Re: [scim] Multi-Valued Attribute "Value" Requirement

Phillip Hunt <phil.hunt@independentid.com> Tue, 10 May 2022 22:43 UTC

Return-Path: <phil.hunt@independentid.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B43EC15949C for <scim@ietfa.amsl.com>; Tue, 10 May 2022 15:43:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CwvTWfcSP0i3 for <scim@ietfa.amsl.com>; Tue, 10 May 2022 15:43:41 -0700 (PDT)
Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41A6DC157B54 for <scim@ietf.org>; Tue, 10 May 2022 15:43:41 -0700 (PDT)
Received: by mail-pf1-x42b.google.com with SMTP id p8so379520pfh.8 for <scim@ietf.org>; Tue, 10 May 2022 15:43:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20210112.gappssmtp.com; s=20210112; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=HARZiq1UvAuvyDCYLaiCNZM1qn28BRFGw1rUm7yWhcI=; b=xdLK9F1RTEahQvHW4mEPjvCqC8WYDW6dy0AdT1cmCHx1VluZc7zNdc9qwX8zDt2etA 2a4rhGgg+9Af6/BkWxkekrTE/AsqHvpCc4JHLiJWPJRg6hXkiKppQGj+H4cXtX03qlDb kiUh8kE5odmD/lXxM+1fCHU4HbjuzJd/Q7E3yIq0lt864q87RGnXMTap6VAUbShTz9kj Am68OsPEvHmejM0bSCwboxz1PiwtGF9MiTxyL3sEjjeSWoEzjBWIDtnigdeGSQqVkNPX hEJyA3dXNZ97WIDstT1V3p334jBEtNd4tynnYT1UrFTrgvE/gBv/AXRL0QJvDNmKUZFz Rj3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=HARZiq1UvAuvyDCYLaiCNZM1qn28BRFGw1rUm7yWhcI=; b=JMYivqrq7gvHQDIHLZn3/eSnavFk9qbL4HTh+iE1gJc0HB77n5HOLdCIS6hViSEFPX Fx/1GMSo20eD3DbJVcHvkzYNa6YXTidtpJabyDBHFIfyTRUV7oBQsEWAEmVJ0wKqLzcY BBAS8XWroh5Aql7Mh/naNiBIVISYqNDZaaxmfe6Xwy4uUAjrH9z4HbVt+blLkqRlcbhv vEYtr8gP9JwGItTDTFBVG3jI326DpDY50+s+U36fQX5ZeJwsb/y4Gd7XqX1+tEq5xGTo mAXzLuqkZlX25/SubWAe0QQvr/mvaBU1311g+l5cW6J6AijmOaV9HY7blyMz2xco0Xmo WbRg==
X-Gm-Message-State: AOAM530wMyNA+HwMoe6HYas3VNNYbMA9buSJutf1ljkg/eGyyszXbV3p 6Z2eiJXe4U7ar7nMxKlcR2+mEA==
X-Google-Smtp-Source: ABdhPJwNO2EGjifYK3K5pEZ9sSVdV7RLwJfDj4fZHJPSQi2nhYaDi6XPbvqCfJnjrsqgqhjFqIQwdA==
X-Received: by 2002:a63:5a13:0:b0:3c6:3d28:87e5 with SMTP id o19-20020a635a13000000b003c63d2887e5mr19012631pgb.452.1652222619760; Tue, 10 May 2022 15:43:39 -0700 (PDT)
Received: from smtpclient.apple (node-1w7jr9qjhqzxoi37tfz9niu1l.ipv6.telus.net. [2001:569:7316:ae00:6dec:7495:5cf8:9399]) by smtp.gmail.com with ESMTPSA id y20-20020a1709029b9400b0015e8d4eb1d9sm158142plp.35.2022.05.10.15.43.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 10 May 2022 15:43:39 -0700 (PDT)
From: Phillip Hunt <phil.hunt@independentid.com>
Message-Id: <23AC1401-D0C4-4337-9254-5F353406F363@independentid.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4D982DEA-B773-4870-BBB8-114977D825F5"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
Date: Tue, 10 May 2022 15:43:38 -0700
In-Reply-To: <CAGUsYPz+VE-5DTxxVfxcr2O0zO4ZcMsxk2eZ3UVqa9NqXhtoig@mail.gmail.com>
Cc: scim@ietf.org
To: Shelley <randomshelley@gmail.com>
References: <CAGUsYPzB2HGN7M--oof99BpCJYaEKL5w6fa-3SvAmM_v_Sbv+g@mail.gmail.com> <1CD92F57-E326-4720-8ED3-B161C15DF95B@independentid.com> <CAGUsYPz+VE-5DTxxVfxcr2O0zO4ZcMsxk2eZ3UVqa9NqXhtoig@mail.gmail.com>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/pybxcUMtisctv-hBPLypAdBIGBE>
Subject: Re: [scim] Multi-Valued Attribute "Value" Requirement
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 May 2022 22:43:42 -0000

Shelley,

This looks like the SCIM client has a serious bug and is failing to map the number correctly and is not intending to delete all values. As a service provider, to be careful, I would change the phoneNumbers value attribute schema to be required. This would cause the operation to fail. I think following the “null” or “empty set” rule might risk deleting data that was not intended.

Phillip Hunt
@independentid
phil.hunt@independentid.com




> On May 10, 2022, at 1:30 PM, Shelley <randomshelley@gmail.com> wrote:
> 
> Thanks for the feedback. 
> 
> > Is the clients sending all of the numbers at once?  Or are these meant as individual examples?  
> 
> The client is not sending all of those values in a single "phoneNumbers" array; the example was just to illustrate several value-less "phoneNumbers" that SCIM implementations would need to handle, and to help provide different examples in case each may be interpreted differently.
> 
> > I would look to Section 3.3 (Create) and 3.5.1 (Put) and also 7643 Sec 2.5, where “null” (or [] in the case of multi-values) means to override existing or default values to assert them as null.  Doing so inside of a MV attribute makes a little less sense. 
> 
> Correct, those sections don't really speak directly to sub-attributes. For reference, on a POST or PUT our implementation does accept any of the following, inline with the RFC:
> "phoneNumbers": null
> "phoneNumbers": []
> omission of the multi-valued attribute
> > The ugliness of this example does show why making “value” as required in phoneNumbers for the next iteration of 7643 might be a good idea.  :-)
> 
> Is there somewhere that we can log this to keep track of this for inclusion in the next RFC?
> 
> In the meantime, I'm still curious as to how other server implementations and clients handle this scenario. My first preference would be to continue requiring the "value" subattribute in these cases, but if we need to make changes for broader compatibility with such clients, I'm assuming we should just ignore the value-less multi-valued attributes? And/or are others actually persisting and returning these valueless objects (e.g. with just the "type"/"primary" subattributes)?
>  
> 
> On Tue, May 10, 2022 at 3:02 PM Phillip Hunt <phil.hunt@independentid.com <mailto:phil.hunt@independentid.com>> wrote:
> Shelley,
> 
> I would look to Section 3.3 (Create) and 3.5.1 (Put) and also 7643 Sec 2.5, where “null” (or [] in the case of multi-values) means to override existing or default values to assert them as null.  Doing so inside of a MV attribute makes a little less sense. 
> 
> Is the clients sending all of the numbers at once?  Or are these meant as individual examples?  
> 
> For a SCIM PUT operation, sending “phoneNumbers”: [],  or “phoneNumbers”: [{}] would likely result in reseting the phoneNumbers value to unasserted removing any existing values. In the case of create, it overrides any default values that would otherwise be generated.   This is useful because some servers might default work number to a company 1-800 number. Using “null” allows clients to override to say no number for this person.
> 
> The ugliness of this example does show why making “value” as required in phoneNumbers for the next iteration of 7643 might be a good idea.  :-)
> 
> Phillip Hunt
> @independentid
> phil.hunt@independentid.com <mailto:phil.hunt@independentid.com>
> 
> 
> 
> 
>> On May 10, 2022, at 12:41 PM, Shelley <randomshelley@gmail.com <mailto:randomshelley@gmail.com>> wrote:
>> 
>> How should a SCIM server implementation interpret and manage multi-valued attributes that are sent without values?
>> 
>> For example, if a SCIM client sends any of the following phone numbers:
>> 
>> "phoneNumbers": [
>>   {},
>>   {
>>     "value": null
>>   }, 
>>   {
>>     "value": null,
>>     "type": null
>>   },
>>   {
>>     "value": null,
>>     "primary": true
>>   },
>>   {
>>     "type": "work",
>>     "primary": false
>>   }
>> ]
>> 
>> Should the SCIM server accept, ignore, or reject some/all of these phone numbers? The spec does not strictly require the "value", but it seems quite ambiguous to send a phone number without a phone number, for example.
>> 
>> In our SCIM 1.1 and 2.0 server implementations, we have marked the "value" subattribute for all supported multi-valued attributes as "required" in our schema, documentation, and functionality. After 11 years, we have just now encountered a SCIM client that sends multi-valued attributes without value subattributes, however, to which we return a 400 error. We have documented the "value" subattribute as required in the schema we return from the "Schemas" endpoint:
>> 
>> {
>>   "name": "value",
>>   "type": "string",
>>   "multiValued": false,
>>   "description": "The phone number.",
>>   "required": true,
>>   "caseExact": false,
>>   "mutability": "readWrite",
>>   "returned": "default",
>>   "uniqueness": "none"
>> }
>> 
>> However, the SCIM specification does not explicitly require it in the example schema nor in the RFC text.
>> 
>> In my opinion, since the "value" is "the significant value", it should be required for the multi-valued attributes that support it, and SCIM clients should simply omit the object if there is no enclosed value. Without a value, the object seems invalid/incomplete/ambiguous. In lieu of that, is our next best bet just to completely ignore any valueless multi-valued attributes, regardless of whether any other subattributes are provided? How do other SCIM providers and consumers handle this?
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org <mailto:scim@ietf.org>
>> https://www.ietf.org/mailman/listinfo/scim <https://www.ietf.org/mailman/listinfo/scim>
>