Empty schemas attribute

[mwexcell]

Communicating between Keycloak (using scim2 storage) and Atlassian Guard, it looks like verifySchemasInResponse (in Scim2Protocol) doesn't like the response from Atlassian:

2024-09-27 15:14:57,662 ERROR [dev.suvera.keycloak.scim2.storage.storage.ScimClient2] (executor-thread-2) Scim2ClientBuilder failed: dev.suvera.scim2.schema.ex.ScimException: Empty schemas attribute found for Schemas, Expected value is one of [urn:ietf:params:scim:schemas:core:2.0:Schema] at dev.suvera.scim2.schema.util.Scim2Protocol.verifySchemasInResponse(Scim2Protocol.java:495) at dev.suvera.scim2.schema.util.Scim2Protocol.buildSchemas(Scim2Protocol.java:135) at dev.suvera.scim2.schema.util.Scim2Protocol.(Scim2Protocol.java:70) at dev.suvera.scim2.client.Scim2ClientImpl.init(Scim2ClientImpl.java:139) at dev.suvera.scim2.client.Scim2ClientImpl.(Scim2ClientImpl.java:61) at dev.suvera.scim2.client.Scim2ClientBuilder.build(Scim2ClientBuilder.java:45) at dev.suvera.keycloak.scim2.storage.storage.ScimClient2.(ScimClient2.java:86) at dev.suvera.keycloak.scim2.storage.storage.SkssStorageProviderFactory.validateConfiguration(SkssStorageProviderFactory.java:74) at org.keycloak.models.jpa.RealmAdapter.importComponentModel(RealmAdapter.java:2153) at org.keycloak.models.jpa.RealmAdapter.addComponentModel(RealmAdapter.java:2133) at org.keycloak.models.cache.infinispan.RealmAdapter.addComponentModel(RealmAdapter.java:1636) at org.keycloak.services.resources.admin.ComponentResource.create(ComponentResource.java:141) at org.keycloak.services.resources.admin.ComponentResource$quarkusrestinvoker$create_7e172be4a2fcda86fd144ea65603abec3fc1e6e8.invoke(Unknown Source) at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29) at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141) at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147) at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582) at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538) at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29) at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29) at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) at java.base/java.lang.Thread.run(Thread.java:1583)

[suvera]

as per https://datatracker.ietf.org/doc/html/rfc7643#section-3

The "schemas" attribute is a REQUIRED attribute and is an array of Strings containing URIs that are used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure.

Some SCIM implementations don't take it seriously. I don't have access what has "Atlassian Guard" implemented and what's not.

could you please check these URL's and make sure they adhere to https://datatracker.ietf.org/doc/html/rfc7644#section-4

Discovery

To simplify interoperability, SCIM provides three end points to discover supported features and specific attribute details:

• GET /ServiceProviderConfig Specification compliance, authentication schemes, data models.

• GET /ResourceTypes An endpoint used to discover the types of resources available.

• GET /Schemas Introspect resources and attribute extensions.

[suvera]

@mwexcell in addition to above reply, I am able to create a Trial account on Atlassian.

(Please upgrade sdk version to 1.0.3 for fixes)

• Able to make it work after loosening some SCIM 2 checks.
• But still Atlassian is not following the SCIM 2.0 standard. Please raise bug(s) if you are a Customer for them.

Due to these bugs this plugin still throws some validations after creating the User, post-create-response validations. But User is created in Atlassian fyi.

Bug - 1:

Their SCHEMA Discovery API says that USER has extension "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", But that is not being used instead they use some HIDDEN extension called "urn:scim:schemas:extension:atlassian-external:1.0".

They have to add this definition in the SCHEMA Discovery API . Otherwise clients could not understand hidden schemas.

https://api.atlassian.com/scim/directory/aaaaaaaaaaaaaaaaaaaaa/ResourceTypes

"schemaExtensions": [
    {
        "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
        "required": false
    }
],

I see that hidden extension is returned in the User creation response like below.

"urn:scim:schemas:extension:atlassian-external:1.0": {
    "atlassianAccountId": "xxxxxxxxxxxx"
},

Bug - 2:

• They need to add "schemas" field for all their SCHEMA Discovery API (Important)
• And It's best practice to add Schema definitions for all built-in resources too, that includes
  1. urn:ietf:params:scim:schemas:core:2.0:ResourceType
  2. urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig
  3. urn:ietf:params:scim:schemas:core:2.0:Schema