
GET /Users returns 403 instead of 200 when using filters using multiple conditions and dashes

Open LazaroOnline opened this issue 3 years ago • 3 comments

Performing a GET operation on /Users using a "filter" with 2 conditions, in which the first condition passes for some users and the second condition contains a dash character, makes the request return error 403 Forbidden instead of the expected 200 response containing the matching users.

Filter example: userName sw "user" and userName ew "-us"
To reproduce it, it seems that you need to have users that pass the first condition (starting with "user" in the example above); whether the second condition passes does not matter, just having the dash at the beginning of the string used to filter makes it fail. Also notice that if you remove the first filter, it works normally.

Example of curl request:

curl -X GET "https://company.com/scim/Users?filter=%20userName%20sw%20%22user%22%20and%20userName%20ew%20%22urname%22%20" -H "accept: */*" -H "Authorization: Bearer ..."

LazaroOnline, Sep 12 '22 10:09
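As an added example that is not part of this issue or of SimpleIdServer's code, here is a minimal Python evaluator for the RFC 7644 filter subset used in the report, run over a constructed in-memory user list; it shows the expected behaviour, that a quoted literal starting with a dash such as "-us" is plain data and that the filter above simply selects the matching users.

```python
import re
# Added example, not SimpleIdServer code: an evaluator for the RFC 7644 filter subset
# used in this issue (eq/co/sw/ew, and/or, parentheses). Quoted values stay opaque.
_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([()])|([A-Za-z][\w.:-]*))')
_OPS = {  # SCIM string matching is case-insensitive unless the attribute is caseExact
    "eq": lambda a, v: a.lower() == v.lower(),
    "co": lambda a, v: v.lower() in a.lower(),
    "sw": lambda a, v: a.lower().startswith(v.lower()),
    "ew": lambda a, v: a.lower().endswith(v.lower()),
}

def tokenize(text):  # -> list of ("str", value) and ("word", token) pairs
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad filter near {text[pos:pos + 10]!r}")
        tokens.append(("str", m.group(1)) if m.group(1) is not None
                      else ("word", m.group(2) or m.group(3)))
        pos = m.end()
    return tokens

def parse(tokens):
    """Recursive descent (or > and > atom); returns a predicate over a user dict."""
    def chain(i, sub, word, combine):  # left-associative chain of `sub` joined by `word`
        left, i = sub(i)
        while i < len(tokens) and tokens[i] == ("word", word):
            right, i = sub(i + 1)
            left = combine(left, right)
        return left, i
    expr = lambda i: chain(i, term, "or", lambda l, r: lambda u: l(u) or r(u))
    term = lambda i: chain(i, atom, "and", lambda l, r: lambda u: l(u) and r(u))
    def atom(i):
        if tokens[i] == ("word", "("):
            inner, i = expr(i + 1)
            if i >= len(tokens) or tokens[i] != ("word", ")"):
                raise ValueError("missing ')'")
            return inner, i + 1
        (_, attr), (_, op), (kind, value) = tokens[i:i + 3]  # attr op "literal"
        if kind != "str" or op not in _OPS:
            raise ValueError(f"bad comparison on {attr!r}")
        return (lambda u: isinstance(u.get(attr), str) and _OPS[op](u[attr], value)), i + 3
    pred, i = expr(0)
    if i != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return pred

def search(users, filter_text):  # in-memory stand-in for GET /Users?filter=...
    pred = parse(tokenize(filter_text))
    return [u["userName"] for u in users if pred(u)]
USERS = [{"userName": "user-us"}, {"userName": "user-fr"}, {"userName": "admin-us"}]  # constructed
```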

Hello,

I tried to reproduce the bug with the latest version "2.0.17" but there is no error and the filter is properly working.

(screenshot: CURL)

Can you log and check the exception thrown by the library "Microsoft.AspNetCore.Authentication"? The HTTP status 403 is returned when the [AuthorizeAttribute] is failing. Change the LogLevel verbosity to "Information":

"Logging": {
  "LogLevel": {
    // ...
    "Microsoft.AspNetCore.Authentication": "Information"
  }
}

KR,

SID

simpleidserver, Sep 12 '22 11:09

@simpleidserver, I see in your screenshot that the result of that GET operation returned 0 results. In order to reproduce the error you need to have user data so that the filters are applied to that data; that's when it fails.

LazaroOnline, Sep 20 '22 02:09

I checked your scenario again using version "2.0.17", with authentication enabled and SQL Server as the store, and I obtained the expected result without any issue:

(screenshot)

Can you please check that the "Authentication" configuration is correct and whether you can find something in your logs?

simpleidserver, Sep 20 '22 11:09