
I'm testing my SCIM implementation as a Service provider. I saw that Okta and JumpCloud send a PATCH request with the attribute «id» for the operation «replace»:

PATCH /Groups/3322
{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "replace",
            "value": {
                "id": "3322",
                "displayName": "Test"
            }
        }
    ]
}

The SCIM specification says:

It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests.  The value of the "id" attribute is always issued by the service provider and MUST NOT be specified by the client.

https://www.rfc-editor.org/rfc/rfc7643#section-3.1

Even if it's the same value, I return "400 Bad Request", because "ID" is supposed to be read-only. Should I just ignore the attribute "id"? Is it a valid request?

I expect links that explain if it's valid or not.

1 Answer


https://datatracker.ietf.org/doc/html/rfc7644#page-34

Each operation against an attribute MUST be compatible with the attribute's mutability and schema as defined in Sections 2.2 and 2.3 of [RFC7643]. For example, a client MUST NOT modify an attribute that has mutability "readOnly" or "immutable". However, a client MAY "add" a value to an "immutable" attribute if the attribute had no previous value. An operation that is not compatible with an attribute's mutability or schema SHALL return the appropriate HTTP response status code and a JSON detail error response as defined in Section 3.12.

Zollnerd
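One way a service provider could apply the rule quoted in the answer, as an added example that is not part of the original question or answer. It reads the quoted text strictly, so any operation that targets a "readOnly" attribute is rejected with the Section 3.12 error body; the `MUTABILITY` map is a constructed, partial table, and the function names and path handling are assumptions.

```python
# Added example: check a SCIM PatchOp against attribute mutability (RFC 7644, 3.5.2).
# MUTABILITY is a constructed, partial map for a Group resource, not a full schema.
MUTABILITY = {"id": "readOnly", "meta": "readOnly", "externalId": "readWrite",
              "displayName": "readWrite", "members": "readWrite"}
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# The request body shown in the question.
SAMPLE = {"schemas": [PATCH_SCHEMA],
          "Operations": [{"op": "replace",
                          "value": {"id": "3322", "displayName": "Test"}}]}


def scim_error(status, scim_type, detail):
    """Build the JSON error body of RFC 7644 section 3.12 (status is a string)."""
    return {"schemas": [ERROR_SCHEMA], "status": str(status),
            "scimType": scim_type, "detail": detail}


def targeted_attributes(operation):
    """Top-level attribute names an operation touches, with or without a path."""
    path = operation.get("path")
    if path:
        # Simplification: drops value filters and sub-attributes; URN-prefixed
        # paths are not handled here.
        return [path.split("[")[0].split(".")[0]]
    value = operation.get("value")
    return list(value) if isinstance(value, dict) else []


def check_patch(body, current, schema=MUTABILITY):
    """Return None if every operation is compatible, else a 3.12 error body."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        return scim_error(400, "invalidSyntax", "not a PatchOp message")
    for operation in body.get("Operations", []):
        op = str(operation.get("op", "")).lower()
        for name in targeted_attributes(operation):
            # Assumption: attributes missing from the map are treated as readWrite.
            mutability = schema.get(name, "readWrite")
            if mutability == "readOnly":
                return scim_error(400, "mutability", f"'{name}' is readOnly")
            # "add" to an immutable attribute is allowed only with no previous value.
            if mutability == "immutable" and (op != "add" or current.get(name) is not None):
                return scim_error(400, "mutability", f"'{name}' is immutable")
    return None


if __name__ == "__main__":
    print(check_patch(SAMPLE, {"id": "3322", "displayName": "Old"}))
```
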