scimmyjs / scimmy

SCIM m(ade eas)y - SCIM 2.0 library for NodeJS
https://scimmyjs.github.io
MIT License

The SCIMMY filter does not support special character in the attribute name #33

Closed jiaoyang28 closed 1 month ago

jiaoyang28 commented 2 months ago

While integrating with the Entra provisioning service, we found that removing a group member with the Entra sample request would trigger an invalid filter exception.

The request body is as shown in this link: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#update-group-remove-members

The exception is as follows:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "status": "400",
    "scimType": "invalidFilter",
    "detail": "Unexpected token '$ref eq null and value eq f648f8d5ea4e4cd38e9c' in filter for 'remove' op of operation 1 in PatchOp request body"
}

The root cause seems to be the '$ref' as the attribute name of the filter.

LesterLian commented 1 month ago

A proposal of change is to add "$" to the word part of the pattern, as in this commit: https://github.com/LesterLian/scimmy/commit/909fccbbbc3683504c0d19f0f9f6887c9b47508c.

This will allow leading "$" in a word. I'm not sure if we need to be more strict and match "$ref" only.

sleelin commented 1 month ago

Hi @jiaoyang28, thanks for raising the issue!

This one's a little tricky, as the protocol specification contains several contradictions regarding attribute naming. In RFC7643§2.1 it specifies that attribute names must begin with an ALPHA symbol, but may subsequently contain zero or more of the special characters $, -, and _. Technically speaking, the specification then breaks its own naming rule by defining several attributes named $ref. The rules for attribute naming in filters from RFC7644§3.4.2.2 are again different, omitting the $ special character entirely!

As it's unclear which behaviour is meant to be correct in this case, I have decided to relax the naming rules and make the behaviour consistent between the SCIMMY.Types.Attribute class and the SCIMMY.Types.Filter class. Specifically, the rule will now permit attribute names that begin with the $ and - special characters, as well as the existing _a-zA-Z0-9 (ECMA RegEx \w) permitted characters. I believe this has the least likelihood of introducing compatibility issues with existing projects using non-conformant attribute names.

The fix for this issue will be included in release 1.2.3, which I am working to complete now.
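
The three naming rules discussed in this thread, compared side by side as an added example (not part of the thread and not SCIMMY's own code). The first two patterns transcribe the ABNF in RFC 7643 §2.1 and RFC 7644 §3.4.2.2; `RELAXED_ATTRNAME`, `classify`, `attributeNames` and `audit` are hypothetical names, and the relaxed pattern is an assumed reading of the rule described above.

```javascript
// RFC 7643 §2.1: ATTRNAME = ALPHA *(nameChar); nameChar = "$" / "-" / "_" / DIGIT / ALPHA
const RFC7643_ATTRNAME = /^[A-Za-z][$\-_0-9A-Za-z]*$/;
// RFC 7644 §3.4.2.2: same shape, but nameChar omits "$"
const RFC7644_ATTRNAME = /^[A-Za-z][\-_0-9A-Za-z]*$/;
// Assumption: the relaxed rule from the thread, "$" and "-" allowed in any position plus \w.
// This is not SCIMMY's actual pattern.
const RELAXED_ATTRNAME = /^[$\-\w]+$/;

const RULES = {rfc7643: RFC7643_ATTRNAME, rfc7644: RFC7644_ATTRNAME, relaxed: RELAXED_ATTRNAME};

// Check one attribute name against every rule; "a.b" sub-attribute paths are split on "."
function classify(name) {
    const parts = name.split(".");
    const result = {};
    for (const [rule, pattern] of Object.entries(RULES)) {
        result[rule] = parts.every((part) => pattern.test(part));
    }
    return result;
}

// Collect the token to the left of each comparison operator. Deliberately small:
// handles flat "attr op value" terms joined by and/or, with no quoted strings
// containing operator words and no grouping parentheses.
const OPERATORS = "eq|ne|co|sw|ew|gt|ge|lt|le|pr";
function attributeNames(filter) {
    const term = new RegExp(`(\\S+)\\s+(?:${OPERATORS})\\b`, "gi");
    return [...filter.matchAll(term)].map((match) => match[1]);
}

// One row per attribute name in the filter, with the verdict of each rule
function audit(filter) {
    return attributeNames(filter).map((name) => ({name, ...classify(name)}));
}

// Filter text as quoted in the error message from the issue
const ISSUE_FILTER = "$ref eq null and value eq f648f8d5ea4e4cd38e9c";
console.table(audit(ISSUE_FILTER));

// Constructed names that separate the three rules from each other
const SAMPLES = ["userName", "x$y", "-leading", "name.givenName", "bad name"];
console.table(SAMPLES.map((name) => ({name, ...classify(name)})));
```

A name such as `$ref` fails both RFC grammars because of the leading `$`, which is why a validator written strictly from either ABNF rejects the Entra request while the relaxed rule accepts it.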