wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

SCIM Outbound Provisioning flow triggers even if SCIM request failed #12074

Open isuruirj opened 3 years ago

isuruirj commented 3 years ago

Describe the issue: According to the current implementation, outbound provisioning is triggered in pre-events [1]. The following are the pre-events that have been used.

The issue is that if the SCIM request is failed by any other listener, or even at the userstore level, the user will be outbound provisioned.

Expected behavior: Outbound provisioning has to be triggered in the post events.

[1] - https://github.com/wso2/carbon-identity-framework/blob/v5.20.106/components/provisioning/org.wso2.carbon.identity.provisioning/src/main/java/org/wso2/carbon/identity/provisioning/listener/DefaultInboundUserProvisioningListener.java

AnuradhaSK commented 2 years ago

Ideally, outbound provisioning should be handled in two phases:

piraveena commented 2 years ago

@AnuradhaSK / @kayathiri4 Do we have anything pending on this?

kayathiri4 commented 2 years ago

We have handled the following pre-events:

- doPreAddUser
- doPreSetUserClaimValues
- doPreDeleteUserClaimValues
- doPreDeleteUserClaimValue
- doPreAddRole
- doPreDeleteRole

For the above events, we have added an error-listener to revert the outbound provisioning changes if the SCIM requests failed.

doPreDeleteUser is not handled with the above fix as we need the credentials to onboard the user again. And it is not the best approach.

Anyway, all these events should be handled as per the comment https://github.com/wso2/product-is/issues/12074#issuecomment-1035847291 in the future.
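
An added illustration of the ordering problem discussed in this thread, not code from WSO2 or from any commenter: a self-contained Java simulation that compares pre-event provisioning, pre-event provisioning with a compensating error listener, and post-event provisioning when the userstore write fails. Every class, method and user name in it is hypothetical, and the two in-memory sets stand in for the local userstore and the outbound target.

```java
import java.util.*;

// Added illustration; all names here are hypothetical and are not WSO2 APIs.
public class ProvisioningOrderDemo {
    enum Mode { PRE_EVENT, PRE_EVENT_WITH_ERROR_LISTENER, POST_EVENT }

    static final Set<String> localStore = new HashSet<>();   // stands in for the userstore
    static final Set<String> remoteStore = new HashSet<>();  // stands in for the outbound target

    // Simulated userstore write that rejects one constructed user name.
    static void storeAdd(String user) {
        if (user.equals("bad-user")) {
            throw new IllegalStateException("userstore rejected " + user);
        }
        localStore.add(user);
    }

    static boolean addUser(String user, Mode mode) {
        boolean provisioned = false;
        try {
            if (mode != Mode.POST_EVENT) {        // pre-event: provision before the write
                remoteStore.add(user);
                provisioned = true;
            }
            storeAdd(user);                       // may fail after the pre-event already ran
            if (mode == Mode.POST_EVENT) {
                remoteStore.add(user);            // post-event: provision only after success
            }
            return true;
        } catch (IllegalStateException e) {
            // Error listener: compensate by de-provisioning what the pre-event pushed out.
            if (provisioned && mode == Mode.PRE_EVENT_WITH_ERROR_LISTENER) {
                remoteStore.remove(user);
            }
            return false;
        }
    }

    public static void main(String[] args) {
        for (Mode mode : Mode.values()) {
            localStore.clear();
            remoteStore.clear();
            addUser("alice", mode);               // constructed sample users
            addUser("bad-user", mode);
            Set<String> orphans = new TreeSet<>(remoteStore);
            orphans.removeAll(localStore);        // accounts that exist only at the remote side
            System.out.println(mode + " local=" + new TreeSet<>(localStore)
                    + " remote=" + new TreeSet<>(remoteStore) + " orphans=" + orphans);
        }
    }
}
```

Only the plain pre-event mode leaves an account at the remote side with no local counterpart. The compensation shown here works for an add because removing the remote entry is enough; reverting a delete would mean re-creating the remote account, which is the case the thread says needs the user's credentials.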