Fix SCIM filter to ensure we can always return an exact match when using userName eq "user@example.com" #2455

Closed
robotdan opened this issue Sep 7, 2023 · 1 comment

robotdan commented Sep 7, 2023

Description

We are currently converting the SCIM filter parameter to an Elasticsearch query string. Because we index the username field as text, the value is tokenized, and as such we cannot perform an exact match unless we also tokenize the input to match all tokens generated by Elasticsearch.

For example, if you have a user with an email of erlich.bachman@piedpiper.com and a separate user with a username of erlich.bachman, then the SCIM filter query userName eq "erlich.bachman@piedpiper.com" would return both users.

The reason for this is that this SCIM filter is translated to email:"erlich.bachman@piedpiper.com" OR username:"erlich.bachman@piedpiper.com".

Because Elasticsearch has tokenized the username field, there are two tokens: erlich and bachman. The input to this query is then also tokenized, and the query username:"erlich.bachman@piedpiper.com" ends up matching the second user with a username of erlich.bachman.

One option is to add a sub term on the username field in the index so we can optionally use a keyword search.

A common pattern is to add this config, and then username.exact would be the field to use if you want an exact match instead of a general text search.

The current Elasticsearch schema for the username field is:

  "username": {
    "type": "text",
    "fielddata": true
  }

The modification would look like this:

  "username": {
    "type": "text",
    "fielddata": true,
    "fields": {
      "exact": {
        "type": "keyword"
      }
    }
  }

Tasks

  • Mention re-index in the release notes. Only those that require this change should re-index, or if you do re-index you should be aware of the system impact.

Related

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

@robotdan robotdan added the SCIM label Sep 7, 2023
@robotdan robotdan modified the milestones: 1.48.0, 1.49.0 Oct 19, 2023
@robotdan robotdan self-assigned this Oct 19, 2023
@robotdan robotdan added this to In progress in FusionAuth Issues Oct 19, 2023
@robotdan robotdan moved this from In progress to Code complete in FusionAuth Issues Jan 23, 2024
@robotdan robotdan moved this from Code complete to Delivered in FusionAuth Issues Jan 26, 2024
@robotdan robotdan added the bug Something isn't working label Mar 7, 2024
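
A client-side check for the failure described in this issue, added here as an example and not FusionAuth's or the issue author's code: a provisioning client that looks a user up with userName eq can confirm that the returned resources really satisfy the filter before it updates or deactivates anything. The response body and ids are constructed, and the function and exception names are hypothetical.

```python
import json

# Constructed SCIM ListResponse modelled on the issue's scenario: a
# tokenized search for userName eq "erlich.bachman@piedpiper.com" also
# returned the user whose userName is "erlich.bachman".
SAMPLE_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"id": "constructed-id-1", "userName": "erlich.bachman@piedpiper.com"},
        {"id": "constructed-id-2", "userName": "erlich.bachman"},
    ],
})


class AmbiguousMatch(Exception):
    """More than one resource has exactly the requested userName."""


def exact_username_match(list_response_json, requested):
    """Return (match, spurious_ids) for a userName eq lookup.

    match is the single resource whose userName equals `requested`, or None.
    spurious_ids lists returned resources that do not satisfy the filter.
    """
    body = json.loads(list_response_json)
    # RFC 7643 defines userName as caseExact: false, so compare case-insensitively.
    wanted = requested.casefold()
    exact, spurious = [], []
    for res in body.get("Resources", []):
        name = res.get("userName")
        if isinstance(name, str) and name.casefold() == wanted:
            exact.append(res)
        else:
            spurious.append(res.get("id"))
    if len(exact) > 1:
        raise AmbiguousMatch(requested)
    return (exact[0] if exact else None), spurious


if __name__ == "__main__":
    match, spurious = exact_username_match(
        SAMPLE_RESPONSE, "Erlich.Bachman@PiedPiper.com")
    print("act on:", match["id"], "| ignore and log:", spurious)
```

A non-empty spurious list is worth logging, since it indicates the server is returning results that do not meet the eq filter.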