Re: [scim] Extension Clarification Request

Phillip Hunt <phil.hunt@independentid.com> Fri, 21 October 2022 17:12 UTC

From: Phillip Hunt <phil.hunt@independentid.com>
Message-Id: <AAB851CE-D019-49E2-8DA9-132B8EA03DD4@independentid.com>
Date: Fri, 21 Oct 2022 10:12:17 -0700
In-Reply-To: <CAKXu=h_4LR-VXiEozAA2OwSX-E==7NLcD4oVU1DKngyUfSGoGQ@mail.gmail.com>
Cc: scim@ietf.org
To: Chad Vincent <chad.vincent@crashplan.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/shokQiu5lM_8evGyNu3PuLm7U8M>
Subject: Re: [scim] Extension Clarification Request

Chad,

The logic should be: The ResourceType for the ServiceProvider defines what schemas are possible in the User resource type.  The schemas attribute indicates what attributes are present in the JSON object and how to parse them (by looking up the schema in the /Schemas endpoint). So if you add an enterprise user attribute to a User, you have to make sure the enterprise user schema URI value is in the schemas attribute.

If no enterprise user attributes are present, then the schema value is not there either.  

The idea here is to help parsers know what to look for.

Phillip Hunt
@independentid
phil.hunt@independentid.com
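Phillip's rule above (an extension's schema URI is listed exactly when that extension's attributes are present) and the three shapes Chad asks about, as an added example that is not part of either message: a small Python checker that flags the two inconsistent shapes, plus a normalizer that produces the consistent one. The sample resources are constructed here, trimmed from Chad's; `employeeNumber` is an Enterprise User extension attribute, but its value is made up.

```python
from typing import Any

# Schema URIs from the thread (RFC 7643 core User and Enterprise User extension).
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCHEMA_PREFIX = "urn:ietf:params:scim:schemas:"

def extension_keys(resource: dict[str, Any]) -> set[str]:
    """Top-level keys that are schema URIs, i.e. extension sub-objects."""
    return {k for k in resource if k.startswith(SCHEMA_PREFIX)}

def check_schemas(resource: dict[str, Any]) -> list[str]:
    """Return consistency problems (empty list means consistent).
    Rule: a schema URI is listed in "schemas" iff its attributes are present."""
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or not schemas:
        return ['"schemas" must be a non-empty array']
    issues = [] if CORE_USER in schemas else [f"missing core schema {CORE_USER}"]
    listed, present = set(schemas) - {CORE_USER}, extension_keys(resource)
    for uri in sorted(present - listed):
        issues.append(f"extension object {uri} present but not listed in schemas")
    for uri in sorted(listed - present):
        issues.append(f"schema {uri} listed but no extension object present")
    for uri in sorted(present):
        if not resource[uri]:  # {} carries no attributes, so nothing to parse
            issues.append(f"extension object {uri} is empty; omit it and its URI")
    return issues

def normalize(resource: dict[str, Any]) -> dict[str, Any]:
    """Drop empty extension objects and rebuild "schemas" from what is present."""
    out = {k: v for k, v in resource.items()
           if not (k.startswith(SCHEMA_PREFIX) and not v)}
    out["schemas"] = [CORE_USER] + sorted(extension_keys(out))
    return out

# Constructed samples, trimmed from the three shapes in Chad's question.
BASE = {"id": "2819c223-7f76-453a-919d-413861904646", "userName": "bjensen@example.com"}
NO_VALUES = {"schemas": [CORE_USER], **BASE}
SCHEMA_NO_OBJECT = {"schemas": [CORE_USER, ENTERPRISE_USER], **BASE}
EMPTY_OBJECT = {"schemas": [CORE_USER, ENTERPRISE_USER], **BASE, ENTERPRISE_USER: {}}
WITH_VALUES = {"schemas": [CORE_USER, ENTERPRISE_USER], **BASE,
               ENTERPRISE_USER: {"employeeNumber": "E-0001"}}  # value made up

if __name__ == "__main__":
    for name, r in [("no values", NO_VALUES), ("schema but no object", SCHEMA_NO_OBJECT),
                    ("empty object", EMPTY_OBJECT), ("with values", WITH_VALUES)]:
        print(f"{name}: {check_schemas(r) or 'consistent'}")
    print(normalize(EMPTY_OBJECT))
```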

> On Oct 21, 2022, at 9:50 AM, Chad Vincent <chad.vincent@crashplan.com> wrote:
> 
> If I could get clarification on this from an official source, it would be most helpful.
> 
> A Service Provider responding to a SCIM request has a User with none of the fields in the Enterprise Extension set.  Based on RFC 7643 Section 3, the "schemas" attribute is "used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure."  As there are no Enterprise Extension attributes present, the extension schema urn would not be included.  However, later in the same paragraph it says that it, "MUST include a non-empty array with value(s) of the URIs supported (emphasis mine) by that representation."
> 
> Section 3.3 is likewise not helpful in clarifying, as I am reading "Each value in the "schemas" attribute indicates additive schema that MAY exist in a SCIM resource representation." as being indicative of the particular representation/response, not the service provider as a whole.  And in Section 6 it says that including the extensions in the Resource Type schema is optional.
> 
> This comes up because we've identified an Identity Provider that will not add the extension and its attributes if the extension isn't already in the user when performing a GET.  It will, however, include the extension on net-new user creation or update it if already present.  Okta and Azure have no issue with seeing a User object without the Enterprise Extension and then adding one if they want to set one of those fields.  The library we're using likewise doesn't include the schema if it's not present in the User.  This has us reviewing our interpretation of the specification.
> 
> So for a SCIM response where all the fields in an extension do not exist, is it correct to send just the root schema, include the extension schema in the "schemas" attribute, or include the extension schema in the "schemas" attribute and an empty extension attribute/object?
> 
> Sample objects:
> 
> -- No values --
> {
>   "schemas":
>     ["urn:ietf:params:scim:schemas:core:2.0:User"],
>   "id": "2819c223-7f76-453a-919d-413861904646",
>   "externalId": "701984",
>   "userName": "bjensen@example.com",
>   "emails": [
>     {
>       "value": "bjensen@example.com",
>       "type": "work",
>       "primary": true
>     }
>   ],
>   "userType": "Employee",
>   "title": "Tour Guide",
>   "active":true,
>   "meta": {
>     "resourceType": "User",
>     "created": "2010-01-23T04:56:22Z",
>     "lastModified": "2011-05-13T04:42:34Z",
>     "version": "W\/\"3694e05e9dff591\"",
>     "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
>   }
> }
> 
> -- Schema but no Object --
> {
>   "schemas":
>     ["urn:ietf:params:scim:schemas:core:2.0:User",
>       "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
>   "id": "2819c223-7f76-453a-919d-413861904646",
>   "externalId": "701984",
>   "userName": "bjensen@example.com",
>   "emails": [
>     {
>       "value": "bjensen@example.com",
>       "type": "work",
>       "primary": true
>     }
>   ],
>   "userType": "Employee",
>   "title": "Tour Guide",
>   "active":true,
>   "meta": {
>     "resourceType": "User",
>     "created": "2010-01-23T04:56:22Z",
>     "lastModified": "2011-05-13T04:42:34Z",
>     "version": "W\/\"3694e05e9dff591\"",
>     "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
>   }
> }
> 
> -- Empty object present --
> {
>   "schemas":
>     ["urn:ietf:params:scim:schemas:core:2.0:User",
>       "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
>   "id": "2819c223-7f76-453a-919d-413861904646",
>   "externalId": "701984",
>   "userName": "bjensen@example.com",
>   "emails": [
>     {
>       "value": "bjensen@example.com",
>       "type": "work",
>       "primary": true
>     }
>   ],
>   "userType": "Employee",
>   "title": "Tour Guide",
>   "active":true,
>   "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {},
>   "meta": {
>     "resourceType": "User",
>     "created": "2010-01-23T04:56:22Z",
>     "lastModified": "2011-05-13T04:42:34Z",
>     "version": "W\/\"3694e05e9dff591\"",
>     "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
>   }
> }
> 
> -- 
> Chad Vincent (he/him) | Software Engineer, Senior - CrashPlan
> chad.vincent@crashplan.com
> 400 S 4th St Suite 410 PMB 31083 Minneapolis, MN 55415-1419
> 
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim