suvera / scim2-sdk

SCIM 2.0 JAVA development kit
MIT License

Empty schemas attribute #7

Open mwexcell opened 1 month ago

mwexcell commented 1 month ago

Communicating between Keycloak (using scim2 storage) and Atlassian Guard, it looks like verifySchemasInResponse (in Scim2Protocol) doesn't like the response from Atlassian:

```
2024-09-27 15:14:57,662 ERROR [dev.suvera.keycloak.scim2.storage.storage.ScimClient2] (executor-thread-2) Scim2ClientBuilder failed: dev.suvera.scim2.schema.ex.ScimException: Empty schemas attribute found for Schemas, Expected value is one of [urn:ietf:params:scim:schemas:core:2.0:Schema]
    at dev.suvera.scim2.schema.util.Scim2Protocol.verifySchemasInResponse(Scim2Protocol.java:495)
    at dev.suvera.scim2.schema.util.Scim2Protocol.buildSchemas(Scim2Protocol.java:135)
    at dev.suvera.scim2.schema.util.Scim2Protocol.<init>(Scim2Protocol.java:70)
    at dev.suvera.scim2.client.Scim2ClientImpl.init(Scim2ClientImpl.java:139)
    at dev.suvera.scim2.client.Scim2ClientImpl.<init>(Scim2ClientImpl.java:61)
    at dev.suvera.scim2.client.Scim2ClientBuilder.build(Scim2ClientBuilder.java:45)
    at dev.suvera.keycloak.scim2.storage.storage.ScimClient2.<init>(ScimClient2.java:86)
    at dev.suvera.keycloak.scim2.storage.storage.SkssStorageProviderFactory.validateConfiguration(SkssStorageProviderFactory.java:74)
    at org.keycloak.models.jpa.RealmAdapter.importComponentModel(RealmAdapter.java:2153)
    at org.keycloak.models.jpa.RealmAdapter.addComponentModel(RealmAdapter.java:2133)
    at org.keycloak.models.cache.infinispan.RealmAdapter.addComponentModel(RealmAdapter.java:1636)
    at org.keycloak.services.resources.admin.ComponentResource.create(ComponentResource.java:141)
    at org.keycloak.services.resources.admin.ComponentResource$quarkusrestinvoker$create_7e172be4a2fcda86fd144ea65603abec3fc1e6e8.invoke(Unknown Source)
    at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
    at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
    at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:1583)
```

suvera commented 1 month ago

as per https://datatracker.ietf.org/doc/html/rfc7643#section-3

The "schemas" attribute is a REQUIRED attribute and is an array of Strings containing URIs that are used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure.

Some SCIM implementations don't take it seriously. I don't have access to what "Atlassian Guard" has implemented and what it hasn't.

Could you please check these URLs and make sure they adhere to https://datatracker.ietf.org/doc/html/rfc7644#section-4

Discovery

To simplify interoperability, SCIM provides three end points to discover supported features and specific attribute details:
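Added example (Python, not code from scim2-sdk or the SDK's API): the two checks this thread turns on, `schemas` being present, non-empty and limited to the expected URIs (the `verifySchemasInResponse` failure above), and every extension namespace on a resource being declared under `schemaExtensions` by the ResourceTypes discovery endpoint. The JSON documents are constructed samples, not real Atlassian output.

```python
"""Consistency checks for SCIM 2.0 responses (added example, not scim2-sdk code)."""
from typing import Iterable

CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Schema"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def verify_schemas(resource: dict, expected: Iterable[str]) -> list[str]:
    """RFC 7643 section 3: 'schemas' is REQUIRED and is an array of URIs.
    Returns a list of problems; an empty list means the check passed."""
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or not schemas:
        # Same condition the SDK reports as "Empty schemas attribute found".
        return [f"Empty schemas attribute found, expected one of {sorted(expected)}"]
    unknown = sorted(set(schemas) - set(expected))
    return [f"unexpected schema URIs: {unknown}"] if unknown else []


def undeclared_extensions(resource: dict, resource_type: dict) -> list[str]:
    """Every extension namespace used as a complex attribute on a resource
    must be declared in 'schemaExtensions' of its ResourceType (RFC 7644
    section 4 discovery). Returns the namespaces that are not declared."""
    declared = {resource_type.get("schema")}
    declared |= {ext["schema"] for ext in resource_type.get("schemaExtensions", [])}
    used = {k for k, v in resource.items() if k.startswith("urn:") and isinstance(v, dict)}
    return sorted(used - declared)


# Constructed sample documents (placeholders, not real Atlassian responses).
USER_RESOURCE_TYPE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
    "id": "User",
    "schema": CORE_USER,
    "schemaExtensions": [{"schema": ENTERPRISE_USER, "required": False}],
}
CREATED_USER = {
    "schemas": [CORE_USER, "urn:scim:schemas:extension:atlassian-external:1.0"],
    "id": "sample-user-id",
    "userName": "jdoe",
    "urn:scim:schemas:extension:atlassian-external:1.0": {"atlassianAccountId": "placeholder"},
}
EMPTY_SCHEMAS_DOC = {"schemas": [], "id": CORE_USER}

if __name__ == "__main__":
    print(verify_schemas(EMPTY_SCHEMAS_DOC, {CORE_SCHEMA}))
    print(undeclared_extensions(CREATED_USER, USER_RESOURCE_TYPE))
```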

suvera commented 1 month ago

@mwexcell in addition to above reply, I am able to create a Trial account on Atlassian.

(Please upgrade sdk version to 1.0.3 for fixes)

Due to these bugs this plugin still throws some validation errors after creating the User (post-create-response validations), but the User is created in Atlassian, FYI.

Bug - 1:

Their SCHEMA Discovery API says that USER has the extension "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", but that is not being used; instead they use some HIDDEN extension called "urn:scim:schemas:extension:atlassian-external:1.0".

They have to add this definition to the SCHEMA Discovery API. Otherwise clients cannot understand hidden schemas.

https://api.atlassian.com/scim/directory/aaaaaaaaaaaaaaaaaaaaa/ResourceTypes

```json
"schemaExtensions": [
    {
        "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
        "required": false
    }
],
```

I see that the hidden extension is returned in the User creation response, like below.

```json
"urn:scim:schemas:extension:atlassian-external:1.0": {
    "atlassianAccountId": "xxxxxxxxxxxx"
},
```

Bug - 2: