[scim] Thoughts on the SCIM Cursor Based Pagination draft

"Saxe, Dean" <deansaxe@amazon.com> Mon, 05 December 2022 21:25 UTC

From: "Saxe, Dean" <deansaxe@amazon.com>
To: "scim@ietf.org" <scim@ietf.org>
Date: Mon, 05 Dec 2022 21:25:47 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/toMYTWRLIlRwxesX2Sj_R8Czkj0>

Since IETF115 last month, I have had multiple conversations regarding the need for a cursor-based pagination mechanism in SCIM. The discussions were driven by the challenges of using index-based pagination mechanisms with large data sets. Through this work it has become clear to me that cursor-based pagination is a significant improvement over the existing index-based mechanism. This is specifically called out in draft-peterson-scim-cursor-pagination-01<https://datatracker.ietf.org/doc/draft-peterson-scim-cursor-pagination/>: “Translating from an underlying cursor-based pagination pattern to the index-based pagination defined in Section of [RFC7644] ultimately requires the SCIM service provider to fully iterate the underlying cursor, store the results, and then serve indexed pages from the stored results. This task of "pagination translation" dramatically increases complexity and memory requirements for implementing a SCIM Service Provider, and may be an impediment to SCIM adoption for some applications and identity systems.”

Beyond the implementation challenges posed by index-based pagination, cursor-based pagination addresses the need for strong read consistency in SCIM.  Further, this gap is addressed in the draft by building upon the existing primitives in the SCIM RFCs using RESTful APIs. The draft does not require existing servers or clients to change their implementation if the current patterns are sufficient. Servers that choose to enable cursor-based pagination may continue to support an index-based method. Importantly, the changes required in SCIM clients to enable support for the proposed cursor-based pagination are narrowly scoped.

Recognizing that there is also support for an event-based model as proposed in draft-ietf-scim-events-00<https://datatracker.ietf.org/doc/draft-ietf-scim-events/00/>, I want to be careful not to frame the discussion as an either-or proposition. None of the proposed changes for cursor-based pagination detract from the proposed event-driven model. Instead, both models may be used by implementers, if necessary to meet the implementers’ use cases.

Based on this, I propose that the working group focuses on adopting the Internet-Draft for cursor-based pagination to meet the industry’s immediate needs with minimal protocol changes, while continuing to develop the event-based draft.

I invite other working group members to add their thoughts, as well.


Dean H. Saxe, CIDPRO<https://idpro.org/cidpro/> (he/him)
Senior Security Engineer, AWS Identity Trust Team | Amazon Web Services (AWS)
E: deansaxe@amazon.com<mailto:deansaxe@amazon.com> | M: 206-659-7293<tel:206-659-7293>
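
The "pagination translation" cost quoted in the message above, shown as an added example that is not part of the original message or of either draft: a service provider whose backend can only be read through a cursor serves the same first page once through RFC 7644 `startIndex`/`count` and once by passing the cursor through. `CursorStore`, its offset-based cursor token, `IndexTranslator` and the user ids are constructed for illustration; `nextCursor` is the response field named in the cursor-pagination draft.

```python
"""Pagination translation vs. cursor pass-through over a cursor-only backend (constructed demo)."""

class CursorStore:
    """Hypothetical identity store that can only be read through an opaque cursor."""
    def __init__(self, n):
        self._ids = [f"user{i:05d}" for i in range(n)]   # constructed sample data
        self.rows_read = 0

    def fetch(self, cursor=None, limit=100):
        start = int(cursor) if cursor else 0             # token is an offset only in this demo
        rows = self._ids[start:start + limit]
        self.rows_read += len(rows)
        end = start + len(rows)
        return rows, (str(end) if end < len(self._ids) else None)

class IndexTranslator:
    """Serves RFC 7644 startIndex/count pages by draining and storing the whole cursor."""
    def __init__(self, store):
        self.store, self.snapshot = store, None

    def page(self, start_index, count):
        if self.snapshot is None:                        # first request pays for everything
            self.snapshot, cursor = [], None
            while True:
                rows, cursor = self.store.fetch(cursor)
                self.snapshot.extend(rows)
                if cursor is None:
                    break
        res = self.snapshot[start_index - 1:start_index - 1 + count]  # startIndex is 1-based
        return {"totalResults": len(self.snapshot), "startIndex": start_index,
                "itemsPerPage": len(res), "Resources": res}

def cursor_page(store, cursor, count):
    """Cursor pass-through: the provider holds one page and hands the token back."""
    rows, nxt = store.fetch(cursor, count)
    resp = {"itemsPerPage": len(rows), "Resources": rows}
    if nxt is not None:
        resp["nextCursor"] = nxt
    return resp

def compare(n=10_000, count=50):
    a, b = CursorStore(n), CursorStore(n)
    translator = IndexTranslator(a)
    idx_first, cur_first = translator.page(1, count), cursor_page(b, None, count)
    return {"same_first_page": idx_first["Resources"] == cur_first["Resources"],
            "index_rows_read": a.rows_read, "index_rows_held": len(translator.snapshot),
            "cursor_rows_read": b.rows_read, "cursor_rows_held": len(cur_first["Resources"])}

if __name__ == "__main__":
    print(compare())
```

Both paths return the same first page; the translator has read and retained every row in the store to produce it, while the pass-through has touched only `count` rows.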