IETF Logo Mail Archive

Re: [scim] Multi-Valued Attribute "Value" Requirement

Shelley <randomshelley@gmail.com> Tue, 10 May 2022 23:03 UTC

Return-Path: <randomshelley@gmail.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C869C14F74B for <scim@ietfa.amsl.com>; Tue, 10 May 2022 16:03:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 31EbcGatfGGo for <scim@ietfa.amsl.com>; Tue, 10 May 2022 16:03:48 -0700 (PDT)
Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B48EC14F740 for <scim@ietf.org>; Tue, 10 May 2022 16:03:48 -0700 (PDT)
Received: by mail-ej1-x62c.google.com with SMTP id gh6so787821ejb.0 for <scim@ietf.org>; Tue, 10 May 2022 16:03:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NQwPonby/H6wmkVpBs0pn0kJfNvUYJt2YLzYIIENNjE=; b=c+YPOwvEwNDRZQPYkIg0aoNGCUscJf+g/43YH12++tWBaTwl/sJVsbhjUTqj/CLND0 lnPv2MFRej4UTSVT8WOte12utCUThT6MMTUSQMuxbxGOrspi64A0VHPryeR71MIwvYjO mOiHQ4h3akfNaWmX+L7P4yePxoPLBVAbH1LgI1bWeDw9yC0+2y+b0jTU3jfYOYg9Gf5q uLRAizL675nfRwZvyMqg8qWa+SNvY9sJlvMyLXunJpn1A5IAZd7Y6zI3oEuSFycN/een fOVUw9Cy33aT4P/BT6wkPpBY31iKRwweEFg4ljfU64lVEDqA/KElMumsd6kq6YCZNYHv xrqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NQwPonby/H6wmkVpBs0pn0kJfNvUYJt2YLzYIIENNjE=; b=CFGRtuvbZZ0iQxYhkBw6M6pIwkwuQ19Knn4SNWxXR+WMWnEA8K3pXa+Yo1VoJ6CMZj +DAfP6Bw4PRQPOh1ELEzhYOk2RqbG7HW8RrWKiRuRwaLQn0Ixxlybi2Xleks0w9cLnvN 2aWNnqaNYQzduESRTBs+5Ad/qbiT3Fv288ajgGND/19T+XqTtV9R73gamtUhn153xd3K 3YZumLLERTFBkYAH/Yg8XaLxwhkY7o/J0rHCErF6I4LrncWZhpViK47jyVPwiNVCWQbv i93XnwuXH3jN4AJwCYQwwQVtHOIxZMW9q2vLopbrUv61opFoUQW76Gh9iG+BJaXrRueT vg/w==
X-Gm-Message-State: AOAM533tlIkKonnk0HZsFKUyt4bcl3mzIY5MK26gXg4/rgByuDd68+31 p0wleV3PO050SfUb9tcjFhqDVMEPAmGdEGf9J4V9PlXqmi0Ocg==
X-Google-Smtp-Source: ABdhPJxQ9oLJ8IBJpsCKjJz2dgUTmGT1Tw12x+vklzK+tsC6xwQlh65tVCVKulyYCHtLBT2GIAuuayuI08kJ4uOrYFA=
X-Received: by 2002:a17:907:6d1f:b0:6fc:309f:8363 with SMTP id sa31-20020a1709076d1f00b006fc309f8363mr5264824ejc.655.1652223825889; Tue, 10 May 2022 16:03:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAGUsYPzB2HGN7M--oof99BpCJYaEKL5w6fa-3SvAmM_v_Sbv+g@mail.gmail.com> <1CD92F57-E326-4720-8ED3-B161C15DF95B@independentid.com> <CAGUsYPz+VE-5DTxxVfxcr2O0zO4ZcMsxk2eZ3UVqa9NqXhtoig@mail.gmail.com> <23AC1401-D0C4-4337-9254-5F353406F363@independentid.com>
In-Reply-To: <23AC1401-D0C4-4337-9254-5F353406F363@independentid.com>
From: Shelley <randomshelley@gmail.com>
Date: Tue, 10 May 2022 18:03:34 -0500
Message-ID: <CAGUsYPwD_OW2jBcCeBUMeTrq2sB=71LGbQLSfgLaY1OoMcTw2w@mail.gmail.com>
To: Phillip Hunt <phil.hunt@independentid.com>
Cc: scim@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003b4e6d05deb05668"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/t1hKfsnouKxGamTHS5VOypPmAl4>
Subject: Re: [scim] Multi-Valued Attribute "Value" Requirement
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 May 2022 23:03:52 -0000

I *think *the SCIM client is intending to delete all phone numbers; they
only manage zero or one phone number, and when there is no phone number,
they send the "phoneNumbers" attribute with a single phone number object
that has no "value" subattribute.

"phoneNumbers": [
  {
    "value": null,
    "type": null
  }
]

Our implementation already does require the "value" subattribute for
multi-valued attributes, including "phoneNumbers", so we are failing fast
here, which is still my preference. However, the SCIM client is using the
SCIM core spec for their basis on allowing null "value" subattributes to be
sent since it doesn't explicitly require it (although we do). As such, with
their current implementation, they are unable to successfully send users
that have no phone numbers to us, which is why we were (reluctantly)
considering lifting this restriction.

If I'm understanding correctly, you agree that the client *should not *be
sending this data (although the spec is somewhat ambiguous in this regard)
and would advise SPs to require "value" subattributes to eliminate any
ambiguity in handling this scenario?


On Tue, May 10, 2022 at 5:43 PM Phillip Hunt <phil.hunt@independentid.com>
wrote:

> Shelley,
>
> This looks like the SCIM client has a serious bug and is failing to map
> the number correctly and is not intending to delete all values. As a
> service provider, to be careful, I would change the phoneNumbers value
> attribute schema to be required. This would cause the operation to fail. I
> think following the “null” or “empty set” rule might risk deleting data
> that was not intended.
>
> Phillip Hunt
> @independentid
> phil.hunt@independentid.com
>
>
>
>
> On May 10, 2022, at 1:30 PM, Shelley <randomshelley@gmail.com> wrote:
>
> Thanks for the feedback.
>
> *> Is the clients sending all of the numbers at once?  Or are these meant
>> as individual examples?  *
>>
>
> The client is not sending all of those values in a single "phoneNumbers"
> array; the example was just to illustrate several value-less "phoneNumbers"
> that SCIM implementations would need to handle, and to help provide
> different examples in case each may be interpreted differently.
>
> *> I would look to Section 3.3 (Create) and 3.5.1 (Put) and also 7643 Sec
>> 2.5, where “null” (or [] in the case of multi-values) means to override
>> existing or default values to assert them as null.  Doing so inside of a MV
>> attribute makes a little less sense. *
>>
>
> Correct, those sections don't really speak directly to sub-attributes. For
> reference, on a POST or PUT our implementation does accept any of the
> following, inline with the RFC:
>
>    - "phoneNumbers": null
>    - "phoneNumbers": []
>    - omission of the multi-valued attribute
>
> *> The ugliness of this example does show why making “value” as required
>> in phoneNumbers for the next iteration of 7643 might be a good idea.  :-)*
>>
>
> Is there somewhere that we can log this to keep track of this for
> inclusion in the next RFC?
>
> In the meantime, I'm still curious as to how other server implementations
> and clients handle this scenario. My first preference would be to continue
> requiring the "value" subattribute in these cases, but if we need to make
> changes for broader compatibility with such clients, I'm assuming we should
> just ignore the value-less multi-valued attributes? And/or are others
> actually persisting and returning these valueless objects (e.g. with just
> the "type"/"primary" subattributes)?
>
>
> On Tue, May 10, 2022 at 3:02 PM Phillip Hunt <phil.hunt@independentid.com>
> wrote:
>
>> Shelley,
>>
>> I would look to Section 3.3 (Create) and 3.5.1 (Put) and also 7643 Sec
>> 2.5, where “null” (or [] in the case of multi-values) means to override
>> existing or default values to assert them as null.  Doing so inside of a MV
>> attribute makes a little less sense.
>>
>> Is the clients sending all of the numbers at once?  Or are these meant as
>> individual examples?
>>
>> For a SCIM PUT operation, sending “phoneNumbers”: [],  or “phoneNumbers”:
>> [{}] would likely result in reseting the phoneNumbers value to unasserted
>> removing any existing values. In the case of create, it overrides any
>> default values that would otherwise be generated.   This is useful because
>> some servers might default work number to a company 1-800 number. Using
>> “null” allows clients to override to say no number for this person.
>>
>> The ugliness of this example does show why making “value” as required in
>> phoneNumbers for the next iteration of 7643 might be a good idea.  :-)
>>
>> Phillip Hunt
>> @independentid
>> phil.hunt@independentid.com
>>
>>
>>
>>
>> On May 10, 2022, at 12:41 PM, Shelley <randomshelley@gmail.com> wrote:
>>
>> How should a SCIM server implementation interpret and manage multi-valued
>> attributes that are sent without values?
>>
>> For example, if a SCIM client sends any of the following phone numbers:
>>
>> "phoneNumbers": [
>>   {},
>>   {
>>     "value": null
>>   },
>>   {
>>     "value": null,
>>     "type": null
>>   },
>>   {
>>     "value": null,
>>     "primary": true
>>   },
>>   {
>>     "type": "work",
>>     "primary": false
>>   }
>> ]
>>
>> Should the SCIM server accept, ignore, or reject some/all of these phone
>> numbers? The spec does not strictly require the "value", but it seems quite
>> ambiguous to send a phone number without a phone number, for example.
>>
>> In our SCIM 1.1 and 2.0 server implementations, we have marked the
>> "value" subattribute for all supported multi-valued attributes as
>> "required" in our schema, documentation, and functionality. After 11 years,
>> we have just now encountered a SCIM client that sends multi-valued
>> attributes without value subattributes, however, to which we return a 400
>> error. We have documented the "value" subattribute as required in the
>> schema we return from the "Schemas" endpoint:
>>
>> {
>>   "name": "value",
>>   "type": "string",
>>   "multiValued": false,
>>   "description": "The phone number.",
>>   "required": true,
>>   "caseExact": false,
>>   "mutability": "readWrite",
>>   "returned": "default",
>>   "uniqueness": "none"
>> }
>>
>> However, the SCIM specification does not explicitly require it in the
>> example schema nor in the RFC text.
>>
>> In my opinion, since the "value" is "the significant value", it *should*
>> be required for the multi-valued attributes that support it, and SCIM
>> clients should simply omit the object if there is no enclosed value.
>> Without a value, the object seems invalid/incomplete/ambiguous. In lieu of
>> that, is our next best bet just to completely ignore any valueless
>> multi-valued attributes, regardless of whether any other subattributes are
>> provided? How do other SCIM providers and consumers handle this?
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email