the extensions in the Resource Type schema is optional.
>  
> This comes up because we've identified an Identity Provider that will not add the extension and its attributes if the extension isn't already in the user when performing a GET.  It will, however, include the extension on net-new user creation or update it if already present.  Okta and Azure have no issue with seeing a User object without the Enterprise Extension and then adding one if they want to set one of those fields.  The library we're using likewise doesn't include the schema if it's not present in the User.  This has us reviewing our interpretation of the specification.
>  
> So for a SCIM response where all the fields in an extension do not exist, is it correct to send just the root schema, include the extension schema in the "schemas" attribute, or include the extension schema in the "schemas" attribute and an empty extension attribute/object?
>  
> Sample objects:
>  
> -- No values --
> {
>   "schemas":
>     ["urn:ietf:params:scim:schemas:core:2.0:User"],
>   "id": "2819c223-7f76-453a-919d-413861904646",
>   "externalId": "701984",
>   "userName": "bjensen@example.com <mailto:bjensen@example.com>",
>   "emails": [
>     {
>       "value": "bjensen@example.com <mailto:bjensen@example.com>",
>       "type": "work",
>       "primary": true
>     }
>   ],
>   "userType": "Employee",
>   "title": "Tour Guide",
>   "active":true,
>   "meta": {
>     "resourceType": "User",
>     "created": "2010-01-23T04:56:22Z",
>     "lastModified": "2011-05-13T04:42:34Z",
>     "version": "W\/\"3694e05e9dff591\"",
>     "location":
> "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Fv2%2FUsers%2F2819c223-7f76-453a-919d-413861904646&data=05%7C01%7Cdanny.zollner%40microsoft.com%7Ca40158f6408c4669e01108dab3876be8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638019691494951041%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=fmk9GAxu6%2FFZr6VQ%2F5NihrHbeO3UVBhziJ4%2FEl1UW00%3D&reserved=0>"
>   }
> }
>  
> -- Schema but no Object --
> {
>   "schemas":
>     ["urn:ietf:params:scim:schemas:core:2.0:User",
>       "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
>   "id": "2819c223-7f76-453a-919d-413861904646",
>   "externalId": "701984",
>   "userName": "bjensen@example.com <mailto:bjensen@example.com>",
>   "emails": [
>     {
>       "value": "bjensen@example.com <mailto:bjensen@example.com>",
>       "type": "work",
>       "primary": true
>     }
>   ],
>   "userType": "Employee",
>   "title": "Tour Guide",
>   "active":true,
>   "meta": {
>     "resourceType": "User",
>     "created": "2010-01-23T04:56:22Z",
>     "lastModified": "2011-05-13T04:42:34Z",
>     "version": "W\/\"3694e05e9dff591\"",
>     "location":
> "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Fv2%2FUsers%2F2819c223-7f76-453a-919d-413861904646&data=05%7C01%7Cdanny.zollner%40microsoft.com%7Ca40158f6408c4669e01108dab3876be8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638019691494951041%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=fmk9GAxu6%2FFZr6VQ%2F5NihrHbeO3UVBhziJ4%2FEl1UW00%3D&reserved=0>"
>   }
> }
>  
> -- Empty object present --
> {
>   "schemas":
>     ["urn:ietf:params:scim:schemas:core:2.0:User",
>       "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
>   "id": "2819c223-7f76-453a-919d-413861904646",
>   "externalId": "701984",
>   "userName": "bjensen@example.com <mailto:bjensen@example.com>",
>   "emails": [
>     {
>       "value": "bjensen@example.com <mailto:bjensen@example.com>",
>       "type": "work",
>       "primary": true
>     }
>   ],
>   "userType": "Employee",
>   "title": "Tour Guide",
>   "active":true,
>   "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {},
>   "meta": {
>     "resourceType": "User",
>     "created": "2010-01-23T04:56:22Z",
>     "lastModified": "2011-05-13T04:42:34Z",
>     "version": "W\/\"3694e05e9dff591\"",
>     "location":
> "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Fv2%2FUsers%2F2819c223-7f76-453a-919d-413861904646&data=05%7C01%7Cdanny.zollner%40microsoft.com%7Ca40158f6408c4669e01108dab3876be8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638019691494951041%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=fmk9GAxu6%2FFZr6VQ%2F5NihrHbeO3UVBhziJ4%2FEl1UW00%3D&reserved=0>"
>   }
> }
>  
> -- 
> Chad Vincent (he/him) | Software Engineer, Senior - CrashPlan
> chad.vincent@crashplan.com <mailto:chad.vincent@crashplan.com>
> 400 S 4th St Suite 410 PMB 31083 Minneapolis, MN 55415-1419
>  
> _______________________________________________
> scim mailing list
> scim@ietf.org <mailto:scim@ietf.org>
> https://www.ietf.org/mailman/listinfo/scim <https://www.ietf.org/mailman/listinfo/scim>

v2.23.0 | Report a Bug | By Email