SCIM 2.0 PATCH in WSO2 Identity Server (IS)
Find different flavors of PATCH operations under one hood
I decided to write this blog because I've seen many developers in the community struggling to form the PATCH payload properly.
RFC 7644, Section 3.5.2, "Modifying with PATCH", describes this in full detail. Here I'll present the content in such a way that you can grasp it within a few minutes.
What is SCIM PATCH?
- Optional function to support by SCIM service providers.
- Can update one or more attributes of a SCIM resource.
- Supported operations: add, replace, remove
This is the structure of a PATCH payload.
Form your PATCH request payload
You have to think of only two things.
- What type of attribute am I going to update?
- What sort of update do I want (add/ replace/ remove)?
What type of attribute am I going to update?
According to SCIM RFC 7643, there are 4 main attribute types. For more details, you can refer to "Let’s understand SCIM 2.0 — Core Schema".
- Simple Singular Attributes
- Complex Singular Attributes
- Simple Multi-Valued Attributes
- Complex Multi-Valued Attributes
What sort of update do I want (add/ replace/ remove)?
There are only three types of update operations.
- add — add a new value.
- replace — replace the existing value.
- remove — delete the existing value.
I chose Identity Server 5.11.0 for this blog. For simplicity, the following sections show the individual operations instead of the entire PATCH request payload. Here we go!!
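The two questions above decide the shape of each operation, and every operation is then wrapped in the PatchOp envelope defined in RFC 7644 3.5.2. The Python helper below is an added example, not code from the original post or from WSO2; the function names and the sample values (shaggy, Sri Lanka, work@example.com) are constructed for illustration.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644 3.5.2
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def operation(op, path=None, value=None):
    """Build one PATCH operation, rejecting shapes RFC 7644 does not allow."""
    op = op.lower()
    if op not in ("add", "replace", "remove"):
        raise ValueError(f"unsupported op: {op!r}")
    if op == "remove":
        if not path:
            raise ValueError("remove requires a path (noTarget otherwise)")
        return {"op": op, "path": path}
    if value is None:
        raise ValueError(f"{op} requires a value")
    if path is None:
        # No path: the target is the resource itself, so value is an object.
        if not isinstance(value, dict):
            raise ValueError("without a path, value must be an object")
        return {"op": op, "value": value}
    return {"op": op, "path": path, "value": value}


def patch_request(*operations):
    """Wrap operations in the PatchOp envelope sent as the request body."""
    if not operations:
        raise ValueError("at least one operation is required")
    return {"schemas": [PATCH_SCHEMA], "Operations": list(operations)}


def sample_request():
    """One operation per attribute shape from this post (constructed values)."""
    return patch_request(
        # Simple singular, no path: the attribute name is a key inside value.
        operation("add", value={"nickName": "shaggy"}),
        # Simple singular in the Enterprise User schema, addressed by path.
        operation("replace", path=f"{ENTERPRISE}:country", value="Sri Lanka"),
        # Complex singular: remove one sub-attribute via attribute.subattribute.
        operation("remove", path="name.givenName"),
        # Complex multi-valued: a filter in the path selects the entry to change.
        operation("replace", path='emails[type eq "work"].value',
                  value="work@example.com"),
    )


if __name__ == "__main__":
    print(json.dumps(sample_request(), indent=2))
```

Running the file prints the full JSON body; building the payload this way catches a remove without a path or a path-less add with a bare string before the request is sent.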
1. Simple Singular Attribute
Here I have selected nickName from the User core schema and urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:country from the Enterprise User schema.
Since path is an optional param for add and replace operations, I have added samples with and without path.
1.1 add
The first example is to add a simple singular attribute named nickName in the User Core Schema, without the path param and with the path param.
This example is to add a simple singular attribute named country in the Enterprise User Schema, without the path param and with the path param.
1.2 replace
This example is to replace a simple singular attribute named nickName in the User Core Schema, without the path param and with the path param.
This example is to replace a simple singular attribute named country in the Enterprise User Schema, without the path param and with the path param.
1.3 remove
This is how simple singular attributes need to be removed.
2. Complex Singular Attribute
Here I have selected name from the User core schema, which has sub-attributes such as givenName, familyName, etc., and urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager from the Enterprise User schema, which has displayName, value, ref as sub-attributes.
2.1 add
2.2 replace
2.3 remove
If the path contains the complex attribute, it removes all sub-attribute values. (NOTE: There is a special case for the name attribute. Though “path”: “name” is given, it doesn’t remove familyName.)
If you just want to delete a sub-attribute of the complex attribute, use the format attribute.subattribute as shown below.
3. Simple Multi-Valued Attribute
This type of attribute is not found in the core schemas of the SCIM specification. However, it is possible to add simple multi-valued attributes to our extended schemas. Here I have given examples based on a hypothetical attribute called devices. You can add such attributes by following the blog “How to add SCIM Extended Attributes in WSO2 Identity Server”.
3.1 add
3.2 replace
3.3 remove
4. Complex Multi-Valued Attribute
Here I have selected emails from the User core schema, which can have multiple email types such as home, work, other. Each email attribute has sub-attributes such as value, type, primary.
4.1 add
4.2 replace
If you want to replace one object’s sub-attribute value, filter out that object and do the replace operation.
4.3 remove
Find the postman collection here: https://app.getpostman.com/run-collection/066316335c2bbaba3c60
Next time, don’t make any mistakes in your PATCH request. 😉👊