IETF Logo Mail Archive

Re: [scim] [External Sender] Re: Error extensibility in SCIM - meeting follow up

"Sehgal, Anjali" <anjalisg@amazon.com> Thu, 25 January 2024 18:43 UTC

Return-Path: <prvs=7479972b9=anjalisg@amazon.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78C0CC14F68E for <scim@ietfa.amsl.com>; Thu, 25 Jan 2024 10:43:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.002
X-Spam-Level:
X-Spam-Status: No, score=-7.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yY0WryakweG4 for <scim@ietfa.amsl.com>; Thu, 25 Jan 2024 10:43:03 -0800 (PST)
Received: from smtp-fw-9102.amazon.com (smtp-fw-9102.amazon.com [207.171.184.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C6D6C14F682 for <scim@ietf.org>; Thu, 25 Jan 2024 10:43:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1706208183; x=1737744183; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=S/LdI4JjG1pNXskgR5Z07mnzxQHP451PZTNPysq/C/Q=; b=hXv8K81cjo2iWJGnxhgBdStQlWbYyNaDMm89fIrNYlUuYkrBckh7hEQb BaGqBzVuVk07nBwBR+kzsGgvVehs4r1iPlXlZRrMm+/qu+UMoHhjSG1qU vK/Fe2VzLsKiXSgEyi7L8nRAD1t59gcxfEu6smp9Frd9SD3qCWWkOxmZe 4=;
X-IronPort-AV: E=Sophos;i="6.05,216,1701129600"; d="scan'208,217";a="392526342"
Thread-Topic: [scim] [External Sender] Re: Error extensibility in SCIM - meeting follow up
Received: from pdx4-co-svc-p1-lb2-vlan3.amazon.com (HELO email-inbound-relay-pdx-2a-m6i4x-1cca8d67.us-west-2.amazon.com) ([10.25.36.214]) by smtp-border-fw-9102.sea19.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2024 18:43:03 +0000
Received: from smtpout.prod.us-east-1.prod.farcaster.email.amazon.dev (pdx2-ws-svc-p26-lb5-vlan3.pdx.amazon.com [10.39.38.70]) by email-inbound-relay-pdx-2a-m6i4x-1cca8d67.us-west-2.amazon.com (Postfix) with ESMTPS id 5C8BA8076E; Thu, 25 Jan 2024 18:43:02 +0000 (UTC)
Received: from EX19MTAUEA001.ant.amazon.com [10.0.0.204:61328] by smtpin.naws.us-east-1.prod.farcaster.email.amazon.dev [10.0.32.35:2525] with esmtp (Farcaster) id ea58c3c3-e3f6-4790-b67a-aa0f51c60341; Thu, 25 Jan 2024 18:43:01 +0000 (UTC)
X-Farcaster-Flow-ID: ea58c3c3-e3f6-4790-b67a-aa0f51c60341
Received: from EX19D014UEA004.ant.amazon.com (10.252.134.202) by EX19MTAUEA001.ant.amazon.com (10.252.134.203) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40; Thu, 25 Jan 2024 18:43:01 +0000
Received: from EX19D014UEA003.ant.amazon.com (10.252.134.168) by EX19D014UEA004.ant.amazon.com (10.252.134.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1118.40; Thu, 25 Jan 2024 18:43:01 +0000
Received: from EX19D014UEA003.ant.amazon.com ([fe80::e4e7:1c85:21fb:5422]) by EX19D014UEA003.ant.amazon.com ([fe80::e4e7:1c85:21fb:5422%3]) with mapi id 15.02.1118.040; Thu, 25 Jan 2024 18:43:01 +0000
From: "Sehgal, Anjali" <anjalisg@amazon.com>
To: Jennifer Schreiber <jennifer.winer=40workday.com@dmarc.ietf.org>, Phillip Hunt <phil.hunt@independentid.com>
CC: "scim@ietf.org" <scim@ietf.org>
Thread-Index: AQHaT7xvwdSFum68b0aP65zprMRadrDqiVkA
Date: Thu, 25 Jan 2024 18:43:01 +0000
Message-ID: <DEE370CC-F84A-485D-BFC0-B69079FE7748@amazon.com>
References: <CY4PR06MB34132DAEE819AB18D45EC76996722@CY4PR06MB3413.namprd06.prod.outlook.com> <F7CB06C8-F9E7-48DC-9BD7-6F13FC3EF779@independentid.com> <CY4PR06MB34133336A19829AB8EF4BF05967A2@CY4PR06MB3413.namprd06.prod.outlook.com>
In-Reply-To: <CY4PR06MB34133336A19829AB8EF4BF05967A2@CY4PR06MB3413.namprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.252.135.210]
Content-Type: multipart/alternative; boundary="_000_DEE370CCF84A485DBFC0B69079FE7748amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/z0EYaoRt3OKEMqxjVoECHiwTn80>
Subject: Re: [scim] [External Sender] Re: Error extensibility in SCIM - meeting follow up
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jan 2024 18:43:07 -0000

Just to add on to that discussion,

I want to understand what’s the view on Error Schema Extensions.
Suppose a SCIM server wants to improve on error messages returned how should they go about it?

  1.  Update the description with new error? This can break existing SCIM clients who may have built some logic around the text returned.
  2.  Release a new API version?
  3.  Add a schema extension and allow SCIM clients to gradually transfer to using the extended error schema description field?

If there are any other mechanisms, please feel free to add.

Thanks
Anjali.

From: scim <scim-bounces@ietf.org> on behalf of Jennifer Schreiber <jennifer.winer=40workday.com@dmarc.ietf.org>
Date: Thursday, January 25, 2024 at 1:29 PM
To: Phillip Hunt <phil.hunt@independentid.com>
Cc: "scim@ietf.org" <scim@ietf.org>
Subject: RE: [EXTERNAL] [COURRIEL EXTERNE] [scim] [External Sender] Re: Error extensibility in SCIM - meeting follow up


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que le contenu ne présente aucun risque.


Hi Phil – no prob.

This makes sense theoretically. I still have two use case:

  *   A support tech would use an errorCode or additional error details (such as a timestamp, correlation id, longform error detail etc.) to communicate with the SCIM server support human to debug.
  *   A SCIM client may want metrics on the errors often occurring for their requests where SCIM detail would be too granular.

I am mostly finding that the current SCIM error message is too vague, making challenging for the SCIM client to easily (machine or human) debug what is going on with their failed requests. We’ve had to rely on concatenating the error detail to put more relevant information into the response which is less than ideal.



From: Phillip Hunt <phil.hunt@independentid.com>
Date: Monday, January 22, 2024 at 2:52 PM
To: Jennifer Schreiber <jennifer.winer@workday.com>
Cc: scim@ietf.org <scim@ietf.org>
Subject: [External Sender] Re: [scim] Error extensibility in SCIM - meeting follow up
Jennifer,

Sorry for not getting back to this sooner. This is important.

First, I will just zero in on your example (this may not answer your question about extending errors):

In SCIM, the expected behavior is to ignore read-only attribute updates in most cases. The best description of this is probably within the SCIM PUT.  The intent was that a relatively simply client (eg. javascript) could do a GET, change a value, and then do PUT to put the reosurce back. The value of PUT was to avoid having to pay attention to mutability.

The mutability error does apply to PATCH when the intent by the client is to “target" a read-only attribute.

With that said, if a client (or more likely a support tech) wants to know why an attribute isn’t updating, the schema endpoint is supposed to report the actual mutability.

==> the reason this was done was that the collective experience of the WG at the time was that X.500 and LDAP were far too fragile by throwing errors on everything didn’t line up perfectly.  The consensus at the time was to follow Postel’s Law (aka the Robustness Principle), which boiled down meant that SCIM servers should accept requests that are understood (but not perfect), and the client must accept the response (disclosure:  I understand many in the IETF have ‘moved on’ from favouring ‘robustness'.

This use case is an example where this robustness plays out. A client doing a PUT has a bunch of attriibutes that can’t be modified but one or two that can. The server accepts the requests and updates the modified fields.  The final state is returned to the client which tells the client what was actually accepted.

—> In this way SCIM avoids the need for a lot of complex signalling and error reporting.

Let me know if this answers your question.  Or did you still have another use case for a detailed error?

Phil
phil.hunt@independentid.com





On Jan 17, 2024, at 8:29 AM, Jennifer Schreiber <jennifer.winer=40workday.com@dmarc.ietf.org> wrote:

Thanks everyone for a great discussion yesterday at the meeting. We discussed error handling as relevant to scim events draft and RFC 7644.

Mainly, the big question that came up:
Is there any extensibility method for the error messages ("urn:ietf:params:scim:api:messages:2.0:Error"), similar to Section 3.3 of RFC 7643<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/rfc7643*section-3.3__;Iw!!Iz9xO38YGHZK!6D6SrM5Foas-icEjP3y9gveFMQZmfYweHP_NT89JpkM3IiHNprSv_u1objVF30Hks_nADJD9soHVSaKjusq67NXECuUiPg$>? Can error messages, as well as the other scim messages defined in Section 8.2 of RFC 7644<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/rfc7644*section-8.2__;Iw!!Iz9xO38YGHZK!6D6SrM5Foas-icEjP3y9gveFMQZmfYweHP_NT89JpkM3IiHNprSv_u1objVF30Hks_nADJD9soHVSaKjusq67NUEork4lw$> be extended?

Section 3.12 of RFC 7644<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/rfc7644*section-3.12__;Iw!!Iz9xO38YGHZK!6D6SrM5Foas-icEjP3y9gveFMQZmfYweHP_NT89JpkM3IiHNprSv_u1objVF30Hks_nADJD9soHVSaKjusq67NU-hbJA7w$> is a bit vague about the matter.

This came up for my internally, as the error message is not meeting my implementation needs. We're requiring an additional field, errorCode. Anjali also mentioned the need for an jsonPath field.

During the meeting, we talked through a couple ideas (that I will review in the next meeting) such as below, but we kept coming back to the same extensibility question. I wanted to open up the discussion here prior to the meeting.

```
   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error", "urn:ietf:params:scim:api:extension:messages:2.0:AdvancedError"],
     "scimType":"mutability"
     "detail":"Attribute 'id' is readOnly",
     "status": "400"
     "urn:ietf:params:scim:api:extension:messages:2.0:AdvancedError": {
         "errorCode": "ABC-1235"
     }
   }
```

Thanks,
Jen
_______________________________________________
scim mailing list
scim@ietf.org<mailto:scim@ietf.org>
https://www.ietf.org/mailman/listinfo/scim<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/scim__;!!Iz9xO38YGHZK!6D6SrM5Foas-icEjP3y9gveFMQZmfYweHP_NT89JpkM3IiHNprSv_u1objVF30Hks_nADJD9soHVSaKjusq67NUjA2dxdw$>

v2.23.0 | Report a Bug | By Email