SCIM Group POST and PUT member changes are hardcoded to only support Okta #2919

obrienmd opened this issue May 10, 2023 · 3 comments · May be fixed by #5231
obrienmd commented May 10, 2023

Steps To Reproduce

  1. In Bitwarden, set up a SCIM provider that isn't Okta
  2. The SCIM provider sends a group PUT request with "Members"
  3. In Bitwarden, the "Members" bit is ignored because of:
    if (_scimContext.RequestScimProvider != ScimProviderType.Okta)

The initial POST has a similar issue.

It's possible that PATCH works, but the SCIM provider I'm using scans the SCIM endpoint for metadata on setup, and only uses PATCH for those providers that explicitly support it. It appears Bitwarden doesn't host metadata at the endpoint.

Expected Result

Both POST of a new group and PUT updates of a group would update membership.

Actual Result

Both POST of a new group and PUT updates of a group do not update membership.

Screenshots or Videos

No response

Additional Context

No response

Build Version

2023.4.3

Environment

Self-Hosted

Environment Details

OS: Docker host is Ubuntu 22.04
Environment: Docker self-hosted:beta and :dev
Hardware: VM on Epyc 7402 ~64GB allocated mem ~1TB allocated NVMe

Issue Tracking Info

  • I understand that work is tracked outside of GitHub. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@obrienmd obrienmd added the bug label May 10, 2023
Member

Krychaz commented May 10, 2023

Hello there,

It does indeed look like something worth taking a look at. I will pass this to our QA team.

Member

eliykat commented May 10, 2023

As far as I can tell from the commit history, we support these operations primarily via the PATCH operation (which you've already spotted), and PUT/POST were only added to support Okta. Our other supported providers don't appear to use them.

That said, I'm not sure that we need to actively block the endpoint for other providers if they want to use it.

I'm not familiar with endpoint metadata, are you referring to the schemas endpoint? That seems like a helpful thing for us to add. I'll pass your feedback on to the team.

@obrienmd
Author

Right - I'd love the option. I know it's commonly a PATCH op, and with ServiceProviderConfig, I think Authentik would likely use PATCH.

Re: the metadata endpoint, see Section 4 of SCIM RFC: https://datatracker.ietf.org/doc/html/rfc7644#section-4. ServiceProviderConfig is what I'm talking about here - it will explicitly tell SCIM clients that you support things like PATCH, which is an optional part of the spec (though, as you said, widely used and assumed).
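
The client-side decision discussed in this thread, as an added example that is not part of any comment above and is not Bitwarden's or any SCIM provider's code: a SCIM client reads ServiceProviderConfig (RFC 7644 section 4) and uses PATCH only when the server advertises it, otherwise falling back to a full PUT that carries `members`. The function names, group and user IDs, and the sample ServiceProviderConfig document are constructed for illustration.

```python
import json

SPC_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: body of GET /ServiceProviderConfig from a server that supports PATCH.
SAMPLE_SPC = json.dumps({"schemas": [SPC_SCHEMA], "patch": {"supported": True}})


def patch_supported(spc_body):
    """True only when the server explicitly advertises PATCH support.

    spc_body is the raw response body, or None when the endpoint is not
    hosted (for example a 404). Anything unparseable counts as "no".
    """
    if not spc_body:
        return False
    try:
        doc = json.loads(spc_body)
    except ValueError:
        return False
    schemas = doc.get("schemas") if isinstance(doc, dict) else None
    if not isinstance(schemas, list) or SPC_SCHEMA not in schemas:
        return False
    patch = doc.get("patch")
    return isinstance(patch, dict) and patch.get("supported") is True


def plan_membership_sync(spc_body, group_id, display_name, current, desired):
    """Return (method, path, body) that moves the group's members to `desired`."""
    path = f"/Groups/{group_id}"
    if patch_supported(spc_body):
        ops = []
        added = sorted(set(desired) - set(current))
        if added:
            ops.append({"op": "add", "path": "members",
                        "value": [{"value": m} for m in added]})
        for m in sorted(set(current) - set(desired)):
            ops.append({"op": "remove", "path": f'members[value eq "{m}"]'})
        return "PATCH", path, {"schemas": [PATCH_SCHEMA], "Operations": ops}
    # No advertised PATCH support: replace the whole Group, members included.
    # A server that ignores "members" on PUT leaves membership unchanged here.
    body = {"schemas": [GROUP_SCHEMA], "id": group_id, "displayName": display_name,
            "members": [{"value": m} for m in sorted(desired)]}
    return "PUT", path, body


if __name__ == "__main__":
    for spc in (SAMPLE_SPC, None):  # advertised PATCH vs. no metadata endpoint
        print(plan_membership_sync(spc, "g1", "Engineering", ["u1", "u2"], ["u2", "u3"]))
```

When the PUT branch is taken against a server that drops `members`, removals never reach the target, so comparing a follow-up GET of the group against `desired` is the check that exposes the drift.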
