Non descriptive error message for SCIM Roles v2 patch operation #20334

Closed
Yasasr1 opened this issue May 7, 2024 · 1 comment · Fixed by wso2-extensions/identity-inbound-provisioning-scim2#559

Yasasr1 commented May 7, 2024

Describe the issue:
The following PATCH request was sent to remove a group assigned to a specific role:

curl --location --request PATCH 'https://localhost:9443/t/carbon.super/scim2/v2/Roles/985b6750-0290-412e-a8ca-9e3256ea65d5' \
--header 'Access-Control-Allow-Origin: https://localhost:9443/t/carbon.super/console' \
--header 'Accept: application/json, text/plain, */*' \
--header 'Referer;' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--header 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36' \
--header 'Content-Type: application/json' \
--data-raw '{
    "Operations": [
        {
            "op": "remove",
            "path": "groups[display eq PRIMARY/testGroup]"
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ]
}'

The following error response was received for this request:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "scimType": "Error while resolving the group name for the given group Ids in the tenantDomain: carbon.super",
    "detail": "Request is unparsable, syntactically incorrect, or violates schema.",
    "status": "400"
}

The above group testGroup is an existing group in the IS. According to the implementation [1], this operation only supports resolving the group by group ID from the value in the request, e.g.:

{
    "op": "remove",
    "path": "groups[value eq gfllt84e-9fhfkd-670-hfj45-947216]"
}

So when the group display name is sent in the request, a proper error message should be displayed that describes the issue correctly. Also, scimType should not contain the error description and, according to the spec [2], should contain one of the given values.

[1] - https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/master/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMRoleManagerV2.java#L1219
[2] - https://datatracker.ietf.org/doc/html/rfc7644#:~:text=Table%209%3A%20SCIM%20Detail%20Error%20Keyword%20Values

How to reproduce:
Try to remove a group assigned to a role with the above patch request

Expected behavior:
A more descriptive error message should be displayed, and it should be in the format specified in the specification.

Environment information :

  • Product Version: IS 7.0
  • OS: Mac
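An added example, not part of the original issue or the WSO2 code base: a client-side check that flags a SCIM error body whose scimType is not one of the RFC 7644 Table 9 keywords, run over the response reported above. The function name, the CONFORMANT sample, and the keyword and detail text chosen in it are assumptions made for illustration, not what the linked fix returns.

```python
import json

# scimType keywords from RFC 7644, Section 3.12, Table 9.
SCIM_TYPE_KEYWORDS = frozenset({
    "invalidFilter", "tooMany", "uniqueness", "mutability", "invalidSyntax",
    "invalidPath", "noTarget", "invalidValue", "invalidVers", "sensitive",
})
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# The error body reported in this issue.
REPORTED = """{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
  "scimType": "Error while resolving the group name for the given group Ids in the tenantDomain: carbon.super",
  "detail": "Request is unparsable, syntactically incorrect, or violates schema.",
  "status": "400"
}"""

# Constructed sample of a conformant body; keyword and detail are assumptions.
CONFORMANT = """{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
  "scimType": "invalidPath",
  "detail": "Only a group ID filter (value eq) is supported when removing groups.",
  "status": "400"
}"""


def check_scim_error(body, http_status):
    """Return the list of RFC 7644 conformance problems in a SCIM error body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]
    problems = []
    schemas = doc.get("schemas")
    if not isinstance(schemas, list) or ERROR_SCHEMA not in schemas:
        problems.append("schemas does not include the Error URN")
    if doc.get("status") != str(http_status):
        problems.append("status is not the HTTP status code as a string")
    scim_type = doc.get("scimType")  # optional, but restricted when present
    if scim_type is not None and (
            not isinstance(scim_type, str) or scim_type not in SCIM_TYPE_KEYWORDS):
        problems.append("scimType is not a Table 9 keyword: %r" % (scim_type,))
    return problems


if __name__ == "__main__":
    for name, body in (("reported", REPORTED), ("conformant", CONFORMANT)):
        print(name, check_scim_error(body, 400))
```

A check like this can sit in an API regression test so that free-text messages leaking into scimType are caught before release.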

@BimsaraBodaragama

I'm working on this issue.
