simpleidserver / SimpleIdServer

OpenID, OAuth 2.0, SCIM2.0, UMA2.0, FAPI, CIBA & OPENBANKING Framework for ASP.NET Core
https://simpleidserver.com/
Apache License 2.0

SCIM server: updating attribute values causes NullReferenceExceptions on future reads #705

Open RoystonS opened 4 months ago

RoystonS commented 4 months ago

SimpleIdServer assembly version: 4.0.7

I've just been diagnosing an issue where, after adding a mobile phone number to an existing User and re-provisioning the user (from an Entra directory), attempts to fetch that user trigger NullReferenceExceptions from that point onward:

fail: SimpleIdServer.Scim.Api.UsersController[0]
      Object reference not set to an instance of an object.
      System.NullReferenceException: Object reference not set to an instance of an object.
         at SimpleIdServer.Scim.Domains.SCIMRepresentationAttribute.ComputeValueIndex()
         at SimpleIdServer.Scim.Domains.SCIMRepresentation.BuildHierarchicalAttributes(IEnumerable`1 attributes)
         at SimpleIdServer.Scim.Domains.SCIMRepresentation.get_HierarchicalAttributes()
         at SimpleIdServer.Scim.Domain.SCIMRepresentationExtensions.ToResponse(SCIMRepresentation representation, String location, Boolean isGetRequest, Boolean includeStandardAttributes, Boolean addEmptyArray, Boolean mergeExtensionAttributes)
         at SimpleIdServer.Scim.Api.BaseApiController.InternalGet(String id, GetSCIMResourceRequest parameter, CancellationToken cancellationToken)

If I specify the mobile phone number when doing the initial provisioning of the user, it's all fine; it's only an issue if the mobile phone number is patched.

I don't quite understand what's going on with the 'ComputeValueIndex' and 'ComputedValueIndex' stuff, but one thing I've observed is that if I provision a user initially with a mobile phone of 12345, their SCIMRepresentationAttribute 'ComputedValueIndex' database column has a value of 12345. If I provision the user initially without a mobile phone and add the mobile phone later, their SCIMRepresentationAttribute 'ComputedValueIndex' database column value is null.

From the server logs, this is the SCIM change that Entra is making to us:

start to get 'f9f3c232-e7a8-4408-bec2-46d0f4cb2a1f'
SimpleIdServer.Scim.Api.UsersController: Information: patch resource 'f9f3c232-e7a8-4408-bec2-46d0f4cb2a1f' : '{"Operations":[{"op":0,"path":"phoneNumbers[type eq \"mobile\"].value","value":"12345"}],"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"]}'

RoystonS commented 4 months ago

I've switched to the very latest SimpleIdServer source to help diagnose this. I can see that the NullReference exception is actually coming from the first line of ComputeValueIndex: the value of SchemaAttribute is actually null in my case for the attribute with a full path of 'phoneNumbers'. Looking in the database, the SCIMRepresentationAttribute has a null SchemaAttributeId column value.

(Does it ever make sense for that to be null?)

simpleidserver commented 4 months ago

Hello,

The SchemaAttributeId is getting erased because the navigation properties are not considered in the BulkInsertAsync instruction :(. The issue has been resolved in the master branch. Could you please try again?

Kind Regards,

SID

RoystonS commented 4 months ago

Yes, that looks much happier. The SchemaAttributeId is no longer getting into the database as null, and the ComputedValueIndex (whatever that is) is also being populated now, so reads work happily.

Thank you for the rapid fix!

If SchemaAttributeId is always a required value, would it be worth tweaking the definition of it so that nulls can't get into the database? e.g.

public void Configure(EntityTypeBuilder<SCIMRepresentationAttribute> builder)
{
    // ...
    // Mark the foreign key as required so that nulls cannot be stored.
    builder.Property(a => a.SchemaAttributeId).IsRequired();
    // ...
}

?


Btw, I'm currently attempting to add multi-tenant support for SCIM. I've seen the existing 'shadow property' example, but it requires copying quite a bit of CommandRepository/QueryRepository code. I've just about managed to make a set of code work that only:

1) subclasses the ScimDbContext (to filter on tenant and add tenant during writes)
2) subclasses RepresentationHelper so that I can make the attributes marked as SCIMSchemaAttributeUniqueness.SERVER and SCIMSchemaAttributeUniqueness.GLOBAL have slightly different behaviour (i.e. per-instance and global, respectively)

i.e. I've not had to make any changes to, or any copies of, any of the repositories, which is really nice.

Doing this would be a little easier if there was an extra protected constructor on ScimDbContext to allow easy subclassing, and if RepresentationHelper.CheckUniqueness were marked virtual. Would you be willing to accept small PRs along those lines?
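
The tenant-scoped DbContext subclass described in the comment above, as an added sketch that is not code from the thread or from SimpleIdServer: it uses a protected base constructor, an EF Core global query filter for reads, and a SaveChanges override that stamps the tenant on inserts. `Representation`, `BaseScimContext`, `TenantScimContext` and the `TenantId` shadow column are hypothetical stand-ins for the project's own types.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;

// Hypothetical stand-ins; not SimpleIdServer's ScimDbContext or its entities.
public class Representation { public string Id { get; set; } = Guid.NewGuid().ToString(); }
public class BaseScimContext : DbContext
{
    // A protected constructor taking non-generic options lets a subclass pass its own.
    protected BaseScimContext(DbContextOptions options) : base(options) { }
    public DbSet<Representation> Representations => Set<Representation>();
}

public class TenantScimContext : BaseScimContext
{
    private const string TenantColumn = "TenantId"; // shadow property (assumed name)
    private readonly string _tenantId;
    public TenantScimContext(DbContextOptions<TenantScimContext> options, string tenantId)
        : base(options) => _tenantId = tenantId ?? throw new ArgumentNullException(nameof(tenantId));

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        base.OnModelCreating(modelBuilder);
        var entity = modelBuilder.Entity<Representation>();
        entity.Property<string>(TenantColumn).IsRequired();
        // Reads: every query is restricted to the tenant of this context instance.
        entity.HasQueryFilter(r => EF.Property<string>(r, TenantColumn) == _tenantId);
    }

    public override int SaveChanges(bool acceptAllChangesOnSuccess)
    {
        StampTenant();
        return base.SaveChanges(acceptAllChangesOnSuccess);
    }

    public override Task<int> SaveChangesAsync(bool acceptAllChangesOnSuccess, CancellationToken ct = default)
    {
        StampTenant();
        return base.SaveChangesAsync(acceptAllChangesOnSuccess, ct);
    }

    private void StampTenant()
    {
        // Writes: new rows always receive the context's tenant, never a caller-supplied one.
        foreach (var entry in ChangeTracker.Entries<Representation>())
            if (entry.State == EntityState.Added) entry.Property(TenantColumn).CurrentValue = _tenantId;
    }
}
```

Writes that do not go through SaveChanges, such as a bulk-insert extension, are not stamped by this override, and a query that calls `IgnoreQueryFilters()` is not tenant-scoped.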

simpleidserver commented 4 months ago

Hello,

Certainly, the SchemaAttributeId can be designated as a required property in the Entity Framework Configuration.

I would appreciate it if you could submit a pull request with your suggested modifications to simplify the ScimShadowProperty sample project :)