[Bug]: SCIM Client cannot call FusionAuth using EnterpriseUser Schema on JSON PATCH #2667

Closed
jobannon opened this issue Mar 1, 2024 · 1 comment
Labels
bug Something isn't working

jobannon commented Mar 1, 2024

What happened?

  1. Create a SCIM connection from AzureAD to FusionAuth. In this case, FusionAuth is the SCIM server and AzureAD is the SCIM client.
  2. For testing purposes, it is most efficient to provision a user from Azure into FusionAuth. Use the default lambdas and converters that ship with FusionAuth.
  3. See that a new user is created in FusionAuth from the SCIM integration. In my test of this, the user was not created with any enterprise user information. A department was later added to the user, which caused FusionAuth to throw an exception.
  4. Go back to your AzureAD enterprise application and add a department field to the user. This meta information only lives in the SCIM enterprise user schema; however, it's possible that any EnterpriseUser attribute could cause this behavior.
  5. Instruct AzureAD to update the user into any SCIM servers that might be listening.
  6. See that AzureAD attempts to provision the updated department information, but fails when FusionAuth returns a 500 error.
  7. This is the error that is printed to the FusionAuth logs:
2024-03-01 06:18:40.026 PM ERROR org.primeframework.mvc.PrimeMVCRequestHandler - Error encountered
org.primeframework.mvc.PrimeException: The @JSONResponse field [response] in the action [class io.fusionauth.app.action.api.scim.resource.v2.UsersAction] is null. It cannot be null!
        at org.primeframework.mvc.action.result.JSONResult.execute(JSONResult.java:106)
        at org.primeframework.mvc.action.result.JSONResult.execute(JSONResult.java:55)
        at org.primeframework.mvc.action.result.DefaultResultInvocationWorkflow.perform(DefaultResultInvocationWorkflow.java:105)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:50)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.scope.DefaultScopeStorageWorkflow.perform(DefaultScopeStorageWorkflow.java:60)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.workflow.DefaultErrorWorkflow.perform(DefaultErrorWorkflow.java:44)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.workflow.DefaultMVCWorkflow.perform(DefaultMVCWorkflow.java:119)
        at org.primeframework.mvc.PrimeMVCRequestHandler.handle(PrimeMVCRequestHandler.java:73)
        at io.fusionauth.http.server.HTTPWorker.run(HTTPWorker.java:50)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.base/java.lang.Thread.run(Thread.java:833)

Also, notice that, at least for that moment, the user is not updated in FusionAuth with the new department value (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department) that the enterprise user was assigned.

Version

Latest - 1.48.3

Affects Versions

No response

Additional context

Release notes

SCIM PATCH requests fail when adding a new field that is namespaced under a previously nonexistent extension schema.

@jobannon jobannon added the bug Something isn't working label Mar 1, 2024
@jobannon jobannon added this to the 1.51.0 milestone Mar 1, 2024
@andrewpai andrewpai modified the milestones: 1.51.0, 1.50.0, 1.49.0 Mar 5, 2024
@andrewpai andrewpai added this to In progress in FusionAuth Issues Mar 6, 2024
@andrewpai andrewpai self-assigned this Mar 6, 2024
@robotdan robotdan moved this from In progress to Code complete in FusionAuth Issues Mar 6, 2024
robotdan added a commit to FusionAuth/fusionauth-site that referenced this issue Mar 6, 2024
@robotdan robotdan moved this from Code complete to Delivered in FusionAuth Issues Mar 6, 2024
@robotdan robotdan closed this as completed Mar 6, 2024
@jobannon jobannon changed the title from "[Bug]: SCIM Client cannot call FusionAuth using EnterpriseUser Schema on PATCH" to "[Bug]: SCIM Client cannot call FusionAuth using EnterpriseUser Schema on JSON PATCH" Apr 15, 2024
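
The failing case described in this issue, as an added example that is not FusionAuth's code and not part of the original report: a minimal SCIM PATCH handler in JavaScript that creates the extension container when a path targets a schema the user does not yet carry, and answers unsupported input with a SCIM 400 error instead of an empty response. The sample request, the user record and the helper names (`scimError`, `parsePath`, `applyPatch`) are constructed for illustration; only `add`/`replace` operations with a simple path are handled.

```javascript
// Added example; not FusionAuth code. Covers "add"/"replace" with a simple path
// (no filters), which is the shape of the request described in the issue.
const CORE = "urn:ietf:params:scim:schemas:core:2.0:User";
const ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User";
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Constructed sample request: sets department on a user with no enterprise data yet.
const samplePatch = {
  schemas: ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  Operations: [{ op: "Add", path: `${ENTERPRISE}:department`, value: "Engineering" }],
};

function scimError(status, scimType, detail) {
  return Object.assign(new Error(detail), { status, scimType });
}

// Schema URNs contain colons, so the attribute is the text after the last colon.
function parsePath(path) {
  if (!/^urn:/i.test(path)) return { schema: null, attr: path };
  const i = path.lastIndexOf(":");
  return { schema: path.slice(0, i), attr: path.slice(i + 1) };
}

function applyPatch(resource, patch) {
  const out = JSON.parse(JSON.stringify(resource)); // never mutate the stored copy
  for (const { op, path, value } of patch.Operations) {
    const verb = String(op).toLowerCase(); // tolerate "Add" as well as "add"
    if (verb !== "add" && verb !== "replace")
      throw scimError(400, "invalidSyntax", `unsupported op: ${op}`);
    if (typeof path !== "string" || /[\[\]]/.test(path))
      throw scimError(400, "invalidPath", "only simple paths are handled here");
    const { schema, attr } = parsePath(path);
    const keys = attr.split(".");
    // The path is client-controlled: refuse keys that would reach the prototype chain.
    if (keys.some((k) => k === "" || FORBIDDEN.has(k)))
      throw scimError(400, "invalidPath", `bad attribute in path: ${path}`);
    let target = out;
    if (schema && schema !== CORE) {
      // The failing case: the extension container does not exist on the user yet.
      if (typeof out[schema] !== "object" || out[schema] === null) out[schema] = {};
      if (!out.schemas.includes(schema)) out.schemas.push(schema);
      target = out[schema];
    }
    for (const k of keys.slice(0, -1)) target = target[k] ??= {};
    target[keys[keys.length - 1]] = value;
  }
  return out;
}
```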