scim icon indicating copy to clipboard operation
scim copied to clipboard
verified publisher icon elimity-com

Question: should `meta` attribute object be returned in the response from the /ResourceTypes discovery endpoint?

Open seikenberry9 opened this issue 1 year ago • 2 comments

We are building a SCIM server using this library. When compliance testing it with scim2-compliance-test-utility, the following error is returned from the /ResourcesTypes endpoint: error: object has missing required properties (["meta"]).

Should the meta attribute object be included in the response? For reference, the response from our /ResourcesTypes endpoint:

{
  "Resources": [
    {
      "description": "User Account",
      "endpoint": "/Users",
      "id": "User",
      "name": "User",
      "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
      "schemaExtensions": [
        {
          "required": true,
          "schema": "urn:ietf:params:scim:schemas:extension:companyname:2.0:User"
        }
      ],
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
      ]
    },
    {
      "description": "Group",
      "endpoint": "/Groups",
      "id": "Group",
      "name": "Group",
      "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
      "schemaExtensions": [],
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
      ]
    }
  ],
  "itemsPerPage": 100,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "startIndex": 1,
  "totalResults": 2
}

seikenberry9 avatar Sep 17 '24 20:09 seikenberry9

No, the meta attribute object does not need to be included in the response.

Based on what I found, the following specifications seem to be related to the meta attribute of ResourceType.

Each SCIM resource (Users, Groups, etc.) includes the following common attributes. With the exception of the "ServiceProviderConfig" and "ResourceType" server discovery endpoints and their associated resources, these attributes MUST be defined for all resources, including any extended resource types. https://datatracker.ietf.org/doc/html/rfc7643#section-3.1

As described above, it seems that the resource in question is not required to have the meta attribute.

Additionally, in the ResourceType section, there is no mention of whether the meta attribute should or should not be included. cf. https://datatracker.ietf.org/doc/html/rfc7643#section-6

However, in the examples, the meta attribute is included. cf. https://datatracker.ietf.org/doc/html/rfc7643#section-8.6

Based on the above, a possible interpretation could be that for ResourceType, the inclusion of meta is optional. I'm happy to be corrected if I've overlooked anything.

ivixvi avatar Dec 30 '24 13:12 ivixvi

There seems to be at least one validator who sees this differently even upon asking: https://github.com/suvera/scim2-compliance-test-utility/issues/6 However, I found their argument for it a bit odd, and replied about it.

I'm not sure if any actual SCIM clients require the meta attribute. If one is found that does it would certainly be good to add. Until then, it's a nice to have at best.

Valodim avatar Jul 03 '25 10:07 Valodim