Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License

Attribute named "pattern" in resource schema User under userName Attribute #84

Closed: manju754 closed this 5 months ago

manju754 commented 1 year ago

We are trying to integrate Keycloak with another SCIM provider, with Keycloak acting as the SCIM server and the other provider as the SCIM client. The SCIM client has users and groups which need to be provisioned to Keycloak as part of SCIM.

While establishing the connectivity between the other provider and Keycloak for SCIM provisioning, the other provider is failing with an invalid attribute named "pattern" in the resource schema User under the userName attribute.

I have pasted the sample userName definition for reference.

{
  "id": "urn:ietf:params:scim:schemas:core:2.0:User",
  "name": "User",
  "description": "User Account",
  "attributes": [
    {
      "name": "id",
      "type": "string",
      "multiValued": false,
      "description": "Unique identifier for the SCIM Resource as defined by the Service Provider.",
      "required": true,
      "caseExact": true,
      "mutability": "readOnly",
      "returned": "always",
      "uniqueness": "server"
    },
    {
      "name": "externalId",
      "type": "string",
      "multiValued": false,
      "description": "A String that is an identifier for the resource as defined by the provisioning client.The service provider MUST always interpret the externalId as scoped to the provisioning domain.",
      "required": false,
      "caseExact": true,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "none"
    },
    {
      "name": "userName",
      "type": "string",
      "multiValued": false,
      "description": "A service provider's unique identifier for the user, typically\nused by the user to directly authenticate to the service provider.Each User MUST include a non-empty userName value. This identifier\nMUST be unique across the service provider's entire set of Users.",
      "required": true,
      "caseExact": false,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "server",
      **"pattern": "^(?!\s$).+"**
    },
    ...

Is this a valid attribute in the SCIM resource schema User?

Does it adhere to RFC standards?

Can you shed some light on this?

Captain-P-Goldfish commented 1 year ago

This is actually not an attribute defined by SCIM. It is a customized attribute added by the underlying SCIM SDK that is used to limit the characters usable for the userName attribute. If this is causing a problem I will fix this for the enterprise version that is released soon. If you are able to build the scim-for-keycloak project yourself, you can fix it for the time being by adding this line of code:

class ScimConfiguration

ResourceType userResourceType = resourceEndpoint.registerEndpoint(new UserEndpointDefinition(new UserHandler()));
userResourceType.setFeatures(ResourceTypeFeatures.builder().autoFiltering(true).autoSorting(true).build());
ScimResourceTypeEntity userResourceTypeEntity = resourceTypeService.getOrCreateResourceTypeEntry(userResourceType);
resourceTypeService.updateResourceType(userResourceType, userResourceTypeEntity);
userResourceType.getSchemaAttribute(AttributeNames.RFC7643.USER_NAME).get().setPattern(null); <--- this line

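Added example for the point above (not code from this thread, from scim-for-keycloak or from the SCIM SDK): a small Python linter that walks a SCIM `/Schemas` document and reports attribute characteristics that RFC 7643 section 7 does not define, which is what the strict client here tripped over with "pattern". It also applies the userName regex exactly as printed in the pasted schema to a few constructed names, so you can see what that pattern does and does not reject. The sample schema is a trimmed, constructed version of the one pasted above; that the SDK applies the regex as a whole-string match is an assumption.

```python
"""Lint a SCIM Schema document for non-RFC 7643 attribute characteristics.

Added example; not code from scim-for-keycloak or the SCIM SDK.
"""
import copy
import json
import re

# Attribute characteristics defined for the "Schema" resource in RFC 7643,
# section 7. Anything else (e.g. the SDK's "pattern") is an extension that a
# strict SCIM client may reject.
RFC7643_ATTRIBUTE_KEYS = frozenset({
    "name", "type", "subAttributes", "multiValued", "description", "required",
    "canonicalValues", "caseExact", "mutability", "returned", "uniqueness",
    "referenceTypes",
})


def find_nonstandard_keys(schema: dict) -> list:
    """Return (attribute path, key) pairs for keys RFC 7643 does not define.

    Recurses into subAttributes so complex attributes are covered as well.
    """
    findings = []

    def walk(attributes, prefix):
        for attr in attributes:
            path = f"{prefix}{attr.get('name', '?')}"
            for key in attr:
                if key not in RFC7643_ATTRIBUTE_KEYS:
                    findings.append((path, key))
            walk(attr.get("subAttributes", []), path + ".")

    walk(schema.get("attributes", []), "")
    return findings


def strip_nonstandard_keys(schema: dict) -> dict:
    """Return a deep copy of the schema with all non-RFC keys removed.

    This models what the author says a later SDK release will do by default
    (custom characteristics no longer returned); the input is left untouched.
    """
    cleaned = copy.deepcopy(schema)

    def walk(attributes):
        for attr in attributes:
            for key in [k for k in attr if k not in RFC7643_ATTRIBUTE_KEYS]:
                del attr[key]
            walk(attr.get("subAttributes", []))

    walk(cleaned.get("attributes", []))
    return cleaned


# Constructed sample: a trimmed version of the User schema pasted in the issue,
# keeping the SDK's custom "pattern" characteristic on userName. The raw string
# keeps the backslash so JSON decodes the value to exactly ^(?!\s$).+
SAMPLE_USER_SCHEMA = json.loads(r'''
{
  "id": "urn:ietf:params:scim:schemas:core:2.0:User",
  "name": "User",
  "attributes": [
    {"name": "id", "type": "string", "multiValued": false, "required": true,
     "caseExact": true, "mutability": "readOnly", "returned": "always",
     "uniqueness": "server"},
    {"name": "userName", "type": "string", "multiValued": false, "required": true,
     "caseExact": false, "mutability": "readWrite", "returned": "default",
     "uniqueness": "server", "pattern": "^(?!\\s$).+"},
    {"name": "name", "type": "complex", "multiValued": false,
     "subAttributes": [
        {"name": "givenName", "type": "string", "multiValued": false}
     ]}
  ]
}
''')

USERNAME_PATTERN = SAMPLE_USER_SCHEMA["attributes"][1]["pattern"]


def username_matches(user_name: str, pattern: str = USERNAME_PATTERN) -> bool:
    """Apply the schema's userName regex as a whole-string match (assumption).

    As printed, (?!\s$) only rejects a value that is a single whitespace
    character; a longer all-whitespace value still satisfies .+ and is accepted.
    """
    return re.fullmatch(pattern, user_name) is not None


if __name__ == "__main__":
    for path, key in find_nonstandard_keys(SAMPLE_USER_SCHEMA):
        print(f"non-RFC 7643 characteristic: {path}.{key}")
    for candidate in ["alice", "", " ", "  "]:
        print(f"userName {candidate!r}: {'accepted' if username_matches(candidate) else 'rejected'}")
```

Running it reports `userName.pattern` as the only non-standard characteristic, and shows that the printed regex rejects the empty string and a single space but accepts two spaces, which is worth knowing if you rely on that pattern rather than your own validation.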
Captain-P-Goldfish commented 1 year ago

I will also add a fix into the SCIM-SDK that the custom attributes will not be returned by default anymore

manju754 commented 1 year ago

@Captain-P-Goldfish . Thanks for the Quick Reply :)

The other SCIM Provider has clearly said that removing this custom attribute will solve the problem.

I think it's better if we don't return the custom attributes by default.

Having said that, when can we expect this fix? If it's going to take 1 or 2 days, we will wait for a fix; otherwise we will try to build our own jar with the fix you have provided.

Captain-P-Goldfish commented 1 year ago

I am currently not working on the Open Source version anymore, which is why I tried to give you the fix from above. My goal is to provide access to a free starter version until the end of April. The enterprise version still has to wait due to organizational issues. Which version of Keycloak are you using? The starter kit will support versions 18 to 20.

The product is basically finished. It simply hangs on organization...

manju754 commented 1 year ago

We are using Keycloak version 20.03.

manju754 commented 1 year ago

We tried building using maven with the fix you had provided above.

However, I am facing an issue while building the jar, which states that the object we are expecting is not the object we are getting in "UserResourceType".

userResourceType.getSchemaAttribute(AttributeNames.RFC7643.USER_NAME).get().setPattern(null); <--- this line

The above line is causing the problem. I am getting the error below when building with Maven:

[ERROR] /home/manju/dev-workspace/src/github.com/scim-for-keycloak/scim-for-keycloak-server/src/main/java/de/captaingoldfish/scim/sdk/keycloak/scim/ScimConfiguration.java:[86,21] method getSchemaAttribute in class de.captaingoldfish.scim.sdk.common.resources.base.ScimObjectNode cannot be applied to given types;
[ERROR]   required: no arguments
[ERROR]   found: java.lang.String
[ERROR]   reason: actual and formal argument lists differ in length

Can you shed some light on this and help us build the jar with the fix?

Captain-P-Goldfish commented 1 year ago

Sorry, seems like a copy-paste error hit us here:

userResourceType.getMainSchema().getSchemaAttribute(AttributeNames.RFC7643.USER_NAME).setPattern(null);

The line can be fixed like this.

The method getSchemaAttribute is directly available from the userResourceType in a later version of the SCIM SDK. That's how this copy-paste error happened.

manju754 commented 1 year ago


After building the new jar with the fix, this is the issue I am facing:

2023-04-25 17:04:39,258 INFO [de.captaingoldfish.scim.sdk.server.schemas.ResourceTypeFactory] (executor-thread-6) Resource schema with id 'urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig' is already registered. The new instance is not equal to the old schema document. The old document is being replaced by the new one
2023-04-25 17:04:39,293 INFO [de.captaingoldfish.scim.sdk.server.schemas.ResourceTypeFactory] (executor-thread-6) Resource schema with id 'urn:ietf:params:scim:schemas:core:2.0:ResourceType' is already registered. The new instance is not equal to the old schema document. The old document is being replaced by the new one
2023-04-25 17:04:39,303 INFO [de.captaingoldfish.scim.sdk.server.schemas.ResourceTypeFactory] (executor-thread-6) Resource schema with id 'urn:ietf:params:scim:schemas:core:2.0:Schema' is already registered. The new instance is not equal to the old schema document. The old document is being replaced by the new one
2023-04-25 17:04:39,361 INFO [de.captaingoldfish.scim.sdk.keycloak.services.ScimResourceTypeService] (executor-thread-6) no database entry found for resource type User. Entry will be created
2023-04-25 17:04:39,372 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-6) Uncaught server error: java.lang.NullPointerException
    at java.base/java.util.regex.Pattern.<init>(Pattern.java:1427)
    at java.base/java.util.regex.Pattern.compile(Pattern.java:1069)
    at de.captaingoldfish.scim.sdk.common.schemas.SchemaAttribute.setPattern(SchemaAttribute.java:668)
    at de.captaingoldfish.scim.sdk.keycloak.scim.ScimConfiguration.createNewResourceEndpoint(ScimConfiguration.java:85)
    at de.captaingoldfish.scim.sdk.keycloak.scim.ScimConfiguration.getScimEndpoint(ScimConfiguration.java:64)
    at de.captaingoldfish.scim.sdk.keycloak.scim.AbstractEndpoint.<init>(AbstractEndpoint.java:34)
    at de.captaingoldfish.scim.sdk.keycloak.scim.ScimEndpoint.<init>(ScimEndpoint.java:58)
    at de.captaingoldfish.scim.sdk.keycloak.provider.ScimEndpointProvider.getResource(ScimEndpointProvider.java:40)
    at org.keycloak.services.resources.RealmsResource.resolveRealmExtension(RealmsResource.java:298)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.constructLocator(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.resolveTargetFromLocator(ResourceLocatorInvoker.java:87)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.resolveTarget(ResourceLocatorInvoker.java:76)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
    at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
    at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
    at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
    at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
    at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
    at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
    at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
    at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
    at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:84)
    at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:71)
    at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
    at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
    at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
    at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:430)
    at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:408)
    at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
    at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
    at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
    at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)
    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:829)

2023-04-25 17:04:43,989 INFO [de.captaingoldfish.scim.sdk.server.schemas.ResourceTypeFactory] (executor-thread-4) Resource schema with id 'urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig' is already registered. The new instance is not equal to the old schema document. The old document is being replaced by the new one
2023-04-25 17:04:43,996 INFO [de.captaingoldfish.scim.sdk.server.schemas.ResourceTypeFactory] (executor-thread-4) Resource schema with id 'urn:ietf:params:scim:schemas:core:2.0:ResourceType' is already registered. The new instance is not equal to the old schema document. The old document is being replaced by the new one
2023-04-25 17:04:44,004 INFO [de.captaingoldfish.scim.sdk.server.schemas.ResourceTypeFactory] (executor-thread-4) Resource schema with id 'urn:ietf:params:scim:schemas:core:2.0:Schema' is already registered. The new instance is not equal to the old schema document. The old document is being replaced by the new one

Captain-P-Goldfish commented 1 year ago

I am sorry for that. This was a bug in the SCIM SDK. I fixed it and provided a new release that should fix everything that was causing you problems: https://github.com/Captain-P-Goldfish/scim-for-keycloak/releases/tag/kc-20-b1

manju754 commented 1 year ago

Thanks @Captain-P-Goldfish, that works like a charm :)