[scim] Extension Clarification Request
Chad Vincent <chad.vincent@crashplan.com> Fri, 21 October 2022 16:51 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/zX-Gq_C_w-mTmG-HD4HInscYbFI>
If I could get clarification on this from an official source, it would be most helpful.

A Service Provider responding to a SCIM request has a User with none of the fields in the Enterprise Extension set. Based on RFC 7643 Section 3, the "schemas" attribute is "used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure." As there are no Enterprise Extension attributes present, the extension schema urn would not be included. However, later in the same paragraph it says that it, "MUST include a non-empty array with value(s) of the URIs *supported* (emphasis mine) by that representation."

Section 3.3 is likewise not helpful in clarifying, as I am reading "Each value in the "schemas" attribute indicates additive schema that MAY exist in a SCIM resource representation." as being indicative of the particular representation/response, not the service provider as a whole. And in Section 6 it says that including the extensions in the Resource Type schema is optional.

This comes up because we've identified an Identity Provider that will not add the extension and its attributes if the extension isn't already in the user when performing a GET. It will, however, include the extension on net-new user creation or update it if already present. Okta and Azure have no issue with seeing a User object without the Enterprise Extension and then adding one if they want to set one of those fields. The library we're using likewise doesn't include the schema if it's not present in the User. This has us reviewing our interpretation of the specification.

So for a SCIM response where all the fields in an extension do not exist, is it correct to send just the root schema, include the extension schema in the "schemas" attribute, or include the extension schema in the "schemas" attribute *and* an empty extension attribute/object?
Sample objects:

-- No values --

    {
      "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
      "id": "2819c223-7f76-453a-919d-413861904646",
      "externalId": "701984",
      "userName": "bjensen@example.com",
      "emails": [
        {
          "value": "bjensen@example.com",
          "type": "work",
          "primary": true
        }
      ],
      "userType": "Employee",
      "title": "Tour Guide",
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2010-01-23T04:56:22Z",
        "lastModified": "2011-05-13T04:42:34Z",
        "version": "W\/\"3694e05e9dff591\"",
        "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
      }
    }

-- Schema but no Object --

    {
      "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
                  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
      "id": "2819c223-7f76-453a-919d-413861904646",
      "externalId": "701984",
      "userName": "bjensen@example.com",
      "emails": [
        {
          "value": "bjensen@example.com",
          "type": "work",
          "primary": true
        }
      ],
      "userType": "Employee",
      "title": "Tour Guide",
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2010-01-23T04:56:22Z",
        "lastModified": "2011-05-13T04:42:34Z",
        "version": "W\/\"3694e05e9dff591\"",
        "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
      }
    }

-- Empty object present --

    {
      "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
                  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
      "id": "2819c223-7f76-453a-919d-413861904646",
      "externalId": "701984",
      "userName": "bjensen@example.com",
      "emails": [
        {
          "value": "bjensen@example.com",
          "type": "work",
          "primary": true
        }
      ],
      "userType": "Employee",
      "title": "Tour Guide",
      "active": true,
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {},
      "meta": {
        "resourceType": "User",
        "created": "2010-01-23T04:56:22Z",
        "lastModified": "2011-05-13T04:42:34Z",
        "version": "W\/\"3694e05e9dff591\"",
        "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
      }
    }

--
Chad Vincent (he/him) | Software Engineer, Senior - CrashPlan
chad.vincent@crashplan.com
400 S 4th St Suite 410 PMB 31083
Minneapolis, MN 55415-1419
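
Added example, not part of the original message and not code from any product it names: a sketch of a provisioning client that treats the three sample representations as equivalent and builds the same RFC 7644 PatchOp for each, so the decision to write an Enterprise Extension attribute does not depend on how the service provider serialised an empty extension. The function names and the `department` value are assumptions; the sample users are constructed, trimmed copies of the objects in the message.

```python
import copy

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def extension_shape(resource, urn=ENT):
    """Name which of the message's representations a GET response uses."""
    declared = urn in resource.get("schemas", [])
    present = urn in resource
    if present and not declared:
        return "inconsistent"      # data without a matching "schemas" entry
    if not declared:
        return "no-values"         # core schema only
    if not present:
        return "schema-only"       # URN listed, no extension object
    return "populated" if resource[urn] else "empty-object"

def extension_values(resource, urn=ENT):
    """Normalised view: every empty shape reads as an empty dict."""
    return dict(resource.get(urn) or {})

def build_patch(resource, attr, value, urn=ENT):
    """PatchOp body that sets one extension attribute, or None if unchanged.

    The decision depends only on the current value, never on whether the
    server happened to advertise the extension in this representation.
    """
    if extension_values(resource, urn).get(attr) == value:
        return None
    return {
        "schemas": [PATCH_OP],
        "Operations": [{"op": "add", "path": f"{urn}:{attr}", "value": value}],
    }

# Constructed sample input: trimmed versions of the three objects above.
_base = {"schemas": [CORE], "id": "2819c223-7f76-453a-919d-413861904646",
         "userName": "bjensen@example.com"}
NO_VALUES = copy.deepcopy(_base)
SCHEMA_ONLY = {**copy.deepcopy(_base), "schemas": [CORE, ENT]}
EMPTY_OBJECT = {**SCHEMA_ONLY, ENT: {}}

if __name__ == "__main__":
    for user in (NO_VALUES, SCHEMA_ONLY, EMPTY_OBJECT):
        print(extension_shape(user), build_patch(user, "department", "Tours"))
```

The `inconsistent` result flags a response that carries extension data without listing its URN in "schemas", which is worth logging on the client side rather than silently accepting.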