SCIM userName in PATCH operation

Question

I have implemented user provisioning/deprovisioning with SCIM like so :

users_controller.rb

class Scim::UsersController < Scim::ScimController
  before_action :set_scim_provider

  def index

    startIndex = params[:startIndex].to_i
    startIndex = 1 if startIndex < 1# if the user send a startIndex < 1, it is bad data, we don't take it.

    itemsPerPage = params[:count].to_i
  
    if itemsPerPage < 1 || itemsPerPage > @scim_provider.max_results
      itemsPerPage = @scim_provider.default_number_of_results
    end

    scim_users = @scim_provider.identity_provider.communaute_accesses.from_scim

    if params["filter"]
      parser = Scim::QueryFilter::Parser.new
      rpn_array = parser.parse(params["filter"])
      tree = parser.tree
      if tree.length == 3 and tree[0]== 'eq' and tree[1] == 'userName'
        userName = tree[2]
        scim_users = scim_users.where(provider_identifier: userName.delete('"'))
      else
        fail 'e'
      end

    end

    

    paginated_users = scim_users.order(:created_at).offset(startIndex - 1).limit(itemsPerPage)

    r = {
      "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
      "totalResults": scim_users.size,
      "Resources": paginated_users.map { |ca| @scim_provider.representation_for_user(ca) },
      "startIndex": startIndex,
      "itemsPerPage": itemsPerPage
    }

    render_json_result(r, 200)

  end

  def create
    if @scim_provider.identity_provider.communaute_accesses.from_scim.find_by(provider_identifier: @body_params['userName'])
      render_409_conflict("uniqueness")
    else
      ca = @scim_provider.identity_provider.communaute_accesses.find_by(provider_identifier: @body_params['userName'], communaute_id: @scim_provider.identity_provider.communaute.id)
      if ca.nil?
        ca = @scim_provider.identity_provider.communaute_accesses.create(provider_identifier: @body_params['userName'], communaute_id: @scim_provider.identity_provider.communaute.id)
      end
      ca.update_last_raw_value("scim", @body_string)
      ca.extract_values_from_scim
      
      ca.queue_send
    end

    render_json_result(@scim_provider.representation_for_user(ca), 201)
  end

  def show
    user = @scim_provider.identity_provider.communaute_accesses.from_scim.find_by(provider_identifier: @body_params['userName'])
    if user
      render_json_result(@scim_provider.representation_for_user(user), 200)
    else  
      render_404_not_found(params[:id])
    end
  end

  def update
    ca = @scim_provider.identity_provider.communaute_accesses.from_scim.find_by(provider_identifier: @body_params['userName'])
    uc = UserCommunaute.find_by(provider_identifier: @body_params['userName'])

    ca.update_last_raw_value("scim", @body_string)
    ca.extract_values_from_scim

    unless ca.nil?
      if ca.pending?
        ca.update_last_raw_value("scim", @body_string)
        ca.update(active: false)

        if ca.active == false 
          fail "Unable to delete this user because of activeness" if ca.active == true
          ca.destroy!
        end

        render_json_result(@scim_provider.representation_for_communaute_access_patch(ca), 200) 
      end
    end

    unless uc.nil?
      uc.update(active: @body_params['active'])
      if uc.active == false
        uc.user.communaute_accesses.from_scim.destroy_all
        uc.user.user_communautes.from_scim.destroy_all
        render_json_result(@scim_provider.representation_for_user_communaute_patch(uc), 200)
      end
    end
  end

end

Explanations:

When updating a user, SCIM sends a PATCH request like this: {"schemas"=>["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations"=>[{"op"=>"Replace", "path"=>"active", "value"=>"False"}]} (@body_params in the code)

Which is what i am expecting. But, for a while, i was receiving the userName also in the body response during the PATCH operation.

This is how I fetch the correct user in my DB.

---

Actual result: I don't receive the userName anymore when SCIM hits my update action.

---

Expected results: Being able to receive information about the user during the PATCH operation to fetch the userName and find the right user in my database.

---

I have tried almost everything. When SCIM hits the index action, which it does everytime before going anywhere else, it does return me a userName et everything ends up as a 200 OK. Then, when passing through update, it sends me nothing. What I have tried last is to isolate the userName as an instance variable in the index action to fetch it after in the update like so:

# index
...
if params["filter"]
      parser = Scim::QueryFilter::Parser.new
      rpn_array = parser.parse(params["filter"])
      tree = parser.tree
      if tree.length == 3 and tree[0]== 'eq' and tree[1] == 'userName'
        @user_name = tree[2]
        scim_users = scim_users.where(provider_identifier: @user_name.delete('"'))
      else
        fail 'e'
      end
    end
...

# update

def update
    ca = @scim_provider.identity_provider.communaute_accesses.from_scim.find_by(provider_identifier: @user_name)
    uc = UserCommunaute.find_by(provider_identifier: @user_name)

    ca.update_last_raw_value("scim", @body_string)
    ca.extract_values_from_scim
...

But, @user_name in update seems to disappear as its value is nil.

---

I am deprovisioning from Azure Active Directory and Okta in a production environment. Mapping is ok in both platforms. Provisioning is working like a charm.

Answer 1

Please refer to https://developer.okta.com/docs/reference/scim/scim-20/#update-a-specific-user-patch for PATCH /Users/{userId}. Could you not make use of the userId in the url to identify the user ?