independentid
commented
1 year ago In the latest update to 02, I put in some general guidelines. This does not need to be a SCIM endpoint. For example, the URL returned could be to an OpenID SSF server that supports retrieval of SETs by txn. The only requirement is that the SCIM service provider be able to calculate the URL.
During the July 6 call, the idea was raised whether the completion of an async request could be checked by polling an endpoint identified in ScimServiceProviderConfig. This would enable a client who is not linked into an event stream, to check for request completion directly.
Proposal: The endpoint url would end with a txn value whereupon an HTTP GET would return the Security Event Token corresponding to the identified txn.
HTTP GET https://scim.example.com/txn/
As with SCIM, the endpoint will likely require an authorization header to retrieve the event.
Other issues: How long would the service provider be obliged to keep the event available?