idnits 2.17.1 draft-hunt-idevent-scim-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 4 instances of too long lines in the document, the longest one being 3 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 20, 2016) is 2957 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Hunt, Ed. 3 Internet-Draft Oracle 4 Intended status: Standards Track W. Denniss 5 Expires: September 21, 2016 Google 6 M. Ansari 7 Cisco 8 March 20, 2016 10 SCIM Event Extension 11 draft-hunt-idevent-scim-00 13 Abstract 15 This specification profiles the Identity Event Token specification to 16 define a set of identity events to be used with SCIM. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on September 21, 2016. 35 Copyright Notice 37 Copyright (c) 2016 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 2 53 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 2 54 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 55 2. SCIM Events . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 2.1. Common Event Attributes . . . . . . . . . . . . . . . . . 3 57 2.2. Disclosure Profiles . . . . . . . . . . . . . . . . . . . 4 58 2.3. SCIM Events . . . . . . . . . . . . . . . . . . . . . . . 4 59 2.3.1. urn:ietf:params:event:SCIM:add . . . . . . . . . . . 4 60 2.3.2. urn:ietf:params:event:SCIM:create . . . . . . . . . . 5 61 2.3.3. urn:ietf:params:event:SCIM:activate . . . . . . . . . 7 62 2.3.4. urn:ietf:params:event:SCIM:modify . . . . . . . . . . 8 63 2.3.5. urn:ietf:params:event:SCIM:deactivate . . . . . . . . 8 64 2.3.6. urn:ietf:params:event:SCIM:delete . . . . . . . . . . 8 65 2.3.7. urn:ietf:params:event:SCIM:remove . . . . . . . . . . 9 66 2.3.8. urn:ietf:params:event:SCIM:password . . . . . . . . . 9 67 3. Security Considerations . . . . . . . . . . . . . . . . . . . 11 68 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 69 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 70 5.1. Normative References . . . . . . . . . . . . . . . . . . 12 71 5.2. Informative References . . . . . . . . . . . . . . . . . 13 72 Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 13 73 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 13 74 Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 13 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 77 1. Introduction and Overview 79 This specification profiles the Identity Event Token [idevent-token] 80 to define events for SCIM Protocol [RFC7644]. 82 1.1. Notational Conventions 84 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 85 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 86 document are to be interpreted as described in [RFC2119]. These 87 keywords are capitalized when used to unambiguously specify 88 requirements of the protocol or application features and behavior 89 that affect the interoperability and security of implementations. 90 When these words are not capitalized, they are meant in their 91 natural-language sense. 93 For purposes of readability examples are not URL encoded. 94 Implementers MUST percent encode URLs as described in Section 2.1 of 95 [RFC3986]. 97 Throughout this documents all figures MAY contain spaces and extra 98 line-wrapping for readability and space limitations. Similarly, some 99 URI's contained within examples, have been shortened for space and 100 readability reasons. 102 1.2. Definitions 104 This specification uses definitions from the specification 105 [idevent-token]. 107 2. SCIM Events 109 SCIM events JSON objects that are encoded in JWT form as per 110 [idevent-token]. An event includes a eventUri which indicates the 111 type of event and the event specific attributes. An event also 112 includes standard JWT attributes "iss", "aud", "jti", and "iat" which 113 indicates the event publisher (issuer), the the event feeds 114 (audience), a token identifier, and the date of issue (iat). 116 2.1. Common Event Attributes 118 The following attributes are defined for all events defined in 119 Section 2.3 or any schema defined within the uri namespace 120 "urn:ietf:params:events:SCIM". 122 id 123 An optional multi-valued SCIM "id" value of the affected 124 resource(s) as defined in Section 3.1 [RFC7643]. If provided the 125 identifiers MUST correspond to the values referenced in 126 "resourceUris". 128 attributes 129 A multi-valued list of affected SCIM attributes. Each attribute 130 listed may be a fully-qualified attribute name or an attribute 131 "path" as defined in Figure 7 of Section 3.3.2 of [RFC7644] 133 values 134 A JSON object structure containing the affected attributes and 135 their associated values. If the "values" attribute is supplied, 136 the event message MUST be encrypted. Service providers SHOULD 137 take care to ensure that eligible subscribers are able to see 138 attribute values. Alternatively, subscribers MAY use the 139 resourceURIs to retrieve the final attribute values. When doing 140 so, the SCIM service provider can then assess the subscribers 141 right to obtain the actual attribute values. 143 For a password change event, in maximal disclosure mode ( see 144 Section 2.2), the clear text password attribute value MAY be 145 included in the values"values" attribute. 147 2.2. Disclosure Profiles 149 SCIM events are intended to disclose the minimum amount of 150 information required to provide co-ordination between asynchronous 151 systems. This has the effect of eliminating most error signaling 152 conditions and simplifies privacy and security considerations. 154 For each event type, the following levels of disclosure are defined, 155 for which different security considerations may apply: 157 Minimal 158 In general, the main information content is the event description 159 itself. The event contents typically includes only REQUIRED 160 attributes. Because no data content is exchanged, encryption of 161 the event message is not required. 163 Default 164 In general the default information is exchanged. This includes 165 the "sub" attribute and a list of affected SCIM attributes. 166 Typically attribute values are not provided. Encryption of the 167 event message is typically not required unless otherwise stated. 169 Maximal 170 In maximal mode, all data involved in the state change is 171 exchanged. To prevent leakage of information, implementers SHOULD 172 encrypt events that convey attributes about resources. This 173 profile should typically be used when co-ordinating information 174 between tightly-coupled systems that are part of a common 175 administrative domain. 177 In the case of "minimal" and "default" disclosures, a subscriber MAY 178 use a follow-up SCIM GET (see Section 3.4 [RFC7644] to obtain the 179 current state of the resource (sub) following the event. While this 180 may be seen as costly (as a second call), using SCIM GET enables 181 simpler error signalling, access control, distribution enforcement by 182 the event publisher. 184 2.3. SCIM Events 186 2.3.1. urn:ietf:params:event:SCIM:add 187 The specified resource URI was added to the feed. An add does not 188 indicate a resource is new or has been recently created. For 189 example, an existing user has had a new role (e.g. CRM_User) added 190 to their profile which has caused their resource to join a feed. 192 The following is an example of a minimal disclosure Add Event 193 message(it has been modified for readability): 195 { 196 "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", 197 "eventUris":[ 198 "urn:ietf:params:event:SCIM:add" 199 ], 200 "iat": 1458505044, 201 "iss":"https://scim.example.com", 202 "aud":[ 203 "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" 204 ], 205 "sub": "https://scim.example.com/Users/2b2f880af6674ac284bae9381673d462", 206 } 208 Figure 1: Example SCIM Add Event 210 2.3.2. urn:ietf:params:event:SCIM:create 211 The new resource URI has been created at the service provider and has 212 been added to the feed. When a CREATE event is sent, a corresponding 213 ADD event is not issued. In "minimal" disclosure mode, event 214 specific data is returned. In "default" disclosure, the "attributes" 215 attribute is returned disclosing what attributes were created at the 216 publisher. In "maximal" disclosure mode, set of values reflecting 217 the final state of the resource at the service provider are provided 218 in the "values" attribute and MUST be encrypted as a JWE (see 219 [idevent-token]). 221 The following is an example SCIM Create event message(it has been 222 modified for readability) and uses maximal disclosure: 224 { 225 "jti": "4d3559ec67504aaba65d40b0363faad8", 226 "eventUris":[ 227 "urn:ietf:params:event:SCIM:create" 228 ], 229 "iat": 1458496404, 230 "iss":"https://scim.example.com", 231 "aud":[ 232 "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754", 233 "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7" 234 ], 235 "sub": "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9", 236 "urn:ietf:params:event:SCIM:create":{ 237 "attributes":["id","name","userName","password","emails"], 238 "values":{ 239 "emails":[ 240 {"type":"work","value":"jdoe@example.com"} 241 ], 242 "password":"not4u2no", 243 "userName":"jdoe", 244 "id":"44f6142df96bd6ab61e7521d9", 245 "name":{ 246 "givenName":"John", 247 "familyName":"Doe" 248 } 249 } 250 } 251 } 253 Figure 2: Example SCIM Create Event (Maximal Disclosure) 255 In the above example, the user "jdoe" is created with values an email 256 address, an initial password, and a name. Note that when raw data is 257 sent, it is advisable to protect the event using JWE (see Section 2.2 258 [idevent-token]). 260 The following is an example SCIM Create event message(it has been 261 modified for readability) and uses default disclosure: 263 { 264 "jti": "4d3559ec67504aaba65d40b0363faad8", 265 "eventUris":[ 266 "urn:ietf:params:event:SCIM:create" 267 ], 268 "iat": 1458496404, 269 "iss":"https://scim.example.com", 270 "aud":[ 271 "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754", 272 "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7" 273 ], 274 "sub": "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9", 275 "urn:ietf:params:event:SCIM:create":{ 276 "attributes":["id","name","userName","password","emails"], 277 } 278 } 280 The event above notifies the subscriber which attributes are 281 available from the SCIM event publisher, but does not convey the 282 actual information. The subscriber MAY retrieve that information by 283 performing a SCIM GET to the "sub" value specified. 285 Figure 3: Example SCIM Create Event (Default Disclosure) 287 2.3.3. urn:ietf:params:event:SCIM:activate 288 The specified resource (e.g. User) has been activated. This 289 optional event is used to indicate a high-level change in state as 290 agreed between the publisher and subscriber. For example, an 291 activated resource is one that can now have an active session (may 292 log in) from a security perspective (may log in). Typically this 293 event discloses only minimal information. 295 The following is an example of a minimal disclosure Activate Event 296 message(it has been modified for readability): 298 { 299 "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", 300 "eventUris":[ 301 "urn:ietf:params:event:SCIM:activate" 302 ], 303 "iat": 1458505044, 304 "iss":"https://scim.example.com", 305 "aud":[ 306 "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" 307 ], 308 "sub": "https://scim.example.com/Users/2b2f880af6674ac284bae9381673d462", 309 } 311 Figure 4: Example SCIM Activate Event 313 2.3.4. urn:ietf:params:event:SCIM:modify 314 The specified resource has been updated (e.g. one or more attributes 315 has changed). As with the create event, this event MAY be expressed 316 in minimal, default, and maximal modes. 318 2.3.5. urn:ietf:params:event:SCIM:deactivate 319 The specified resource (e.g. User) has been deactivated and 320 disabled. The exact meaning must be agreed to by a SCIM publisher 321 and its corresponding subscriber. Typically this means the sub may 322 no longer have an active security session. As with the activate 323 event, this event has minimal disclosure requirements. 325 2.3.6. urn:ietf:params:event:SCIM:delete 326 The specified resource has been deleted from the SCIM publisher. The 327 resource is also removed from the feed. When a DELETE is sent, a 328 corresponding REMOVE is not issued. A delete event has minimal 329 disclosure profile only. 331 The following is an example of a minimal disclosure Delete Event 332 message(it has been modified for readability): 334 { 335 "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", 336 "eventUris":[ 337 "urn:ietf:params:event:SCIM:delete" 338 ], 339 "iat": 1458505044, 340 "iss":"https://scim.example.com", 341 "aud":[ 342 "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" 343 ], 344 "sub": "https://scim.example.com/Users/2b2f880af6674ac284bae9381673d462", 345 } 347 Figure 5: Example SCIM Delete Event 349 2.3.7. urn:ietf:params:event:SCIM:remove 350 The specified resource has been removed from the feed. Removal does 351 not indicate that the resource was deleted or otherwise deactivated. 352 This event has minimal disclosure. 354 The following is an example of a minimal disclosure Remove Event 355 message(it has been modified for readability): 357 { 358 "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", 359 "eventUris":[ 360 "urn:ietf:params:event:SCIM:remove" 361 ], 362 "iat": 1458505044, 363 "iss":"https://scim.example.com", 364 "aud":[ 365 "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" 366 ], 367 "sub": "https://scim.example.com/Users/2b2f880af6674ac284bae9381673d462", 368 } 370 Figure 6: Example SCIM Remove Event 372 2.3.8. urn:ietf:params:event:SCIM:password 373 The specified resource (e.g. User) has changed its password or the 374 password has been reset. When the password has changed, the 375 "attributes" attribute is supplied with the value "password". 377 The following is a non-normative example showing a password change 378 event using minimal disclosure: 380 { 381 "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30", 382 "eventUris":[ 383 "urn:ietf:params:event:SCIM:password" 384 ], 385 "iat": 1458496025, 386 "iss": "https://scim.example.com", 387 "aud":[ 388 "https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754", 389 "https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7" 390 ], 391 "sub": 392 "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9", 393 } 395 Figure 7: Example SCIM Password Change Event 397 The password event MAY be extended to conveys a password reset, the 398 event MAY include an additional eventUri value of 399 "urn:ietf:params:event:extension:example.com:password" which includes 400 the attribute "resetAttempts". "resetAttempts" indicates the current 401 number of reset attempts since the last successful login by the 402 subject. 404 The following is a non-normative example showing a password reset 405 event: 407 { 408 "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30", 409 "eventUris":[ 410 "urn:ietf:params:event:SCIM:password", 411 "urn:ietf:params:event:extension:example.com:password" 412 ], 413 "iat": 1458496025, 414 "iss": "https://scim.example.com", 415 "aud":[ 416 "https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754", 417 "https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7" 418 ], 419 "sub": 420 "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9", 421 "urn:ietf:params:event:SCIM:password":{ 422 "id":"44f6142df96bd6ab61e7521d9", 423 }, 424 "urn:ietf:params:event:extension:example.com:password":{ 425 "resetAttempts":4 426 } 427 } 429 Figure 8: Example SCIM Password Reset Event 431 3. Security Considerations 433 [[TO BE COMPLETED]] 435 4. IANA Considerations 437 This section registers the schema extensions found in Section 2.3 in 438 the "Event" registry as per Section 4.2 [idevent-token]. 440 Schema URI: See Section 2.3. 442 Schema Name: See corresponding names under Section 2.3. 444 Intented ResourceType: N/A. Events are not intended to be persisted 445 in SCIM. 447 Purpose: See each description in Section 2.3. 449 Single-valued Attributes: None. 451 Multi-valued Attributes: All schemas in this specification share the 452 same attributes. See Section 2.1. 454 Summary of schema URI registrations: 456 +---------------------------------------+-------------+-------------+ 457 | Schema URI | Name | Reference | 458 +---------------------------------------+-------------+-------------+ 459 | urn:ietf:params:event:SCIM:add | Resource | Section 2.3 | 460 | | added to | | 461 | | Feed Event | | 462 | urn:ietf:params:event:SCIM:remove | Resource | Section 2.3 | 463 | | Removal | | 464 | | From Feed | | 465 | | Event | | 466 | urn:ietf:params:event:SCIM:create | New | Section 2.3 | 467 | | Resource | | 468 | | Event | | 469 | urn:ietf:params:event:SCIM:modify | Resource | Section 2.3 | 470 | | Modified | | 471 | | Event | | 472 | urn:ietf:params:event:SCIM:delete | Resource | Section 2.3 | 473 | | Deleted | | 474 | | Event | | 475 | urn:ietf:params:event:SCIM:activate | Resource | Section 2.3 | 476 | | Activated | | 477 | | Event | | 478 | urn:ietf:params:event:SCIM:deactivate | Resource | Section 2.3 | 479 | | Deactivated | | 480 | | Event | | 481 | urn:ietf:params:event:SCIM:password | Password | Section 2.3 | 482 | | Change | | 483 | | Event | | 484 +---------------------------------------+-------------+-------------+ 486 5. References 488 5.1. Normative References 490 [idevent-subscription] 491 Oracle Corporation, "Identity Event Subscription Protocol 492 (work in progress)". 494 [idevent-token] 495 Oracle Corporation, "Identity Event Token (work in 496 progress)". 498 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 499 Requirement Levels", BCP 14, RFC 2119, 500 DOI 10.17487/RFC2119, March 1997, 501 . 503 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 504 Resource Identifier (URI): Generic Syntax", STD 66, 505 RFC 3986, DOI 10.17487/RFC3986, January 2005, 506 . 508 [RFC7643] Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C. 509 Mortimore, "System for Cross-domain Identity Management: 510 Core Schema", RFC 7643, DOI 10.17487/RFC7643, September 511 2015, . 513 5.2. Informative References 515 [RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E., 516 and C. Mortimore, "System for Cross-domain Identity 517 Management: Protocol", RFC 7644, DOI 10.17487/RFC7644, 518 September 2015, . 520 Appendix A. Contributors 522 Appendix B. Acknowledgments 524 The editor would like to thank the participants in the the SCIM 525 working group and the id-event list for their support of this 526 specification. 528 Appendix C. Change Log 530 Draft 00 - PH - First Draft 532 Authors' Addresses 534 Phil Hunt (editor) 535 Oracle Corporation 537 Email: phil.hunt@yahoo.com 539 William Denniss 540 Salesforce.com 542 Email: wdenniss@google.com 543 Morteza Ansari 544 Cisco 546 Email: morteza.ansari@cisco.com