IETF Logo Mail Archive

Re: [scim] [INPUT REQUESTED] Re: Detailed error and status codes

Phil Hunt <phil.hunt@oracle.com> Thu, 26 June 2014 16:20 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 985CC1B30D7 for <scim@ietfa.amsl.com>; Thu, 26 Jun 2014 09:20:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.052
X-Spam-Level:
X-Spam-Status: No, score=-1.052 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_38=0.6, J_CHICKENPOX_64=0.6, MANGLED_WANT=2.3, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MguLzjbH5mem for <scim@ietfa.amsl.com>; Thu, 26 Jun 2014 09:20:45 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75A331B311A for <scim@ietf.org>; Thu, 26 Jun 2014 08:35:25 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s5QFZN14016839 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 26 Jun 2014 15:35:24 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s5QFZM6E020411 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 26 Jun 2014 15:35:22 GMT
Received: from abhmp0012.oracle.com (abhmp0012.oracle.com [141.146.116.18]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s5QFZM9F020402; Thu, 26 Jun 2014 15:35:22 GMT
Received: from [192.168.1.188] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 26 Jun 2014 08:35:21 -0700
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <53ABE35E.7030404@tarent.de>
Date: Thu, 26 Jun 2014 08:34:50 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <BB042EFD-5BDF-4BE4-9B7E-F324A23EA411@oracle.com>
References: <65922FF3-8637-4116-B336-C5424BF9BAAB@oracle.com> <53A9D021.2060906@gmx.de> <71B45AEC-9B79-4F3F-A933-23B0C2AF868E@oracle.com> <BE66EB70-40F3-4FC3-87DA-F828DDB300AD@nexusgroup.com> <C69F2063-B082-4ACC-A0B7-3FBF81083086@oracle.com> <53ABE35E.7030404@tarent.de>
To: David Möbius <d.moebius@tarent.de>
X-Mailer: Apple Mail (2.1878.2)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/scim/mJOTS8OKgVkia_5h7iIWfHDuj2I
Cc: scim@ietf.org
Subject: Re: [scim] [INPUT REQUESTED] Re: Detailed error and status codes
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jun 2014 16:20:47 -0000

1. scimType is intended to indicate many of these details. Like a unique index conflict (e.g. “uniqueness”).  That said, I’m not sure it would indicate which attribute caused the failure.  Should we indicate which attribute is not unique or which attribute has a mutability error through another response element?

2. Why isn’t the standard accept-langauge headers not appropriate to localize the detail message? 

There are also some security considerations here in cross-domain scenarios. It is very likely that even if we mandate detail errors that many SPs will return generic Status 400 errors to non-privledged clients.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com



On Jun 26, 2014, at 2:09 AM, David Möbius <d.moebius@tarent.de> wrote:

> Hello,
> 
> I would like to adjust to add a "error group" type to the error object.
> 
> Example:
> 
> {
>  “schema”: "urn:scim:api:messages:2.0:Error”
>  "scimGroupType" - "saving user"
>  "scimDetailType" - "username allready taken"
>  "status" - the HTTP status (should correspond to the response header)
>  "detail" - "The username 'marissa' is already taken"
> }
> 
> 
> The scimGroupType and the scimDetailType should never change if you do
> the same mistage to make it machine readable.
> 
> Example and Reason:
> I have a mask where the user can create an account. I have created my
> html page the way that the user can't do "anything" wrong. The only
> think the could do wrong is to use a existing username.
> 
> After I send the new user to the backend I get an exception. Since I
> wan't to display the exception message in german or an other language I
> need to know what type of exception was the problem.
> 
> I would like to give the User kind of messages:
> 
> 1. The user used a given username: If this is the problem I can see it
> with the help of the scimDetailType which will always be "username
> already taken".
> 
> 2. It is somethink wrong with the userdata (for example a email without
> @ which I forget to check in my frontend). That something is wrong with
> the userdata in generall I can see with the "scimGroupType"
> 
> 3. Something else happens and I want to log the exception in my logs and
> give an general message to the user
> 
> In my front end it could look like
> 
> if(scimException.getScimDetailType.equals("username allready taken")){
> 
> errorMessage = "in german: Your username is already taken. Plase use a
> other one."
> }else if(scimException.getScimGroupType.equals("saving user")){
> 
> errorMessage = "in german: Could not save your data. Please check your
> given data.";
> }else{
> 
> log.Error(scimException);
> errorMessage= "in german: an error happen. Please try again later."
> }
> 
> For this reason it would be good if we have 2 error codings in our error
> json object. What do you think about this?
> 
> by David
> 
> Am 25.06.2014 21:07, schrieb Phil Hunt:
>> On the call today (Erik, Bjorn, Morteza, and myself), we discussed the
>> error issue.
>> 
>> The major concern with the draft suggested by Julian is really one of
>> timing - we would prefer not to hold SCIM up. A good middle-ground
>> approach is to align with the draft, but define the error fully within
>> SCIM (using the SCIM mime type and schema namespace).
>> 
>> The proposal on the call is to SCIM mime/type of application/scim+json
>> in error responses and include the SCIM error message schema declaration.  
>> 
>> {
>> “schema”: "urn:scim:api:messages:2.0:Error” (indicates the SCIM message
>> type)
>> "scimType" - a keyword indicating the detail error (e.g.  “mutability”)
>> "status" - the HTTP status (should correspond to the response header)
>> "detail" - a detailed, human-readable message
>> }
>> 
>> Servers MAY return additional attributes (e.g. ones from http-problem
>> draft).  The only mandatory attributes are “schema” and “status”.  For
>> example on anonymous self-registration scenarios, servers may be
>> unwilling to give detail error responses for security reasons.
>> 
>> The reason for using scimType (instead of type) is to avoid any
>> confusion with “type” from draft-nottingham-http-problem and its
>> eventual use of “type”.
>> 
>> In a future update to SCIM we can then transition to align with the HTTP
>> Problem draft by simply adding “type” in the way it defines. 
>> 
>> Phil
>> 
>> @independentid
>> www.independentid.com <http://www.independentid.com>
>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>> 
>> 
>> 
>> On Jun 25, 2014, at 12:25 AM, Erik Wahlström
>> <erik.wahlstrom@nexusgroup.com <mailto:erik.wahlstrom@nexusgroup.com>>
>> wrote:
>> 
>>> So that would make it look like the following right?
>>> 
>>> {
>>>  "schemas": ["urn:scim:api:messages:2.0:Error"],
>>>  "Error":
>>>    {
>>>      "type": "urn:scim:api:error:2.0:mutability",
>>>      "title": “Attribute is readOnly.",
>>>      "detail": “Attribute 'id' is readOnly and can’t be changed in a
>>> PATCH request.",
>>>      “status": 400  
>>>    }
>>> }
>>> 
>>> I replaced Errors with Error.
>>> Also replaced urn:scim:error:api:2.0:mutability with
>>> urn:scim:api:error:2.0:mutability
>>> 
>>> That works for me.
>>> / Erik
>>> 
>>> 
>>> 
>>> On 25 Jun 2014, at 01:30, Phil Hunt <phil.hunt@oracle.com
>>> <mailto:phil.hunt@oracle.com>> wrote:
>>> 
>>>> Note: July 04 is the LAST day for us to potentially submit updates
>>>> for the IETF90 meeting.  This gives us about 1.5 weeks to close off
>>>> the error issues and update the drafts.  If you have a moment please
>>>> take a look and comment as soon as possible...
>>>> 
>>>> Julian thanks for the suggestion.  For the rest of the group’s
>>>> benefit, the draft Julian referenced suggests the following
>>>> attributes be returned in a standardized detailed error JSON body…
>>>> 
>>>>>   A problem details object MAY have the following members:
>>>>> 
>>>>>   o  "type" (string) - An absolute URI [RFC3986 <http://tools.ietf.org/html/rfc3986>] that identifies the
>>>>>      problem type.  When dereferenced, it SHOULD provide human-readable
>>>>>      documentation for the problem type (e.g., using HTML
>>>>>      [W3C.REC-html401-19991224 <http://tools.ietf.org/html/draft-nottingham-http-problem-06#ref-W3C.REC-html401-19991224>]).  When this member is not present, its
>>>>>      value is assumed to be "about:blank".
>>>>>   o  "title" (string) - A short, human-readable summary of the problem
>>>>>      type.  It SHOULD NOT change from occurrence to occurrence of the
>>>>>      problem, except for purposes of localisation.
>>>>>   o  "status" (number) - The HTTP status code ([RFC2616], Section 6 <http://tools.ietf.org/html/rfc2616#section-6>)
>>>>>      generated by the origin server for this occurrence of the problem.
>>>>>   o  "detail" (string) - An human readable explanation specific to this
>>>>>      occurrence of the problem.
>>>>>   o  "instance" (string) - An absolute URI that identifies the specific
>>>>>      occurrence of the problem.  It may or may not yield further
>>>>>      information if dereferenced.
>>>> 
>>>> Here is the corresponding example error response:
>>>>>   HTTP/1.1 403 Forbidden
>>>>>   Content-Type: application/problem+json
>>>>>   Content-Language: en
>>>>> 
>>>>>   {
>>>>>    "type": "http://example.com/probs/out-of-credit",
>>>>>    "title": "You do not have enough credit.",
>>>>>    "detail": "Your current balance is 30, but that costs 50.",
>>>>>    "instance": "http://example.net/account/12345/msgs/abc",
>>>>>    "balance": 30,
>>>>>    "accounts": ["http://example.net/account/12345",
>>>>>                 "http://example.net/account/67890"]
>>>>>   }
>>>> 
>>>> Julian, what is the value of having “type” be a URI?  Why not just
>>>> have a SCIM specific attribute (scimType) and use simple keywords?
>>>> (asking mainly for the WG’s benefit). I guess the strong case is that
>>>> by standardizing HTTP responses, client code gets simplified.
>>>> However, using standard attributes creates the namespace conflict
>>>> issue.  So we need URI based error codes.
>>>> 
>>>> The SCIM specs could adopt the “type”, “detail”, and “status”. We
>>>> would register a namespace of urn:scim:error:apil:2.0 in the SCIM
>>>> IANA section in addition to api:messages, schema:core, etc.  This
>>>> would give detail error types of:
>>>>  urn:scim:error:api:2.0:mutability, urnscim:error:api:2.0:filter, etc.
>>>> 
>>>> The other items, like title, instance, etc could be optional or just
>>>> omitted from SCIM spec. —> we would just indicate that clients should
>>>> expect attributes within the JSON message other than those defined by
>>>> the SCIM drafts.
>>>> 
>>>> IMPORTANT NOTE:  the format suggested by Julian allows for only one
>>>> error at a time.  Erik had commented he prefers to return only one. I
>>>> tend to agree. In the case of BULK requests, this is not really an
>>>> issue since each BULK operation gets its own response block.
>>>> 
>>>> *_In the interests of time, any objections to using type (with URI
>>>> based error codes), detail, status, per above and limiting to ONE per
>>>> response?  _*
>>>> 
>>>> I know these are normative changes….however I’m pretty sure we can’t
>>>> avoid changes in the final document clean up whether or not we adopt
>>>> the proposed standardized error response.
>>>> 
>>>> Cheers,
>>>> 
>>>> Phil
>>>> 
>>>> @independentid
>>>> www.independentid.com <http://www.independentid.com/>
>>>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>>> 
>>>> 
>>>> 
>>>> On Jun 24, 2014, at 12:23 PM, Julian Reschke <julian.reschke@gmx.de
>>>> <mailto:julian.reschke@gmx.de>> wrote:
>>>> 
>>>>> On 2014-06-24 21:01, Phil Hunt wrote:
>>>>>> With regards to tickets 37, 46, 67, it looks like we will have some
>>>>>> normative changes required.  I am also expecting new SCIM error
>>>>>> codes as
>>>>>> we look at the possible reasons a server might return Bad Request or
>>>>>> other HTTP status codes.
>>>>>> 
>>>>>> Currently, the example response from PATCH, we use “error” to
>>>>>> indicate a
>>>>>> detailed error.
>>>>>> 
>>>>>> * "error":"mutability"*
>>>>>> 
>>>>>> From Response Codes Section, no detail error is defined:
>>>>>> 
>>>>>> *HTTP/1.1 404 NOT FOUND*
>>>>>> 
>>>>>> {
>>>>>>  "schemas": ["urn:scim:api:messages:2.0:Error"],
>>>>>>  "Errors":[
>>>>>>    {
>>>>>>      *"description":"Resource 2819c223-7f76-453a-919d-413861904646
>>>>>> not found",
>>>>>>      "code":"404"*
>>>>>>    }
>>>>>>  ]
>>>>>> }
>>>>>> 
>>>>>> 
>>>>>> Doing a search around Twitter, AWS, and many others, I see that “code”
>>>>>> is often used to indicate a detailed error message (“mutability”) and
>>>>>> status is used to indicate HTTP status.
>>>>>> 
>>>>>> In an attempt to bring consistency across the API document, I am
>>>>>> proposing we use http_status and scim_code. This will help make clear
>>>>>> what we are referring to and allow existing implementations to co-exist
>>>>>> for a while (by having different names).
>>>>>> 
>>>>>> _Are there any objections to normalizing the spec around following
>>>>>> format and attributes?_
>>>>>> 
>>>>>> Proposed example:
>>>>>> 
>>>>>> *HTTP/1.1 400 Bad Request*
>>>>>> 
>>>>>>   Content-Type: application/scim+json;charset=UTF-8
>>>>>>   Cache-Control: no-store
>>>>>>   Pragma: no-cache
>>>>>> 
>>>>>>   {
>>>>>>     "schemas": ["urn:scim:api:messages:2.0:Error"],
>>>>>>     "Errors":[
>>>>>>       {
>>>>>>         *“scim_code":"mutability”,*
>>>>>> 
>>>>>> *          “http_status”:400,*
>>>>>>         "error_description":"Attribute 'id' is readOnly."
>>>>>>       },
>>>>>> 
>>>>>>        . . .
>>>>>> 
>>>>>>     ]
>>>>>> 
>>>>>>   }
>>>>>> ...
>>>>> 
>>>>> You may want to read
>>>>> <http://tools.ietf.org/html/draft-nottingham-http-problem-06>...
>>>>> 
>>>>> Best regards, Julian
>>>>> 
>>>>> _______________________________________________
>>>>> scim mailing list
>>>>> scim@ietf.org <mailto:scim@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/scim
>>>> 
>>>> _______________________________________________
>>>> scim mailing list
>>>> scim@ietf.org <mailto:scim@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/scim
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim
>> 
> 
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim

v2.23.0 | Report a Bug | By Email