Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License

MS SCIM Validator error, boolean as string #87

Closed xgp closed 1 year ago

xgp commented 1 year ago

When using the MS SCIM validator at https://scimvalidator.microsoft.com/, I get an error when adding a user; it is related to a boolean being sent in string form.

Is there a way to work around this in code or configuration?

Here's the error:

{
  "detail": "Found unsupported value in multivalued complex attribute '[{\"primary\":\"True\",\"display\":\"IY0KQJ70X0EK\",\"value\":\"9J3W97J8OSQQ\",\"type\":\"IRANX4GAM6FK\"}]'",
  "errors": {
    "fieldErrors": {
      "roles": [
        "Found unsupported value in multivalued complex attribute '[{\"primary\":\"True\",\"display\":\"IY0KQJ70X0EK\",\"value\":\"9J3W97J8OSQQ\",\"type\":\"IRANX4GAM6FK\"}]'",
        "Value of attribute 'urn:ietf:params:scim:schemas:core:2.0:User:roles.primary' is not of type 'boolean' but of type 'string' with value '\"True\"'"
      ]
    }
  },
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:Error"
  ],
  "status": 400
}

Here's the request:

{
  "active": true,
  "addresses": [
    {
      "type": "work",
      "formatted": "MSAFABQT85U4",
      "streetAddress": "868 Price Curve",
      "locality": "Y3OFNBNYENGJ",
      "region": "40Y2LPI2SHAR",
      "postalCode": "xd36 6dp",
      "primary": true,
      "country": "Saint Vincent and the Grenadines"
    }
  ],
  "displayName": "YTNKSSYY8FS8",
  "emails": [
    {
      "type": "work",
      "value": "kristy_oconnell@tromp.ca",
      "primary": true
    }
  ],
  "locale": "AHI2YRSSTLGW",
  "name": {
    "givenName": "Fiona",
    "familyName": "Shanna",
    "formatted": "Rafael",
    "middleName": "Faustino",
    "honorificPrefix": "Javon",
    "honorificSuffix": "Tony"
  },
  "nickName": "UF1DCX4ZIXUU",
  "phoneNumbers": [
    {
      "type": "work",
      "value": "(664)842-2284 x231",
      "primary": true
    },
    {
      "type": "mobile",
      "value": "(671)136-2434 x8135"
    },
    {
      "type": "fax",
      "value": "(367)472-6614"
    }
  ],
  "preferredLanguage": "TS3YY3OJ3ISJ",
  "profileUrl": "3P9OAWSEKT16",
  "roles": [
    {
      "primary": "True",
      "display": "IY0KQJ70X0EK",
      "value": "9J3W97J8OSQQ",
      "type": "IRANX4GAM6FK"
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "timezone": "JFIJKBK7S9O9",
  "title": "OQKX30B0SU3R",
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "7W256T15K1UE",
    "department": "1ZYOB1QLCW1Z",
    "costCenter": "4Y58X8E639UL",
    "organization": "U7DLHWBMQE4D",
    "division": "5XNLJBQRI2DI"
  },
  "userName": "nicolas@lesch.name",
  "userType": "MBBFXHJ8EJO7"
}
xgp commented 1 year ago

Also, another error, this one for a user PATCH:

Request:

{
  "Operations": [
    {
      "op": "replace",
      "path": "emails[type eq \"untyped\"].value",
      "value": "marguerite_lubowitz@mante.ca"
    },
    {
      "op": "replace",
      "path": "emails[type eq \"untyped\"].display",
      "value": "I27XLHK4TLTG"
    },
    {
      "op": "replace",
      "path": "emails[type eq \"untyped\"].primary",
      "value": true
    },
    {
      "op": "replace",
      "path": "phoneNumbers[type eq \"untyped\"].value",
      "value": "1-991-663-8763"
    },
    {
      "op": "replace",
      "path": "phoneNumbers[type eq \"untyped\"].display",
      "value": "(233)436-8890 x43220"
    },
    {
      "op": "replace",
      "path": "phoneNumbers[type eq \"untyped\"].primary",
      "value": "1-648-081-5815 x2534"
    },
    {
      "op": "replace",
      "path": "ims[type eq \"untyped\"].value",
      "value": "ALJ7NB0U3625"
    },
    {
      "op": "replace",
      "path": "ims[type eq \"untyped\"].display",
      "value": "VAE88FFVH24Z"
    },
    {
      "op": "replace",
      "path": "ims[type eq \"untyped\"].primary",
      "value": true
    },
    {
      "op": "replace",
      "path": "photos[type eq \"untyped\"].display",
      "value": "HK8T4HCWBHSN"
    },
    {
      "op": "replace",
      "path": "photos[type eq \"untyped\"].primary",
      "value": true
    },
    {
      "op": "replace",
      "path": "addresses[type eq \"untyped\"].formatted",
      "value": "RJZL3DFWSX3M"
    },
    {
      "op": "replace",
      "path": "addresses[type eq \"untyped\"].streetAddress",
      "value": "203 William Spring"
    },
    {
      "op": "replace",
      "path": "addresses[type eq \"untyped\"].locality",
      "value": "YPG6U4Y62YBL"
    },
    {
      "op": "replace",
      "path": "addresses[type eq \"untyped\"].region",
      "value": "KBH01PEGFB4O"
    },
    {
      "op": "replace",
      "path": "addresses[type eq \"untyped\"].postalCode",
      "value": "rz5 9oz"
    },
    {
      "op": "replace",
      "path": "addresses[type eq \"untyped\"].country",
      "value": "San Marino"
    },
    {
      "op": "replace",
      "path": "addresses[type eq \"untyped\"].primary",
      "value": true
    },
    {
      "op": "replace",
      "path": "groups[type eq \"untyped\"].value",
      "value": "LVY2CRZVPQ1C"
    },
    {
      "op": "replace",
      "path": "groups[type eq \"untyped\"].display",
      "value": "S1902RI36DWM"
    },
    {
      "op": "replace",
      "path": "entitlements[type eq \"untyped\"].value",
      "value": "MH2F7VCC2E5C"
    },
    {
      "op": "replace",
      "path": "entitlements[type eq \"untyped\"].primary",
      "value": true
    },
    {
      "op": "replace",
      "path": "roles[type eq \"untyped\"].value",
      "value": "J5J65R9GFGRU"
    },
    {
      "op": "replace",
      "path": "roles[type eq \"untyped\"].primary",
      "value": true
    },
    {
      "op": "replace",
      "path": "x509Certificates[type eq \"untyped\"].value",
      "value": "D0EINU3RIKLP"
    },
    {
      "op": "replace",
      "path": "x509Certificates[type eq \"untyped\"].primary",
      "value": false
    },
    {
      "op": "replace",
      "value": {
        "externalId": "b4027c7f-3364-40e2-8721-417cf8a1d563",
        "userName": "elza.cruickshank@dach.name",
        "name.formatted": "Gregoria",
        "name.familyName": "Kyleigh",
        "name.givenName": "Stanford",
        "name.middleName": "Norval",
        "name.honorificPrefix": "John",
        "name.honorificSuffix": "Walter",
        "displayName": "EJ32J8CFWNKC",
        "nickName": "ZRMV4MF1KZJW",
        "title": "QZTG6EQDRQPL",
        "userType": "PLZCH50V7U6Q",
        "preferredLanguage": "RIELRC95A12F",
        "locale": "5GY8Y9XNXTFT",
        "timezone": "IW7ZVVHJNLR3",
        "active": true,
        "password": "NB8VAD5IGUV3",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber": "0CNCYZKJIAW3",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter": "GUK6L75W3QY7",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization": "AA7UW5OE03YT",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division": "C6ANAVFC53ZK",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department": "JZ6XPUFR8V5N",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.displayName": "VYFA294OD19D"
      }
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ]
}

Response:

{
  "detail": "No target found for path-filter 'emails[type eq \"untyped\"].value'",
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:Error"
  ],
  "scimType": "noTarget",
  "status": 400
}
Captain-P-Goldfish commented 1 year ago

It should be possible to fix this problem by changing the users schema. In my opinion the behaviour is wrong, though: a boolean node should not be handled like a string. But it should be possible to work around this by changing the roles.primary attribute to type string (the server would then accept string values for it instead of enforcing a boolean).

What are you expecting on the replace operation? The RFC clearly states how the replace action should be handled:

RFC7644 chapter 3.5.2.3

If the target location is a multi-valued attribute for which a
      value selection filter ("valuePath") has been supplied and no
      record match was made, the service provider SHALL indicate failure
      by returning HTTP status code 400 and a "scimType" error code of
      "noTarget".

From the looks of it, MS Azure is expecting a different behaviour. This would require an explicit workaround within the SCIM-SDK.

xgp commented 1 year ago

@Captain-P-Goldfish Thanks for the pointer to the replace operation in the RFC. I couldn't find that, and I was going to send a report/bug to Azure.