simpleidserver / SimpleIdServer

OpenID, OAuth 2.0, SCIM2.0, UMA2.0, FAPI, CIBA & OPENBANKING Framework for ASP.NET Core
https://simpleidserver.com/
Apache License 2.0

[SCIM] Remove member from Group removes all members #164

Closed gabrielemilan closed 3 years ago

gabrielemilan commented 3 years ago

Hello,

I found an issue when removing group members.

This is the case: [screenshot]

Then I remove one member: [screenshot]

Result is: [screenshot]

The remove operation removes all members from the specific group.

Can you check on your side?

Thanks.

simpleidserver commented 3 years ago

Hello,

Your PATCH request is not correct. You must execute the following request to remove a user from a group:

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "remove",
      "path": "members[value eq {{userId}}]"
    }
  ]
}

[screenshot]

gabrielemilan commented 3 years ago

Sorry, you're right, my fault :-)

Thanks.

gabrielemilan commented 3 years ago

Sorry again, we tried this patch: [screenshot] And it didn't work.

It is documented here on page 37: https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2.2

Can you have a look?

Thanks

simpleidserver commented 3 years ago

Hello,

The second request is not going to work because, according to the RFC, when a "remove" operation is executed only the property "path" is taken into account (please refer to page 39 of the RFC: https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2.2):

Scenario 1: If the target location (path) is a single-value attribute, the attribute and its associated value is removed, and the attribute SHALL be considered unassigned. For example:

{ "path" : "displayName" }

Scenario 2: If the target location (path) is a multi-valued attribute and no filter is specified, the attribute and all values are removed, and the attribute SHALL be considered unassigned (you are executing this scenario).

For example:

{ "path" : "members" }

Scenario 3: If the target location is a multi-valued attribute and a complex filter is specified comparing a "value", the values matched by the filter are removed. If no other values remain after removal of the selected values, the multi-valued attribute SHALL be considered unassigned.

For example:

{ "path" : "members[id eq 'id']" }

In the example you mentioned (page 37), an "add" operation is executed and not a "remove" operation.

PATCH /Groups/acbf3ae7-8463-...-9b4da3f908ce
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8
If-Match: W/"a330bc54f0671c9"

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "add",
      "path": "members",
      "value": [
        {
          "display": "Babs Jensen",
          "$ref": "https://example.com/v2/Users/2819c223...413861904646",
          "value": "2819c223-7f76-453a-919d-413861904646"
        }
      ]
    }
  ]
}

kresimirlesic commented 2 years ago

For anyone curious, Azure sends requests in this format, which appears not to conform to the RFC:

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "remove",
      "path": "{{userId}}"
    }
  ]
}
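As an added illustration (not code from SimpleIdServer or from any commenter in this thread), the Python below models the three RFC 7644 section 3.5.2.2 "remove" scenarios from the maintainer's reply and shows why the unfiltered `members` path in the original report empties the whole group, while the Azure-style bare-id path above names no attribute and is rejected as `invalidPath`. The Group resource and the member ids are constructed sample data; the path parser and the `InvalidPath` exception are this example's own.

```python
import re
from copy import deepcopy

# Constructed sample Group resource (not real data).
GROUP = {
    "id": "g1",
    "displayName": "Admins",
    "members": [
        {"value": "u1", "display": "Alice"},
        {"value": "u2", "display": "Bob"},
    ],
}

# attr  or  attr[subAttr eq <literal>]; the literal may be double-quoted,
# single-quoted (as in the maintainer's example) or a bare id token.
PATH_RE = re.compile(
    r'^(\w+)(?:\[(\w+) eq (?:"([^"]*)"|\'([^\']*)\'|([\w-]+))\])?$'
)


class InvalidPath(ValueError):
    """Path names no known attribute: answer HTTP 400 with scimType 'invalidPath'."""


def apply_remove(resource, path):
    """Apply one PATCH 'remove' operation (RFC 7644 3.5.2.2); returns a new resource."""
    m = PATH_RE.match(path.strip())
    if not m or m.group(1) not in resource:
        raise InvalidPath(path)  # e.g. the Azure-style path that is just a user id
    attr, sub, dq, sq, bare = m.groups()
    out = deepcopy(resource)
    if sub is None:
        # Scenario 1 (single-valued) and 2 (multi-valued, no filter):
        # the whole attribute is removed and becomes unassigned.
        del out[attr]
        return out
    if not isinstance(out[attr], list):
        raise InvalidPath(path)  # a value filter only applies to a multi-valued attribute
    literal = next(v for v in (dq, sq, bare) if v is not None)
    # Scenario 3: drop only the values matched by the filter.
    remaining = [item for item in out[attr] if str(item.get(sub)) != literal]
    if remaining:
        out[attr] = remaining
    else:
        del out[attr]  # nothing left: attribute is unassigned
    return out
```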