Unexpected behaviour when invoking the `scim2/Users` endpoint with `count` value > 0 and omitted `domain` value in multi-attribute filtering flow #20496
Describe the issue:

In the SCIM2 user multi-attribute filter flow, when a `count` parameter greater than 0 is passed without specifying a `domain` value, the result may be empty because the search is only conducted in the PRIMARY user store [1]. This is unlike the single-attribute search [2] or multi-attribute filtering without the `count` parameter [3][4], which iterate through the available user store domains. Example:

Request:

```
curl --location --request GET 'https://localhost:9443/scim2/Users?filter=urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Aextension%3Aenterprise%3A2.0%3AUser%3AaccountLocked%20eq%20%22true%22%20and%20urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Aextension%3Aenterprise%3A2.0%3AUser%3Adepartment%20eq%20%221234%22&count=1' \
--header 'Authorization: Basic YWRtaW46YWRtaW4='
```

We can see there are omitted results given the `totalResults` value.

How to reproduce:

`<IS_HOME>/repository/conf/deployment.toml` file:

Go to the Claim Configuration page (Claims > List > http://wso2.org/claims) and uncheck the 'Read only' checkbox for the 'Department' claim and enable 'Supported by Default' for the 'Account Locked' claim.

In the EXTERNAL user store, create:

- 2 users with 'Account Locked' set to 'true' and 'Department' set to '123'
- 1 user with 'Account Locked' set to 'true' and 'Department' set to '456'

Run the following cURL command:

```
curl --location --request GET 'https://localhost:9443/scim2/Users?filter=urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Aextension%3Aenterprise%3A2.0%3AUser%3AaccountLocked%20eq%20%22true%22%20and%20urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Aextension%3Aenterprise%3A2.0%3AUser%3Adepartment%20eq%20%22123%22&count=1' \
--header 'Authorization: Basic YWRtaW46YWRtaW4='
```

Notice the `totalResult` value of 2 although the result is empty:

Expected behavior:

In the multi-attribute filtering flow, if no `domain` is specified, the pagination/filtering should occur across all user stores (or until the limit threshold is reached).

Environment information:
[1] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.46/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L1913-L1924

[2] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.46/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L1407-L1446

[3] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.127/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L1972-L1982

[4] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.127/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L1997-L2011
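
The mismatch reported above, as an added example that is not part of the original issue and is not WSO2 code: a small Python model of paging a multi-attribute filter with `count` > 0 over PRIMARY only versus over every user store domain, plus a check for a response whose `totalResults` promises matches that the page does not return. The store contents, attribute keys and helper names are constructed for illustration.

```python
# Constructed model of the behaviour described in the issue; not WSO2 code.
# Store names follow the issue; the users and helper names are made up.
STORES = {
    "PRIMARY": [
        {"userName": "admin", "accountLocked": "false", "department": "1"},
    ],
    "EXTERNAL": [
        {"userName": "EXTERNAL/u1", "accountLocked": "true", "department": "123"},
        {"userName": "EXTERNAL/u2", "accountLocked": "true", "department": "123"},
        {"userName": "EXTERNAL/u3", "accountLocked": "true", "department": "456"},
    ],
}


def matches(user, conditions):
    """AND of 'attribute eq value' conditions, as in the issue's filter."""
    return all(user.get(attr) == value for attr, value in conditions.items())


def total_results(conditions):
    """Count matches in every domain, as totalResults does in the report."""
    return sum(matches(u, conditions) for users in STORES.values() for u in users)


def page_primary_only(conditions, count, start_index=1):
    """Reported behaviour: with count > 0 and no domain, only PRIMARY is searched."""
    hits = [u for u in STORES["PRIMARY"] if matches(u, conditions)]
    return hits[start_index - 1:start_index - 1 + count]


def page_all_domains(conditions, count, start_index=1):
    """Expected behaviour: walk the domains in order until the page is full."""
    page, to_skip = [], start_index - 1
    for users in STORES.values():
        for user in users:
            if not matches(user, conditions):
                continue
            if to_skip > 0:          # still before the requested offset
                to_skip -= 1
                continue
            page.append(user)
            if len(page) == count:   # limit reached, stop early
                return page
    return page


def is_inconsistent(total, page, start_index=1):
    """Flag a response that claims matches at this offset but returns none."""
    return total >= start_index and not page
```

The same `is_inconsistent` comparison can be applied to a real SCIM ListResponse by passing its `totalResults`, `Resources` and `startIndex` values.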