Adding Members to Groups

Pascal Knüppel edited this page Jul 19, 2021 · 1 revision

Recently there have been several issues about adding members to groups, so this page explains how it works and what to expect when adding members to groups.

By definition of RFC 7643 a group may have any valid SCIM resource as a member. Only users and groups are directly mentioned in RFC 7643, though:

 members
      A list of members of the Group.  While values MAY be added or
      removed, sub-attributes of members are "immutable".  The "value"
      sub-attribute contains the value of an "id" attribute of a SCIM
      resource, and the "$ref" sub-attribute must be the URI of a SCIM
      resource such as a "User", or a "Group".  The intention of the
      "Group" type is to allow the service provider to support nested
      groups.  Service providers MAY require clients to provide a
      non-empty value by setting the "required" attribute characteristic
      of a sub-attribute of the "members" attribute in the "Group"
      resource schema.

So the scim-for-keycloak API needs to know which type of resource should be added to the group. Keycloak supports adding both users and groups to groups, so the scim-for-keycloak API has to decide which kind of resource a member refers to. This decision is made from either the type attribute or the $ref attribute of the member, where the type attribute takes precedence over the $ref attribute.

Example with type attribute:

{
  "schemas" : [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
  "displayName" : "myGroup",
  "members" : [ {
    "value" : "e9dae6bb-7d08-4483-b00f-4bac1466728e",
    "type" : "User"
  }, {
    "value" : "63f957f9-6218-4d97-bb69-6dfcbb291166",
    "type" : "Group"
  } ]
}

The user and group with the specified IDs will be added to the group if they exist.

Example with $ref attribute:

{
  "schemas" : [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
  "displayName" : "myGroup",
  "members" : [ {
    "value" : "e9dae6bb-7d08-4483-b00f-4bac1466728e",
    "$ref" : "http://localhost/scim/v2/Users/e9dae6bb-7d08-4483-b00f-4bac1466728e"
  }, {
    "value" : "63f957f9-6218-4d97-bb69-6dfcbb291166",
    "$ref" : "http://localhost/scim/v2/Groups/63f957f9-6218-4d97-bb69-6dfcbb291166"
  } ]
}

The user and group with the IDs specified in the value attribute will be added to the group if they exist. The ID contained in the $ref attribute is ignored. The resource type is determined by the path part "/Users/${followed by an id}" or "/Groups/${followed by an id}".

Example with both type and $ref attribute:

{
  "schemas" : [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
  "displayName" : "myGroup",
  "members" : [ {
    "value" : "e9dae6bb-7d08-4483-b00f-4bac1466728e",
    "type" : "User",
    "$ref" : "http://localhost/scim/v2/Users/e9dae6bb-7d08-4483-b00f-4bac1466728e"
  }, {
    "value" : "63f957f9-6218-4d97-bb69-6dfcbb291166",
    "type" : "Group",
    "$ref" : "http://localhost/scim/v2/Groups/63f957f9-6218-4d97-bb69-6dfcbb291166"
  } ]
}

In this case the $ref attribute is ignored completely and the type attribute alone determines the resource type that is added as a member.
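Putting the three rules above together, here is an added example (not scim-for-keycloak's own code) of a client-side pre-flight check in Python: it resolves each member the way this page describes and reports the inconsistencies the server would otherwise silently ignore, so a mismatched member does not end up in the wrong group unnoticed. The regular expression used for the "/Users/<id>" and "/Groups/<id>" match, the rejection of other type values and the handling of members that carry neither attribute are assumptions of this example.

```python
import json
import re
from urllib.parse import urlparse

# Assumed pattern for the "/Users/<id>" or "/Groups/<id>" path part from which
# scim-for-keycloak derives the resource type of a member's "$ref".
_REF_PATH = re.compile(r"/(Users|Groups)/([^/?#]+)/?$")
_TYPE_BY_SEGMENT = {"Users": "User", "Groups": "Group"}


def resolve_member(member):
    """Return (resource_type, member_id, warnings) for one "members" entry.

    Rules from the wiki page: an explicit "type" wins over "$ref", and the id
    always comes from "value" (the id embedded in "$ref" is ignored).
    """
    warnings = []
    member_id = member.get("value")
    if not member_id:
        raise ValueError("member without 'value': nothing to add")

    ref_type = ref_id = None
    ref = member.get("$ref")
    if ref:
        match = _REF_PATH.search(urlparse(ref).path)
        if match:
            ref_type, ref_id = _TYPE_BY_SEGMENT[match.group(1)], match.group(2)
        else:
            warnings.append(f"$ref {ref!r} has no /Users/<id> or /Groups/<id> path")

    explicit_type = member.get("type")
    if explicit_type is not None:
        if explicit_type not in ("User", "Group"):  # assumption: only these two
            raise ValueError(f"unsupported member type {explicit_type!r}")
        if ref_type is not None and ref_type != explicit_type:
            warnings.append(f"type {explicit_type!r} contradicts $ref type {ref_type!r}; $ref is ignored")
        resource_type = explicit_type
    elif ref_type is not None:
        resource_type = ref_type
    else:  # assumption: the page documents no third way to resolve the type
        raise ValueError(f"member {member_id!r} has neither 'type' nor a usable '$ref'")

    if ref_id is not None and ref_id != member_id:
        warnings.append(f"$ref id {ref_id!r} differs from value {member_id!r}; value is used")
    return resource_type, member_id, warnings


def resolve_members(group_json):
    """Resolve every member of a serialized Group resource."""
    return [resolve_member(m) for m in json.loads(group_json).get("members", [])]
```

Run `resolve_members()` over the request body before sending it and treat any non-empty warning list as a reason to fix the member entry rather than rely on the server's precedence rules.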