wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

SCIM filter operators (AND, OR, NOT) are case-sensitive #20511

Closed JayaShakthi97 closed 3 months ago

JayaShakthi97 commented 3 months ago

Describe the issue: The logical gate operators are case-sensitive. This leads to unexpected behavior when filtering users, where only the left part of the expression is taken into consideration if we use AND in all-caps, for example.

As per the SCIM API specification [1]:

"Attribute names and attribute operators used in filters are case insensitive."

How to reproduce: Here is a quick summary of how to reproduce:

  1. Setup an Identity Server instance and add the configuration below to the <IS_HOME>/repository/conf/deployment.toml file:
    [scim2_multi_attribute_filtering]
    use_pagination = "true"
  2. Go to the Claim Configuration page (Claims > List > http://wso2.org/claims), uncheck the 'Read only' checkbox for the 'Department' claim and enable 'Supported by Default' for the 'Account Locked' claim.
  3. In the PRIMARY user store, create:
    • 2 users with 'Account Locked' set to 'true' and 'Department' set to '123'
    • 1 user with 'Account Locked' set to 'true' and 'Department' set to '456'
  4. Run the cURL command below:
    curl --location --request GET 'https://localhost:9443/scim2/Users?filter=urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Aextension%3Aenterprise%3A2.0%3AUser%3AaccountLocked%20eq%20%22true%22%20AND%20urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Aextension%3Aenterprise%3A2.0%3AUser%3Adepartment%20eq%20%22123%22' \
    --header 'Authorization: Basic ******'
  5. Notice how there are 3 results rather than 2.

[1] https://datatracker.ietf.org/doc/html/draft-ietf-scim-api-13#section-3.2.2.2
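The behaviour described above, as an added example that is not part of the issue or of the WSO2 Identity Server code base: a small Python evaluator for SCIM 2.0 filters that matches the logical operators `and`, `or` and `not` case-insensitively (RFC 7644, section 3.4.2.2), run over constructed users that mirror the reproduction steps. The `case_insensitive_logic=False` switch is an assumption that models the symptom reported (only the left-hand clause evaluated when the operator is written in upper case); it does not reproduce WSO2's actual parser.

```python
"""Minimal SCIM 2.0 filter evaluator with case-insensitive logical operators.

Added example, not WSO2 Identity Server code. The strict mode models the
reported symptom: the parser stops after the first comparison when it does
not recognise 'AND', so the right-hand clause is silently dropped.
"""
import re

# Tokens: parentheses, double-quoted strings (with escapes), bare words.
_TOKEN_RE = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|[^\s()]+')
_COMPARE_OPS = {"eq", "ne", "co", "sw", "ew", "gt", "lt", "ge", "le", "pr"}


class FilterError(ValueError):
    """Raised for malformed filters."""


class FilterParser:
    """expr := term (OR term)* ; term := factor (AND factor)* ;
    factor := NOT factor | '(' expr ')' | attrPath compareOp [value]"""

    def __init__(self, text, case_insensitive_logic=True):
        self.tokens = _TOKEN_RE.findall(text)
        self.pos = 0
        # ASSUMPTION: False models the pre-fix symptom from the issue (only
        # lowercase and/or/not recognised, unparsed tail ignored), not WSO2 code.
        self.ci = case_insensitive_logic

    def parse(self):
        node = self._expr()
        if self.pos != len(self.tokens) and self.ci:
            raise FilterError("unexpected token %r" % self.tokens[self.pos])
        return node  # strict mode: remainder silently dropped (the bug)

    def _peek_logic(self, word):
        if self.pos >= len(self.tokens):
            return False
        tok = self.tokens[self.pos]
        return tok.lower() == word if self.ci else tok == word

    def _expr(self):
        node = self._term()
        while self._peek_logic("or"):
            self.pos += 1
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while self._peek_logic("and"):
            self.pos += 1
            node = ("and", node, self._factor())
        return node

    def _factor(self):
        if self.pos >= len(self.tokens):
            raise FilterError("unexpected end of filter")
        if self._peek_logic("not"):
            self.pos += 1
            return ("not", self._factor())
        if self.tokens[self.pos] == "(":
            self.pos += 1
            node = self._expr()
            if self.pos >= len(self.tokens) or self.tokens[self.pos] != ")":
                raise FilterError("missing ')'")
            self.pos += 1
            return node
        return self._comparison()

    def _comparison(self):
        attr = self.tokens[self.pos]
        self.pos += 1
        if self.pos >= len(self.tokens):
            raise FilterError("missing operator after %r" % attr)
        op = self.tokens[self.pos].lower()  # attribute operators: always case-insensitive
        if op not in _COMPARE_OPS:
            raise FilterError("unknown operator %r" % self.tokens[self.pos])
        self.pos += 1
        if op == "pr":
            return ("cmp", attr, op, None)
        if self.pos >= len(self.tokens):
            raise FilterError("missing value for %r" % op)
        raw = self.tokens[self.pos]
        self.pos += 1
        value = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
        return ("cmp", attr, op, value)


def resolve(resource, path):
    """Look up 'attr', 'attr.sub' or 'schemaURN:attr'; names are case-insensitive."""
    for key, val in resource.items():  # schema URN prefix first ('2.0' contains a dot)
        if isinstance(val, dict) and path.lower().startswith(key.lower() + ":"):
            return resolve(val, path[len(key) + 1:])
    head, _, rest = path.partition(".")
    for key, val in resource.items():
        if key.lower() == head.lower():
            return resolve(val, rest) if rest and isinstance(val, dict) else val
    return None


def _norm(v):
    return ("true" if v else "false") if isinstance(v, bool) else str(v).lower()


def _compare(actual, op, expected):
    if op == "pr":
        return actual is not None
    if actual is None:
        return False
    a, e = _norm(actual), _norm(expected)
    if op in ("eq", "ne", "co", "sw", "ew"):
        return {"eq": a == e, "ne": a != e, "co": e in a,
                "sw": a.startswith(e), "ew": a.endswith(e)}[op]
    try:
        a, e = float(actual), float(expected)  # numeric order when both parse
    except (TypeError, ValueError):
        pass
    return {"gt": a > e, "lt": a < e, "ge": a >= e, "le": a <= e}[op]


def evaluate(node, resource):
    if node[0] == "cmp":
        return _compare(resolve(resource, node[1]), node[2], node[3])
    if node[0] == "not":
        return not evaluate(node[1], resource)
    left, right = evaluate(node[1], resource), evaluate(node[2], resource)
    return (left and right) if node[0] == "and" else (left or right)


def filter_users(users, filter_text, case_insensitive_logic=True):
    tree = FilterParser(filter_text, case_insensitive_logic).parse()
    return [u["userName"] for u in users if evaluate(tree, u)]


ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Constructed sample data mirroring the reproduction steps in the issue.
USERS = [
    {"userName": "alice", ENT: {"accountLocked": True, "department": "123"}},
    {"userName": "bob", ENT: {"accountLocked": True, "department": "123"}},
    {"userName": "carol", ENT: {"accountLocked": True, "department": "456"}},
    {"userName": "dave", ENT: {"accountLocked": False, "department": "123"}},
]
FILTER = ENT + ':accountLocked eq "true" AND ' + ENT + ':department eq "123"'

if __name__ == "__main__":
    print("case-insensitive AND:", filter_users(USERS, FILTER))
    print("strict model:", filter_users(USERS, FILTER, case_insensitive_logic=False))
```

With the operator matched case-insensitively the filter returns the two locked users in department 123; the strict model returns all three locked users because everything after `AND` is never parsed, which is the count reported in step 5.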

JayaShakthi97 commented 3 months ago

Fixed with: