ietf-scim-wg / draft-ietf-scim-events

Working material for the IETF SCIM Events draft

Security Considerations - Async Requests #25

Closed dhs-aws closed 7 months ago

dhs-aws commented 12 months ago

The described operation in the final paragraph lacks specificity.

The SCIM Accepted response SHOULD require authorization, but as written it precludes the use of mTLS for authentication (and thus authorization) of the caller.

In the converse case, as written the SET is encrypted and therefore can only be decrypted by the correct endpoint. But this leaves open the possibility of the URL not requiring authN/authZ ("the retrieval endpoint should be protected"). The language is non-specific (does protected mean authorizing the client or the use of TLS or both?).

independentid commented 7 months ago

Simplified the text to:

   When using Asynchronous SCIM Requests (see Section 2.5.1.1), and a
   location returned in a SCIM Accepted response is a URI for retrieving
   the event result, the URI SHOULD be protected requiring an HTTP
   Authorization header or some other form of client authentication.

I decided less was more. This is because the decision to encrypt the SET or not is handled elsewhere.