search

Captain-P-Goldfish / SCIM-SDK

a scim implementation as described in RFC7643 and RFC7644
https://github.com/Captain-P-Goldfish/SCIM/wiki
BSD 3-Clause "New" or "Revised" License
122 stars 38 forks source link

AuthenticationScheme primary attribute is not returned when /ServiceProviderConfig is called #748

Closed Afira-Zahari-i2 closed 1 month ago

Afira-Zahari-i2 commented 1 month ago

My service provider builder has the following AuthenticationScheme

   final AuthenticationScheme authScheme =
       AuthenticationScheme.builder()
           .name("Bearer")
           .description("Authentication scheme using the OAuth Bearer Token Standard")
           .specUri("http://www.rfc-editor.org/info/rfc6750")
           .primary(true) // This field is not returned
           .type("oauthbearertoken")
           .build();

When I call the /ServiceProviderConfig endpoint, the response is missing the primary attribute

   "authenticationSchemes": [
       {
           "name": "Bearer",
           "description": "Authentication scheme using the OAuth Bearer Token Standard",
           "specUri": "http://www.rfc-editor.org/info/rfc6750",
           "type": "oauthbearertoken"
       }
   ],
Colvin-Cowie-i2 commented 1 month ago

Ah, I think our confusion also stems from https://datatracker.ietf.org/doc/html/rfc7643#section-8.5 including this example (though it is non-normative). I agree that the specification of authenticationSchemes itself doesn't mention primary, and it also doesn't make much sense to have a primary auth method.

    "authenticationSchemes": [
      {
        "name": "OAuth Bearer Token",
        "description":
          "Authentication scheme using the OAuth Bearer Token Standard",
        "specUri": "http://www.rfc-editor.org/info/rfc6750",
        "documentationUri": "http://example.com/help/oauth.html",
        "type": "oauthbearertoken",
        "primary": true
      }, 
     {
        "name": "HTTP Basic",
        "description":
          "Authentication scheme using the HTTP Basic Standard",
        "specUri": "http://www.rfc-editor.org/info/rfc2617",
        "documentationUri": "http://example.com/help/httpBasic.html",
        "type": "httpbasic"
       }
    ],
Captain-P-Goldfish commented 1 month ago

Sorry. I checked again and you are right. I am currently fixing it :-)

Colvin-Cowie-i2 commented 1 month ago

Oh, I do find the this spec quite ambiguous. https://datatracker.ietf.org/doc/html/rfc7643#section-2.4 says for Multi-Valued Attributes If not otherwise defined, the default set of sub-attributes for a multi-valued attribute is as follows [...] primary

But the definition of authenticationSchemes does define the sub-attributes explicitly, so then that does mean that those defaults don't apply, doesn't it? 🤷

Captain-P-Goldfish commented 1 month ago

The examples below also show the primary-attribute in the JSON structure and I also think that the primary-attribute does make sense in the authentication schemes. So it is absolutely justified to add it here.