Re: [scim] PATCH Multi-Valued Attribute Value Type

"McAdams, Darin" <darinm@amazon.com> Wed, 30 September 2020 22:39 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/pZXcNilzwgLRmB5UoDTppdyEr6k>

I’m curious as well. We are proposing a SCIM interop profile in FastFed and now I’m hoping we got it right!
https://openid.net/specs/fastfed-scim-1_0-02.html#rfc.section.4.3.7

From: scim <scim-bounces@ietf.org> on behalf of Shelley <randomshelley@gmail.com>
Date: Wednesday, September 30, 2020 at 2:23 PM
To: "scim@ietf.org" <scim@ietf.org>
Subject: [EXTERNAL] [scim] PATCH Multi-Valued Attribute Value Type

For "add" and "replace" PATCH operations that specify multi-valued attributes, is the content of the "value" attribute supposed to be an array containing the new/replaced element(s) or a single JSON object containing the new/replaced element? The RFC seems to contain examples for both, and I would like to better understand the difference.

Add Operation "Value" Type for Multi-Valued Attributes
There is an "add" example on page 37 which specifies an array for a multi-valued attribute:
{
  "op": "add",
  "path": "members",
  "value": [{
    "display": "Babs Jensen",
    "$ref": "https://example.com/v2/Users/2819c223...413861904646",
    "value": "2819c223-7f76-453a-919d-413861904646"
  }]
}

The description of "add", however, indicates that it contains "a "value" member whose content specifies the value to be added." In the case of "add", the value being added is the individual element, not an array.

Also, the "add" description indicates that the "value MAY be a quoted value, or it may be a JSON object containing the sub-attributes" but does not seem to allow arrays (nor JSON literals, such as booleans or numbers, which is a separate question...).

Is the description or the example incorrect? Should the operation "value" here be a JSON object or an array?

Replace Operation "Value" Type for Multi-Valued Attributes
For "replace", there is an example on page 44 that specifies an array for the "value" of a multi-valued attribute:
{
  "op": "replace",
  "path": "members",
  "value": [{
    "display": "Babs Jensen",
    "$ref": "https://example.com/v2/Users/2819c223...413861904646",
    "value": "2819c223...413861904646"
  },
  {
    "display": "James Smith",
    "$ref": "https://example.com/v2/Users/08e1d05d...473d93df9210",
    "value": "08e1d05d...473d93df9210"
  }]
}

However, there is also a "replace" example on page 45 that specifies an object (not an array) for the "value" of a multi-valued attribute:
{
  "op": "replace",
  "path": "addresses[type eq \"work\"]",
  "value": {
    "type": "work",
    "streetAddress": "911 Universal City Plaza",
    "locality": "Hollywood",
    "region": "CA",
    "postalCode": "91608",
    "country": "US",
    "formatted": "911 Universal City Plaza\nHollywood, CA 91608 US",
    "primary": true
  }
}

The use of the array for "replace" on "members" seems appropriate since it is replacing the entire attribute with one or more values. For the "addresses" value path, it's a little less clear to me. The use of an object seems to imply that even if multiple addresses are matched by the filter, only one new element may be specified to take its/their place. Can someone provide clarification on when to use array vs. object here?

Thank you!
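
The two "value" shapes quoted in this thread, handled by one lenient receiver. This is an added example, not part of the original messages or of the RFC, and it does not settle which shape is correct. Assumptions: the function name apply_patch_op, the sample data, and support for only the value-path form attr[sub eq "literal"] are all illustrative choices.

```python
import copy
import re

# Only the simple value-path form quoted in the thread: attr[sub eq "literal"]
_VALUE_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]$')

# Constructed sample resource (not taken from the RFC or the thread).
SAMPLE_USER = {"addresses": [{"type": "work", "locality": "A"},
                             {"type": "work", "locality": "B"},
                             {"type": "home", "locality": "C"}]}


def _as_list(value):
    """Accept either shape from the thread: one JSON object or an array of objects."""
    items = value if isinstance(value, list) else [value]
    if not items or not all(isinstance(i, dict) for i in items):
        raise ValueError("value must be an object or a non-empty array of objects")
    return copy.deepcopy(items)


def apply_patch_op(resource, op):
    """Apply one add/replace op to a multi-valued attribute and return a new dict."""
    result = copy.deepcopy(resource)
    kind, path = op["op"], op["path"]
    items = _as_list(op["value"])
    match = _VALUE_PATH.match(path)
    if match:
        attr, sub, literal = match.groups()
        if kind != "replace":
            raise ValueError("this sketch handles filtered paths for replace only")
        if len(items) != 1:
            # Assumption: one replacement element stands in for every match.
            raise ValueError("filtered replace takes exactly one element")
        current = result.get(attr, [])
        if not any(e.get(sub) == literal for e in current):
            raise ValueError("noTarget")  # filter matched no element
        result[attr] = [copy.deepcopy(items[0]) if e.get(sub) == literal else e
                        for e in current]
    elif kind == "add":
        result[path] = result.get(path, []) + items  # append to existing values
    elif kind == "replace":
        result[path] = items  # the whole attribute is replaced
    else:
        raise ValueError("unsupported op: " + kind)
    return result
```

With this normalization an "add" carrying a single object and one carrying a one-element array produce the same resource, while a filtered "replace" rejects an array of several elements instead of guessing how to map them onto the matches.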