
Patch Entitlements through User endpoint

Open Biggo89 opened this issue 3 years ago • 6 comments

Hello, I have implemented a new Entitlements Resource exactly as has been done for the Groups Resource, so to add an entitlement to a specific user we call the Entitlements endpoint, patching the members attribute.

In my application I have a third party that wants to patch entitlements through the Users endpoint; see the schema below for the expected request and response:

[screenshots of expected request and response not available]

I tried to change some Configurations on SCIMAttributeMapping and UserSchema like below:

UserSchema

[screenshot not available]

SCIMAttributeMapping

[screenshot not available]

But it doesn't work as expected; below is the result after some tests:

Patch User

[screenshot not available]

Get User

[screenshot not available]

Get Entitlements

[screenshot not available]

Can you give me the reason why it is not working as expected since the behavior is not matching the schema I linked on top?

Biggo89 avatar Jun 10 '21 15:06 Biggo89

Hello,

Your configuration is almost correct :). If you want to assign "entitlements" to a user, you must execute a PATCH operation against the "Entitlements" resource and not against the "User" resource. The behavior is similar to "groups" assignment. Groups are assigned to users by executing HTTP PATCH operations against the "Groups" endpoint (for more information you can refer to the RFC : https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2.1).

Modifications made on the C# project :

I made the following modifications to have a working example :

  1. Create entitlement schema :

         var entitlementSchema = Builder.SCIMSchemaBuilder.Create("urn:entitlement", "Entitlement", "Entitlements", string.Empty, true)
             .AddStringAttribute("displayName")
             .AddComplexAttribute("members", opt =>
             {
                 opt.AddStringAttribute("value");
                 opt.AddStringAttribute("$ref");
                 opt.AddStringAttribute("type");
             }, multiValued: true)
             .Build();
    
  2. Create custom user resource :

         var customUserSchema = Builder.SCIMSchemaBuilder.Create("urn:customuser", "CustomUser", "CustomUsers", string.Empty, true)
             .AddStringAttribute("userName", required: true)
             .AddComplexAttribute("entitlements", opt =>
             {
                 opt.AddStringAttribute("value", mutability: SCIMSchemaAttributeMutabilities.READONLY);
                 opt.AddStringAttribute("$ref", mutability: SCIMSchemaAttributeMutabilities.READONLY);
                 opt.AddStringAttribute("type", mutability: SCIMSchemaAttributeMutabilities.READONLY);
             }, multiValued: true)
             .Build();
    
  3. Add two new controllers : CustomUserController & CustomResourcesController

  4. Add a new Attribute mapping :

             new SCIMAttributeMapping
             {
                 Id = Guid.NewGuid().ToString(),
                 SourceAttributeId = customUserSchema.Attributes.First(a => a.Name == "entitlements").Id,
                 SourceResourceType = "CustomUsers",
                 SourceAttributeSelector = "entitlements",
                 TargetResourceType = "Entitlements",
                 TargetAttributeId = entitlementSchema.Attributes.First(a => a.Name == "members").SubAttributes.First(a => a.Name == "value").Id
             }
    

The project SimpleIdServer.Scim.Startup (branch release/1.2.2) has been updated with those changes (please check here).

You can run the SimpleIdServer.Scim.Startup project and execute the following HTTP REQUESTS :

  1. Create custom user

         HTTP POST : http://localhost:60002/CustomUsers
         {
             "schemas": ["urn:customuser"],
             "userName": "userName14a4979b3984"
         }

  2. Add entitlement

         HTTP POST : http://localhost:60002/Entitlements
         {
             "schemas": ["urn:entitlement"],
             "displayName": "firstEntitlement"
         }

  3. Assign entitlement

         HTTP PATCH : http://localhost:60002/Entitlements/{{entitlementId}}
         {
             "schemas": [
                 "urn:ietf:params:scim:api:messages:2.0:PatchOp"
             ],
             "Operations": [
                 {
                     "op": "add",
                     "path": "members",
                     "value": [
                         {
                             "value": "{{customUserId}}"
                         }
                     ]
                 }
             ]
         }

  4. Get user :

         HTTP GET : http://localhost:60002/CustomUsers/{{customUserId}}

simpleidserver avatar Jun 11 '21 13:06 simpleidserver

So, just to summarize, you are telling me that an implementation where I can add a member to an entitlement against the user endpoint is not possible?

Biggo89 avatar Jun 11 '21 13:06 Biggo89

There is probably an issue in the "AttributeReferenceEnricher", I'm going to fix it. Sorry for the inconvenience.

simpleidserver avatar Jun 11 '21 14:06 simpleidserver

The issue should be fixed in the branch "release/1.2.2", can you please run the project SimpleIdServer.Scim.Startup & check if it's working as expected? Entitlements can be added via the Users endpoint.

simpleidserver avatar Jun 11 '21 15:06 simpleidserver

Hello, we tried the fix and we found another issue. If the user has more than one entitlement, only the first one has the $ref and display properties filled. We found this piece of code, which takes the first element of entitlements:

[screenshot of the code not available]

the result is:

[screenshot of the result not available]

Can you check please?

gabrielemilan avatar Jun 16 '21 13:06 gabrielemilan
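The two flows discussed in this thread (assigning membership by patching the Entitlements resource, and, after the fix, by patching the user's read-only `entitlements` attribute through the attribute mapping) and the enrichment bug reported above (only the first entitlement getting `$ref`/`display`) modelled in a small in-memory example. This is added example code, not SimpleIdServer's own implementation; the resource ids, the second entitlement and the `display`/`type` values are assumed sample data.

```python
# Added example (not SimpleIdServer code): in-memory model of this thread's SCIM flow.
# Dicts stand in for the C# schemas; ids and "secondEntitlement" are constructed.
BASE_URL = "http://localhost:60002"  # from the thread's requests

users = {"u1": {"id": "u1", "userName": "userName14a4979b3984"}}
entitlements = {
    "e1": {"id": "e1", "displayName": "firstEntitlement", "members": []},
    "e2": {"id": "e2", "displayName": "secondEntitlement", "members": []},
}

def _add_member(ent: dict, user_id: str) -> None:
    """Store the membership on the Entitlement; $ref/type are derived server-side,
    so anything a client sends for them is ignored (they are READONLY in the schema)."""
    if user_id not in users:
        raise KeyError(f"unknown user {user_id}")
    if all(m["value"] != user_id for m in ent["members"]):
        ent["members"].append({"value": user_id, "type": "User",
                               "$ref": f"{BASE_URL}/CustomUsers/{user_id}"})

def patch_entitlement(entitlement_id: str, patch: dict) -> dict:
    """PATCH /Entitlements/{id}: the 'add' on path 'members' the maintainer shows."""
    ent = entitlements[entitlement_id]
    for op in patch["Operations"]:
        if op["op"].lower() != "add" or op["path"] != "members":
            raise ValueError("only 'add' on path 'members' is modelled here")
        for member in op["value"]:
            _add_member(ent, member["value"])
    return ent

def patch_user(user_id: str, patch: dict) -> dict:
    """PATCH /CustomUsers/{id}: after the fix, 'add' on 'entitlements' is mapped
    (entitlements.value -> Entitlements.members.value) onto the target resource."""
    for op in patch["Operations"]:
        if op["op"].lower() != "add" or op["path"] != "entitlements":
            raise ValueError("only 'add' on path 'entitlements' is modelled here")
        for ref in op["value"]:
            _add_member(entitlements[ref["value"]], user_id)
    return get_user(user_id)

def get_user(user_id: str) -> dict:
    """GET /CustomUsers/{id}: enrich the read-only 'entitlements' attribute by
    walking every entitlement, so each one (not only the first) gets $ref/display."""
    user = dict(users[user_id])
    user["entitlements"] = [
        {"value": e["id"], "display": e["displayName"], "type": "Entitlement",
         "$ref": f"{BASE_URL}/Entitlements/{e['id']}"}
        for e in entitlements.values()
        if any(m["value"] == user_id for m in e["members"])
    ]
    return user
```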

Hello,

The bug is fixed in the branch "release/1.2.2"

simpleidserver avatar Jun 17 '21 08:06 simpleidserver