
[SCIM] Groups members are immutable

Open danflomin opened this issue 3 years ago • 1 comments

Hello,

I have a question regarding updating by PUT a group.

If I do the following then no exceptions occur and the display is not changed:

  1. Add a user
  2. Add a group
  3. Add user to group by PUT members: [{value: 'some-value', display: 'some-display'}]
  4. Update group members by PUT members: [{value: 'some-value', display: 'hello'}]

If I do the following then an exception occurs:

  1. Add 2 users
  2. Add a group
  3. Add users to group by PUT members: [{value: 'some-value', display: 'some-display'}, {value: 'some-other-value', display: 'some-other-display'}]
  4. Update group members by PUT members: [{value: 'some-value', display: 'hello'}, {value: 'some-other-value', display: 'some-other-display'}]

What is the reason for this? Does one of these cases indicate a bug?

Thanks

danflomin, Jul 10 '22 08:07

Hello,

Group endpoint

By default, the attribute members.display is not present in the urn:ietf:params:scim:schemas:core:2.0:Group SCIM schema. For more information, please refer to RFC 7643 (https://datatracker.ietf.org/doc/html/rfc7643). Therefore, when an HTTP PUT request is executed to assign a User to a Group, an exception is thrown because the attribute "members.display" doesn't exist in the SCIM schema.

User endpoint

When the following HTTP PUT request is sent, no exception is thrown because the attribute groups.display is present with the mutability READONLY (schema: urn:ietf:params:scim:schemas:core:2.0:User). Because of its mutability, its value cannot be updated.

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id":"2819c223-7f76-453a-919d-413861904646",
  "externalId":"dschrute",
  "name":{
    "formatted": "Mr. Dwight K Schrute, III",
    "familyName": "Schrute",
    "givenName": "Dwight",
    "middleName": "Kurt",
    "honorificPrefix": "Mr.",
    "honorificSuffix": "III"
  },
  "displayName": "displayName",
  "userName":"dschrute265",
  "groups": [
    {
      "value": "{{GUID}}",
      "display": "GROUP"
    }
  ]
}

In the SimpleIdServer implementation, the display property is updated when SCIMAttributeMappingRules are executed.

simpleidserver, Jul 10 '22 16:07
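
The distinction drawn in the answer above (a sub-attribute missing from the schema is rejected, a readOnly one is accepted but its value dropped), as an added example that is not part of the thread and not SimpleIdServer's code. The schema table is constructed from the answer's description with the mutability values of RFC 7643, and the function names are hypothetical.

```python
# Added example; schema table constructed from the answer's description, not SimpleIdServer code.
GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Sub-attribute -> mutability for the two multi-valued attributes discussed in the thread.
SCHEMAS = {
    GROUP: {"members": {"value": "immutable", "$ref": "immutable", "type": "immutable"}},
    USER: {"groups": {"value": "readOnly", "$ref": "readOnly",
                      "display": "readOnly", "type": "readOnly"}},
}


class ScimSchemaError(Exception):
    """A PUT body named a sub-attribute that the resource schema does not define."""


def filter_put_values(schema_urn, attribute, items):
    """Split client-supplied items into values to write and readOnly paths to ignore."""
    sub_attrs = SCHEMAS[schema_urn][attribute]
    writable, ignored = [], set()
    for item in items:
        kept = {}
        for name, value in item.items():
            if name not in sub_attrs:
                # Unknown to the schema: reject instead of storing unvalidated data.
                raise ScimSchemaError(f"{attribute}.{name} is not defined in {schema_urn}")
            if sub_attrs[name] == "readOnly":
                ignored.add(f"{attribute}.{name}")  # server-owned, client value dropped
            else:
                kept[name] = value
        if kept:
            writable.append(kept)
    return writable, sorted(ignored)


def put_outcome(schema_urn, attribute, items):
    """Summarise what a server applying these rules does with one PUT attribute."""
    try:
        writable, ignored = filter_put_values(schema_urn, attribute, items)
    except ScimSchemaError as exc:
        return {"outcome": "rejected", "detail": str(exc)}
    return {"outcome": "accepted", "written": writable, "ignored": ignored}


if __name__ == "__main__":
    print(put_outcome(GROUP, "members", [{"value": "some-value", "display": "hello"}]))
    print(put_outcome(USER, "groups", [{"value": "constructed-group-id", "display": "GROUP"}]))
```

Because every sub-attribute of groups is readOnly, nothing from the User PUT is written: membership changes only take effect through the Group resource.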