FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Review SCIM Server validation controls #2689

Closed jobannon closed 6 months ago

jobannon commented 6 months ago

Problem

Currently we rely on the SCIM Client to validate that its data is complete before provisioning a user into FusionAuth when FA is acting as the SCIM Server.

Solution

Need to review the SCIM spec as it relates to validation. If allowed by the specification, we could validate the schema that is in place or we could offer a "validation lambda" that would review the incoming request and not provision the user/group upon failed validation.

Alternatives/workarounds

In a request converter lambda FusionAuth will allow for an exception to be thrown. The effect is that the user will not be provisioned in FusionAuth (acting as the SCIM Server). It is not yet clear what allowances the SCIM specification makes for this failure to be carried upstream back to the SCIM Client. Currently, if you fail a "SCIM related [request or response converter]" lambda we will return an error to the SCIM Client. This error does not contain enough information for the integrator to take immediate action (only that a provisioning error occurred with the SCIM Server).

Additional context

Additional validation was requested from a customer -- additional review of the SCIM specification will require finding out:

  1. How does the upstream SCIM client receive a failing to provision error (do they need a certain Error Schema, etc)?
  2. Will a SCIM Client know what to do with a provisioning error resulting from a validation error?
  3. Does the SCIM specification allow for the SCIM Server to enforce validation of the schema or are other validation methods encouraged?

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

runely commented 6 months ago

The SCIM specification states that validation is always performed by an intended receiver (SCIM Server), as specified by the SCIM specifications: https://datatracker.ietf.org/doc/html/rfc7643#section-2

1

Passing errors back to the SCIM Client is specified in the SCIM specifications: https://datatracker.ietf.org/doc/html/rfc7644#section-3.7.3

2

In Microsoft Entra ID, the failing resource will be retried in the next sync cycle: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works#errors-and-retries
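The two points raised above, the request-converter workaround in the issue body (throwing from the lambda to stop provisioning) and the RFC 7644 error-response shape referenced in the previous comment, as one added example. This is illustrative code written for this page, not FusionAuth's own lambda code or SCIM implementation. The `convert(user, scimUser)` signature is an assumption about the request converter lambda, the validation rules are taken from RFC 7643 (required `userName`, at most one `primary` value in a multi-valued attribute), the error document follows RFC 7644 section 3.12, and the payloads at the bottom are constructed for the example.

```javascript
// Added example: a SCIM User validator that produces RFC 7644 section 3.12
// error documents, plus a FusionAuth-style request converter lambda that
// throws on failure (the workaround described in the issue). The lambda
// signature convert(user, scimUser) is an assumption, not taken from the
// page. Sample payloads below are constructed for this example.

const SCIM_USER_SCHEMA = 'urn:ietf:params:scim:schemas:core:2.0:User';
const SCIM_ERROR_SCHEMA = 'urn:ietf:params:scim:api:messages:2.0:Error';

// Build an error document in the shape RFC 7644 section 3.12 defines.
// "status" is the HTTP status code carried as a string, as in the RFC's
// example; "scimType" is optional and only set for 400-class errors here.
function scimError(status, scimType, detail) {
  const err = { schemas: [SCIM_ERROR_SCHEMA], status: String(status), detail };
  if (scimType) err.scimType = scimType;
  return err;
}

// Validate an incoming SCIM User resource. Returns null when the resource
// is acceptable, otherwise the error object the SCIM Server should return.
function validateScimUser(scimUser) {
  if (!scimUser || typeof scimUser !== 'object') {
    return scimError(400, 'invalidSyntax', 'Request body is not a SCIM resource');
  }
  if (!Array.isArray(scimUser.schemas) || !scimUser.schemas.includes(SCIM_USER_SCHEMA)) {
    return scimError(400, 'invalidValue', `schemas must include ${SCIM_USER_SCHEMA}`);
  }
  // RFC 7643 section 4.1: userName is REQUIRED on the User resource.
  if (typeof scimUser.userName !== 'string' || scimUser.userName.trim() === '') {
    return scimError(400, 'invalidValue', 'userName is required');
  }
  if (scimUser.emails !== undefined) {
    if (!Array.isArray(scimUser.emails)) {
      return scimError(400, 'invalidSyntax', 'emails must be a multi-valued attribute (array)');
    }
    let primaries = 0;
    for (const e of scimUser.emails) {
      if (!e || typeof e.value !== 'string' || !e.value.includes('@')) {
        return scimError(400, 'invalidValue', 'each emails entry needs a value containing "@"');
      }
      if (e.primary === true) primaries += 1;
    }
    // RFC 7643 section 2.4: at most one value of a multi-valued attribute
    // may be marked primary.
    if (primaries > 1) {
      return scimError(400, 'invalidValue', 'at most one emails entry may be primary');
    }
  }
  return null;
}

// Request converter in the style of a FusionAuth SCIM lambda (signature
// assumed). Throwing aborts provisioning, which is the behaviour the issue
// describes; the thrown Error carries the SCIM error document so the
// reason survives even if the server itself only reports a generic failure.
function convert(user, scimUser) {
  const err = validateScimUser(scimUser);
  if (err) {
    const e = new Error(err.detail);
    e.scimError = err;
    throw e;
  }
  user.username = scimUser.userName;
  if (Array.isArray(scimUser.emails) && scimUser.emails.length > 0) {
    const primary = scimUser.emails.find((x) => x.primary === true) || scimUser.emails[0];
    user.email = primary.value;
  }
  return user;
}

// Run the converter over one payload and return either the converted user
// or the SCIM error document, so the outcome can be inspected or logged.
function provision(scimUser) {
  try {
    return { ok: true, user: convert({}, scimUser) };
  } catch (e) {
    return { ok: false, error: e.scimError || scimError(500, null, e.message) };
  }
}

// Constructed sample payloads, not captured from any real SCIM client.
const GOOD_USER = {
  schemas: [SCIM_USER_SCHEMA],
  userName: 'alice',
  emails: [{ value: 'alice@example.com', primary: true }],
};
const MISSING_USERNAME = {
  schemas: [SCIM_USER_SCHEMA],
  emails: [{ value: 'bob@example.com' }],
};

console.log(JSON.stringify(provision(GOOD_USER)));
console.log(JSON.stringify(provision(MISSING_USERNAME)));
```

The validator is kept separate from the converter so the same rules can produce a proper error body at the HTTP layer if the server ever exposes one; the converter only needs the yes/no answer, and attaching the error document to the thrown exception is what lets an integrator see why provisioning was refused rather than just that it was.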

jobannon commented 6 months ago

Closing in favor of the better details captured on this successor issue: https://github.com/FusionAuth/fusionauth-issues/issues/2695

mooreds commented 6 months ago

Which issue @jobannon ?

jobannon commented 6 months ago

https://github.com/FusionAuth/fusionauth-issues/issues/2695