[scim] Extension Clarification Request

Chad Vincent <chad.vincent@crashplan.com> Fri, 21 October 2022 16:51 UTC

From: Chad Vincent <chad.vincent@crashplan.com>
Date: Fri, 21 Oct 2022 11:50:59 -0500
Message-ID: <CAKXu=h_4LR-VXiEozAA2OwSX-E==7NLcD4oVU1DKngyUfSGoGQ@mail.gmail.com>
To: scim@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/zX-Gq_C_w-mTmG-HD4HInscYbFI>

If I could get clarification on this from an official source, it would be
most helpful.

A Service Provider responding to a SCIM request has a User with none of the
fields in the Enterprise Extension set.  Based on RFC 7643 Section 3, the
"schemas" attribute is "used to indicate the namespaces of the SCIM schemas
that define the attributes present in the current JSON structure."  As
there are no Enterprise Extension attributes present, the extension schema
urn would not be included.  However, later in the same paragraph it says
that it, "MUST include a non-empty array with value(s) of the URIs
*supported* (emphasis mine) by that representation."

Section 3.3 is likewise not helpful in clarifying, as I am reading "Each
value in the "schemas" attribute indicates additive schema that MAY exist
in a SCIM resource representation." as being indicative of the particular
representation/response, not the service provider as a whole.  And in
Section 6 it says that including the extensions in the Resource Type schema
is optional.

This comes up because we've identified an Identity Provider that will not
add the extension and its attributes if the extension isn't already in the
user when performing a GET.  It will, however, include the extension on
net-new user creation or update it if already present.  Okta and Azure have
no issue with seeing a User object without the Enterprise Extension and
then adding one if they want to set one of those fields.  The library we're
using likewise doesn't include the schema if it's not present in the User.
This has us reviewing our interpretation of the specification.

So for a SCIM response where all the fields in an extension do not exist,
is it correct to send just the root schema, include the extension schema in
the "schemas" attribute, or include the extension schema in the "schemas"
attribute *and* an empty extension attribute/object?

Sample objects:

-- No values --
{
  "schemas":
    ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "701984",
  "userName": "bjensen@example.com",
  "emails": [
    {
      "value": "bjensen@example.com",
      "type": "work",
      "primary": true
    }
  ],
  "userType": "Employee",
  "title": "Tour Guide",
  "active":true,
  "meta": {
    "resourceType": "User",
    "created": "2010-01-23T04:56:22Z",
    "lastModified": "2011-05-13T04:42:34Z",
    "version": "W\/\"3694e05e9dff591\"",
    "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
  }
}

-- Schema but no Object --
{
  "schemas":
    ["urn:ietf:params:scim:schemas:core:2.0:User",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "701984",
  "userName": "bjensen@example.com",
  "emails": [
    {
      "value": "bjensen@example.com",
      "type": "work",
      "primary": true
    }
  ],
  "userType": "Employee",
  "title": "Tour Guide",
  "active":true,
  "meta": {
    "resourceType": "User",
    "created": "2010-01-23T04:56:22Z",
    "lastModified": "2011-05-13T04:42:34Z",
    "version": "W\/\"3694e05e9dff591\"",
    "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
  }
}

-- Empty object present --
{
  "schemas":
    ["urn:ietf:params:scim:schemas:core:2.0:User",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "701984",
  "userName": "bjensen@example.com",
  "emails": [
    {
      "value": "bjensen@example.com",
      "type": "work",
      "primary": true
    }
  ],
  "userType": "Employee",
  "title": "Tour Guide",
  "active":true,
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {},
  "meta": {
    "resourceType": "User",
    "created": "2010-01-23T04:56:22Z",
    "lastModified": "2011-05-13T04:42:34Z",
    "version": "W\/\"3694e05e9dff591\"",
    "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
  }
}

-- 

Chad Vincent (he/him) | Software Engineer, Senior - CrashPlan

chad.vincent@crashplan.com

400 S 4th St Suite 410 PMB 31083 Minneapolis, MN 55415-1419
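Added example (not part of the message above, nor from any SCIM library): a small Python checker that classifies which of the three shapes from the question a User resource uses, and separates the one case RFC 7643 Section 3 rules out (extension attributes present without their URN in "schemas") from the three shapes the question leaves open, which it only reports as notes. The sample resources are constructed inline; the fourth "undeclared" shape is an assumed extra case not shown in the message.

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

def classify_extension(resource, ext_urn):
    """Describe how one extension URN appears in a parsed SCIM resource.

    Returns "absent", "declared_only" (URN in "schemas", no object),
    "declared_empty" (URN plus an empty object), "declared_with_values",
    or "undeclared" (object present but URN missing from "schemas").
    """
    declared = ext_urn in resource.get("schemas", [])
    ext_obj = resource.get(ext_urn)
    if ext_obj is None:
        return "declared_only" if declared else "absent"
    if not declared:
        return "undeclared"
    return "declared_with_values" if ext_obj else "declared_empty"

def check_schemas(resource):
    """Return (errors, notes) for a resource's use of the "schemas" attribute.

    Errors cover what RFC 7643 Section 3 states outright: "schemas" is a
    non-empty array naming the namespaces of the attributes present.
    Notes flag the declared-but-absent and declared-but-empty shapes so a
    reviewer can see which one a provider emitted; they are not errors here.
    """
    errors, notes = [], []
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or not schemas:
        errors.append('"schemas" must be a non-empty array')
        schemas = []
    # Extension attributes live at the top level, keyed by their URN.
    for urn in (k for k in resource if k.startswith("urn:")):
        if urn not in schemas:
            errors.append(f"{urn} attributes present but URN not in schemas")
    for urn in schemas:
        if urn == CORE_USER:
            continue
        if urn not in resource:
            notes.append(f"{urn} declared in schemas with no extension object")
        elif resource[urn] == {}:
            notes.append(f"{urn} declared with an empty extension object")
    return errors, notes

# Constructed samples mirroring the three shapes in the message above.
BASE = {"id": "2819c223-7f76-453a-919d-413861904646",
        "userName": "bjensen@example.com", "active": True}

def sample(kind):
    r = dict(BASE, schemas=[CORE_USER])
    if kind != "no_values":
        r["schemas"].append(ENTERPRISE_USER)
    if kind == "empty_object":
        r[ENTERPRISE_USER] = {}
    if kind == "undeclared":  # assumed extra case: object without its URN
        r["schemas"] = [CORE_USER]
        r[ENTERPRISE_USER] = {"department": "Tour Operations"}
    return r
```

Running `check_schemas` over a provider's GET responses before wiring up an Identity Provider makes the shape it emits explicit, rather than discovering it when the IdP silently skips the extension.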