rfc9865.original   rfc9865.txt 
SCIM M. Peterson, Ed. Internet Engineering Task Force (IETF) M. Peterson, Ed.
Internet-Draft Entrust Request for Comments: 9865 Entrust
Updates: 7643, 7644 (if approved) D. Zollner Updates: 7643, 7644 D. Zollner
Intended status: Standards Track Independent Category: Standards Track Independent
Expires: 16 January 2026 A. Sehgal ISSN: 2070-1721 A. Sehgal
Amazon Web Services Amazon Web Services
15 July 2025 September 2025
Cursor-based Pagination of SCIM Resources Cursor-based Pagination of System of Cross-domain Identity Management
draft-ietf-scim-cursor-pagination-11 (SCIM) Resources
Abstract Abstract
This document updates RFC7643 and RFC7644 by defining additional SCIM This document updates RFCs 7643 and 7644 by defining additional
(System for Cross-Domain Identity Management) query parameters and System for Cross-Domain Identity Management (SCIM) query parameters
result attributes to allow use of cursor-based pagination in SCIM and result attributes to allow use of cursor-based pagination in SCIM
service providers that are implemented with existing code bases, service providers that are implemented with existing codebases,
databases, or APIs where cursor-based pagination is already well databases, or APIs where cursor-based pagination is already well
established. established.
Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the System for Cross-
domain Identity Management Working Group mailing list
(scim@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/scim/.
Source for this draft and an issue tracker can be found at
https://github.com/ietf-scim-wg/draft-ietf-scim-cursor-pagination.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering This document is a product of the Internet Engineering Task Force
Task Force (IETF). Note that other groups may also distribute (IETF). It represents the consensus of the IETF community. It has
working documents as Internet-Drafts. The list of current Internet- received public review and has been approved for publication by the
Drafts is at https://datatracker.ietf.org/drafts/current/. Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Internet-Drafts are draft documents valid for a maximum of six months Information about the current status of this document, any errata,
and may be updated, replaced, or obsoleted by other documents at any and how to provide feedback on it may be obtained at
time. It is inappropriate to use Internet-Drafts as reference https://www.rfc-editor.org/info/rfc9865.
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 16 January 2026.
Copyright Notice Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3 1.1. Notational Conventions
1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Definitions
2. Query Parameters and Response Attributes . . . . . . . . . . 4 2. Query Parameters and Response Attributes
2.1. Pagination errors . . . . . . . . . . . . . . . . . . . . 7 2.1. Pagination Errors
2.2. Sorting . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2. Sorting
2.3. Implementing Cursors as the Only Pagination Method . . . 7 2.3. Implementing Cursors as the Only Pagination Method
2.4. Implementing Both Cursors and Index Pagination . . . . . 8 2.4. Implementing Both Cursors and Index Pagination
3. Querying Resources using HTTP POST . . . . . . . . . . . . . 8 3. Querying Resources Using HTTP POST
4. Service Provider Configuration . . . . . . . . . . . . . . . 9 4. Service Provider Configuration
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 5. Security Considerations
5.1. Threat Model and Security Environment . . . . . . . . . . 11 5.1. Threat Model and Security Environment
5.2. Confidentiality . . . . . . . . . . . . . . . . . . . . . 12 5.2. Confidentiality
5.3. Availability . . . . . . . . . . . . . . . . . . . . . . 13 5.3. Availability
5.4. Other Security References . . . . . . . . . . . . . . . . 13 5.4. Other Security References
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 6. IANA Considerations
7. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 14 7. References
8. Acknowledgments and Contributions . . . . . . . . . . . . . . 15 7.1. Normative References
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 7.2. Informative References
9.1. Normative References . . . . . . . . . . . . . . . . . . 15 Acknowledgments and Contributions
9.2. Informative References . . . . . . . . . . . . . . . . . 16 Authors' Addresses
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
The two common patterns for result pagination are index-based The two common patterns for result pagination are index-based
pagination and cursor-based pagination. Rather than attempt to pagination and cursor-based pagination. Rather than attempt to
compare and contrast the advantages and disadvantages of competing compare and contrast the advantages and disadvantages of competing
pagination patterns, this document simply recognizes that SCIM pagination patterns, this document simply recognizes that System for
(System for Cross-Domain Identity Management) service providers are Cross-Domain Identity Management (SCIM) service providers are
commonly implemented as an interoperability layer on top of already commonly implemented as an interoperability layer on top of already
existing application codebases, databases, and/or APIs that already existing application codebases, databases, and/or APIs that already
have a well established pagination pattern. have a well established pagination pattern.
Translating from an underlying cursor-based pagination pattern to the Translating from an underlying cursor-based pagination pattern to the
index-based pagination defined in Section 3.4.2.4 of [RFC7644] index-based pagination defined in Section 3.4.2.4 of [RFC7644]
ultimately requires the SCIM service provider to fully iterate the ultimately requires the SCIM service provider to fully iterate the
underlying cursor, store the results, and then serve indexed pages underlying cursor, store the results, and then serve indexed pages
from the stored results. This task of "pagination translation" from the stored results. This task of "pagination translation"
increases complexity and memory requirements for implementing a SCIM increases complexity and memory requirements for implementing a SCIM
service provider, and may be an impediment to SCIM adoption for some service provider, and may be an impediment to SCIM adoption for some
applications and identity systems. applications and identity systems.
This document defines a simple addition to the SCIM protocol that This document defines a simple addition to the SCIM protocol that
allows SCIM service providers to reuse underlying cursors without allows SCIM service providers to reuse underlying cursors without
expensive translation. Support for cursor-based pagination in SCIM expensive translation. Support for cursor-based pagination in SCIM
encourages broader cross-application identity management encourages broader cross-application identity management
interoperability by encouraging SCIM service provider implementations interoperability by encouraging SCIM service provider implementations
for applications and identity systems where cursor-based pagination for applications and identity systems where cursor-based pagination
is already well-established. is already well established.
This document updates RFCs 7643 and 7644 because it adds attributes This document updates RFCs 7643 and 7644 because it adds attributes
to existing structures from those documents, as described in this to existing structures from those documents, as described in
memo in Section 2. These changes are invoked when using the "cursor" Section 2. These changes are invoked when using the "cursor"
parameter when making SCIM search requests using GET or POST methods. parameter when making SCIM search requests using GET or POST methods.
1.1. Notational Conventions 1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
1.2. Definitions 1.2. Definitions
This document uses the terms defined in section 1.2 of [RFC7643] This document uses the terms defined in Section 1.2 of [RFC7643].
2. Query Parameters and Response Attributes 2. Query Parameters and Response Attributes
The following table describes the URL pagination query parameters for The following table describes the URL pagination query parameters for
requesting cursor-based pagination: requesting cursor-based pagination:
+===========+=====================================================+ +===========+=====================================================+
| Parameter | Description | | Parameter | Description |
+===========+=====================================================+ +===========+=====================================================+
| cursor | The string value of the nextCursor attribute from a | | cursor | The string value of the nextCursor attribute from a |
| | previous result page. The cursor value MUST be | | | previous result page. The cursor value MUST be |
| | empty or omitted for the first request of a cursor- | | | empty or omitted for the first request of a cursor- |
| | paginated query. This value may only contain | | | paginated query. This value may only contain |
| | characters from the unreserved characters set | | | characters from the unreserved character set |
| | defined in section 2.3 of [RFC3986]. | | | defined in Section 2.3 of [RFC3986]. |
+-----------+-----------------------------------------------------+ +-----------+-----------------------------------------------------+
| count | Specifies the desired maximum number of query | | count | Specifies the desired maximum number of query |
| | results per page, e.g., 10. A negative value SHALL | | | results per page, e.g., 10. A negative value SHALL |
| | be interpreted as "0". A value of "0" indicates | | | be interpreted as "0". A value of "0" indicates |
| | that no resource results are to be returned except | | | that no resource results are to be returned except |
| | for "totalResults". When specified, the service | | | for "totalResults". When specified, the service |
| | provider MUST NOT return more although it MAY | | | provider MUST NOT return more, although it MAY |
| | return fewer results. If unspecified, the maximum | | | return fewer, results. If unspecified, the maximum |
| | number of returned is set by the service provider. | | | number returned is set by the service provider. |
+-----------+-----------------------------------------------------+ +-----------+-----------------------------------------------------+
Table 1: Query Parameters Table 1: Query Parameters
The following table describes cursor-based pagination attributes The following table describes cursor-based pagination attributes
returned in a paged query response: returned in a paged query response:
+================+================================================+ +================+================================================+
| Element | Description | | Element | Description |
+================+================================================+ +================+================================================+
skipping to change at page 5, line 30 skipping to change at line 175
| | OPTIONAL. previousCursor MUST NOT be returned | | | OPTIONAL. previousCursor MUST NOT be returned |
| | with the first page. | | | with the first page. |
+----------------+------------------------------------------------+ +----------------+------------------------------------------------+
Table 2: Response Attributes Table 2: Response Attributes
Cursor values are URL-safe strings that are opaque to the client. To Cursor values are URL-safe strings that are opaque to the client. To
retrieve another result page for a query, the client MUST query the retrieve another result page for a query, the client MUST query the
same service provider endpoint with all query parameters and values same service provider endpoint with all query parameters and values
being identical to the initial query with the exception of the cursor being identical to the initial query with the exception of the cursor
value which SHOULD be set to a nextCursor (or previousCursor) value value, which SHOULD be set to a nextCursor (or previousCursor) value
that was returned by the service provider in a previous response. that was returned by the service provider in a previous response.
For example, to retrieve the first 10 Users with userName starting For example, to retrieve the first 10 users with userName starting
with J, use an empty cursor and set the count to 10: with J, use an empty cursor and set the count to 10:
GET /Users?filter=userName%20sw%20J&cursor&count=10 GET /Users?filter=userName%20sw%20J&cursor&count=10
Host: example.com Host: example.com
Accept: application/scim+json Accept: application/scim+json
Authorization: Bearer U8YJcYYRMjbGeepD Authorization: Bearer U8YJcYYRMjbGeepD
The SCIM service provider in response to the query above returns The SCIM service provider in response to the query above returns
metadata regarding pagination similar to the following example metadata regarding pagination similar to the following example
(actual resources removed for brevity): (actual resources removed for brevity):
skipping to change at page 6, line 18 skipping to change at line 203
{ {
"totalResults":100, "totalResults":100,
"itemsPerPage":10, "itemsPerPage":10,
"nextCursor":"VZUTiyhEQJ94IR", "nextCursor":"VZUTiyhEQJ94IR",
"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"Resources":[{ "Resources":[{
... ...
}] }]
} }
Given the example above, to request the next page or results, use the Given the example above, to request the next page of results, use the
same query parameters and values except set the cursor to the value same query parameters and values except set the cursor to the value
of nextCursor (VZUTiyhEQJ94IR): of nextCursor (VZUTiyhEQJ94IR):
GET /Users?filter=username%20sw%20J&cursor=VZUTiyhEQJ94IR&count=10 GET /Users?filter=username%20sw%20J&cursor=VZUTiyhEQJ94IR&count=10
Host: example.com Host: example.com
Accept: application/scim+json Accept: application/scim+json
Authorization: Bearer U8YJcYYRMjbGeepD Authorization: Bearer U8YJcYYRMjbGeepD
The service provider responds with: The service provider responds with:
skipping to change at page 6, line 47 skipping to change at line 232
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"Resources":[{ "Resources":[{
... ...
}] }]
} }
In the example above, the response includes the optional In the example above, the response includes the optional
previousCursor indicating that the service provider supports forward previousCursor indicating that the service provider supports forward
and reverse traversal of result pages. and reverse traversal of result pages.
As described in Section 3.4.1 of [RFC7644] service providers should As described in Section 3.4.1 of [RFC7644], service providers should
return an accurate value for totalResults which is the total number return an accurate value for totalResults, which is the total number
of resources for all pages. Service providers implementing cursor of resources for all pages. Service providers implementing cursor
pagination that are unable to estimate totalResults MAY choose to pagination that are unable to estimate totalResults MAY choose to
omit the totalResults attribute. omit the totalResults attribute.
2.1. Pagination errors 2.1. Pagination Errors
If a service provider encounters invalid pagination query parameters If a service provider encounters invalid pagination query parameters
(invalid cursor value, count value, etc), or other error conditions, (invalid cursor value, count value, etc) or other error conditions,
the service provider SHOULD return the appropriate HTTP response the service provider SHOULD return the appropriate HTTP response
status code and detailed JSON error response as defined in status code and detailed JSON error response as defined in
Section 3.12 of [RFC7644]. Section 3.12 of [RFC7644].
For HTTP status code 400 (Bad Request) responses, the following For HTTP status code 400 (Bad Request) responses, the following
detail error types are defined. These error types extend the list of detail error types are defined. These error types extend the list
error types defined in section 3.12 of [RFC7644], Table 9: SCIM defined in Table 9 ("SCIM Detail Error Keyword Values") of
Detail Error Keyword Values. Section 3.12 of [RFC7644]
+===============+==================================+===============+ +===============+==================================+===============+
| scimType | Description | Applicability | | scimType | Description | Applicability |
+===============+==================================+===============+ +===============+==================================+===============+
| invalidCursor | Cursor value is invalid. Cursor | GET (Section | | invalidCursor | Cursor value is invalid. Cursor | GET (Section |
| | value SHOULD be empty to request | 3.4.2 of | | | value SHOULD be empty to request | 3.4.2 of |
| | the first page and set to the | [RFC7644]) | | | the first page and set to the | [RFC7644]) |
| | nextCursor or previousCursor | | | | nextCursor or previousCursor | |
| | value for subsequent queries. | | | | value for subsequent queries. | |
+---------------+----------------------------------+---------------+ +---------------+----------------------------------+---------------+
skipping to change at page 7, line 50 skipping to change at line 283
2.2. Sorting 2.2. Sorting
If sorting is implemented as described Section 3.4.2.3 of [RFC7644], If sorting is implemented as described Section 3.4.2.3 of [RFC7644],
then cursor-paged results should be sorted. then cursor-paged results should be sorted.
2.3. Implementing Cursors as the Only Pagination Method 2.3. Implementing Cursors as the Only Pagination Method
A service provider MAY require cursor-based pagination to retrieve A service provider MAY require cursor-based pagination to retrieve
all results for a query by including a nextCursor value in the all results for a query by including a nextCursor value in the
response even when the query does not include the cursor parameter. response, even when the query does not include the cursor parameter.
For example: For example:
GET /Users GET /Users
Host: example.com Host: example.com
Accept: application/scim+json Accept: application/scim+json
The service provider may respond to the above query with a page The service provider may respond to the above query with a page
containing defaultPageSize results and a nextCursor value as shown in containing defaultPageSize results and a nextCursor value as shown in
the below example (Resources omitted for brevity): the below example (Resources omitted for brevity):
skipping to change at page 8, line 41 skipping to change at line 323
providers supporting both pagination methods MUST choose a default providers supporting both pagination methods MUST choose a default
pagination method to use when responding to requests that have not pagination method to use when responding to requests that have not
specified a pagination query parameter. specified a pagination query parameter.
Implementers of SCIM service providers that previously supported only Implementers of SCIM service providers that previously supported only
index-based pagination and are adding support for cursor-based index-based pagination and are adding support for cursor-based
pagination should use index as the default pagination method to avoid pagination should use index as the default pagination method to avoid
incompatibility with clients that expect index-based pagination incompatibility with clients that expect index-based pagination
behaviors when no pagination query parameters are specified. behaviors when no pagination query parameters are specified.
SCIM clients can query the service provider configuration (Section 4) SCIM clients can query the Service Provider Configuration (Section 4)
endpoint to determine if index-based, cursor-based or both types of endpoint to determine if index-based, cursor-based, or both types of
pagination are supported and which of these is the default. pagination are supported and which of these is the default.
3. Querying Resources using HTTP POST 3. Querying Resources Using HTTP POST
Section 3.4.3 of [RFC7644] defines how clients may execute queries Section 3.4.3 of [RFC7644] defines how clients may execute queries
without passing parameters on the URL by using the POST verb combined without passing parameters on the URL by using the POST verb combined
with the /.search path extension execute. When posting to /.search, with the /.search path extension execute. When posting to /.search,
the client would pass the parameters defined in Section 2 in the body the client would pass the parameters defined in Section 2 in the body
of the POST request. For example: of the POST request. For example:
POST /User/.search POST /User/.search
Host: example.com Host: example.com
Accept: application/scim+json Accept: application/scim+json
Authorization: Bearer U8YJcYYRMjbGeepD Authorization: Bearer U8YJcYYRMjbGeepD
{ {
"schemas": ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"], "schemas": ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"],
"attributes": ["displayName", "userName"], "attributes": ["displayName", "userName"],
"filter": "displayName sw \"smith\"", "filter": "displayName sw \"smith\"",
"cursor": "", "cursor": "",
"count": 10 "count": 10
} }
Which would return a result containing a nextCursor value which may Which would return a result containing a nextCursor value that may be
be used by the client in a subsequent call to return the next page of used by the client in a subsequent call to return the next page of
resources: resources:
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/scim+json Content-Type: application/scim+json
{ {
"totalResults": 100, "totalResults": 100,
"itemsPerPage": 10, "itemsPerPage": 10,
"nextCursor": "VZUTiyhEQJ94IR", "nextCursor": "VZUTiyhEQJ94IR",
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"Resources": [{ "Resources": [{
... ...
}] }]
} }
4. Service Provider Configuration 4. Service Provider Configuration
The /ServiceProviderConfig resource defined in Section 4 of [RFC7644] The /ServiceProviderConfig resource defined in Section 4 of [RFC7644]
facilitates discovery of SCIM service provider features. A SCIM facilitates discovery of SCIM service provider features. A SCIM
service provider implementing cursor-based pagination SHOULD include service provider implementing cursor-based pagination SHOULD include
the following additional attribute in JSON document returned by the the following additional attribute in a JSON document returned by the
/ServiceProviderConfig endpoint: /ServiceProviderConfig endpoint:
pagination A complex type that indicates pagination configuration pagination A complex type that indicates pagination configuration
options. OPTIONAL. The following sub-attributes are defined: options. OPTIONAL.
cursor A Boolean value specifying support of cursor-based The following sub-attributes are defined:
pagination. REQUIRED.
index A Boolean value specifying support of index-based cursor A Boolean value specifying support of cursor-based
pagination. REQUIRED. pagination. REQUIRED.
defaultPaginationMethod A string value specifying the type of index A Boolean value specifying support of index-based pagination.
pagination that the service provider defaults to when the REQUIRED.
client has not specified which method it wishes to use.
Possible values are "cursor" and "index". OPTIONAL.
defaultPageSize Positive integer value specifying the default defaultPaginationMethod A string value specifying the type of
number of results returned in a page when a count is not pagination that the service provider defaults to when the client
specified in the query. OPTIONAL. has not specified which method it wishes to use. Possible values
are "cursor" and "index". OPTIONAL.
maxPageSize Positive integer specifying the maximum number of defaultPageSize Positive integer value specifying the default number
results returned in a page regardless of what is specified for of results returned in a page when a count is not specified in the
the count in a query. The maximum number of results returned query. OPTIONAL.
may be further restricted by other criteria. OPTIONAL.
cursorTimeout Positive integer specifying the minimum number of maxPageSize Positive integer specifying the maximum number of
seconds that a cursor is valid between page requests. Clients results returned in a page regardless of what is specified for the
waiting too long between cursor pagination requests may receive count in a query. The maximum number of results returned may be
an invalid cursor error response. No value being specified may further restricted by other criteria. OPTIONAL.
mean that there is no cursor timeout or that the cursor timeout
is not a static duration. OPTIONAL. cursorTimeout Positive integer specifying the minimum number of
seconds that a cursor is valid between page requests. Clients
waiting too long between cursor pagination requests may receive an
invalid cursor error response. No value being specified may mean
that there is no cursor timeout or that the cursor timeout is not
a static duration. OPTIONAL.
Service providers may choose not to advertise Service Provider Service providers may choose not to advertise Service Provider
Configuration information regarding default pagination method, page Configuration information regarding default pagination method, page
size or cursor validity. Clients MUST NOT interpret the lack of size, or cursor validity. Clients MUST NOT interpret the lack of
published Service Provider Configuration values to mean that no published Service Provider Configuration values to mean that no
defaults or limits on page sizes or cursor lifetimes exist, or that defaults or limits on page sizes or cursor lifetimes exist, or that
there is no default pagination method. Service providers may choose there is no default pagination method. Service providers may choose
not to publish values for the pagination sub-attributes for many not to publish values for the pagination sub-attributes for many
reasons. Examples include: reasons. Examples include:
* Service providers containing multiple resource types may have * Service providers containing multiple resource types may have
different values set for each resource type. different values set for each resource type.
* Default and maximum page size may be determined by factors besides * Default and maximum page size may be determined by factors besides
skipping to change at page 12, line 7 skipping to change at line 479
1. Unauthenticated and Authenticated Malicious Actors: These 1. Unauthenticated and Authenticated Malicious Actors: These
individuals or entities represent a malevolent threat. Their individuals or entities represent a malevolent threat. Their
objectives include unauthorized access to data, alteration, or objectives include unauthorized access to data, alteration, or
deletion through cursor-enabled queries. They may also seek to deletion through cursor-enabled queries. They may also seek to
deplete service provider resources deliberately, aiming to cause deplete service provider resources deliberately, aiming to cause
a denial-of-service state, thereby reducing service availability. a denial-of-service state, thereby reducing service availability.
2. Authenticated Benign Users: This category includes legitimate 2. Authenticated Benign Users: This category includes legitimate
users who, due to confusion or a lack of understanding, users who, due to confusion or a lack of understanding,
inadvertently engage in actions that consume service provider inadvertently engage in actions that consume service-provider
resources excessively. Such actions, while not ill-intended, can resources excessively. Such actions, while not ill intended, can
lead to unintended denial of service by overwhelming the service lead to unintended denial of service by overwhelming the service
provider's capacity. provider's capacity.
5.2. Confidentiality 5.2. Confidentiality
To ensure that confidential data remains appropriately secured: To ensure that confidential data remains appropriately secured:
* Implementers MUST ensure that pagination through results sets is * Implementers MUST ensure that pagination through results sets is
strictly confined to the data that the actor's current identity strictly confined to the data that the actor's current identity
has been authorized to access. This holds true even in cases has been authorized to access. This holds true even in cases
skipping to change at page 12, line 31 skipping to change at line 503
* Authorization checks MUST be continuously applied as an actor * Authorization checks MUST be continuously applied as an actor
navigates through the result set associated with a cursor. Under navigates through the result set associated with a cursor. Under
no circumstances should possession of a cursor be interpreted as no circumstances should possession of a cursor be interpreted as
granting any supplementary access privileges to the actor. granting any supplementary access privileges to the actor.
* When possible, service providers SHOULD invalidate all cursors * When possible, service providers SHOULD invalidate all cursors
corresponding to an actor immediately following a change in corresponding to an actor immediately following a change in
permissions. This ensures that any queries executed post- permissions. This ensures that any queries executed post-
permission change, utilizing old cursors, will be denied. As an permission change, utilizing old cursors, will be denied. As an
alternative approach, service provider may opt to retain the alternative approach, service providers may opt to retain the
existing cursors but must ensure that any metadata tied to the existing cursors but must ensure that any metadata tied to the
result set, such as record counts, is updated to reflect the new result set, such as record counts, is updated to reflect the new
permissions accurately. permissions accurately.
* In alignment with Section 2, cursor values are URL-Safe strings * In alignment with Section 2, cursor values are URL-safe strings
that are opaque to clients. Server providers should obfuscate that are opaque to clients. Service providers should obfuscate
cursors values to prevent clients from interpreting cursors or cursors values to prevent clients from interpreting cursors or
forging new cursors. Service providers should be able to easily forging new cursors. Service providers should be able to easily
detect forged cursor values and immediately return an detect forged cursor values and immediately return an
invalidCursor as described in Section 2.1 invalidCursor as described in Section 2.1.
* The service provider MUST handle error scenarios without exposing * The service provider MUST handle error scenarios without exposing
sensitive data. For instance, if an actor attempts to access a sensitive data. For instance, if an actor attempts to access a
page of results outside their authorized scope, or if a request is page of results outside their authorized scope, or if a request is
made for a non-existent page, the service provider should respond made for a non-existent page, the service provider should respond
with identical error messages, so as not to disclose any details with identical error messages, so as not to disclose any details
of the underlying data or the nature of the authorization failure. of the underlying data or the nature of the authorization failure.
It is acceptable, however, for the service provider to log It is acceptable, however, for the service provider to log
different messages to a log accessible by administrators or other different messages to a log accessible by administrators or other
authorized personnel. authorized personnel.
5.3. Availability 5.3. Availability
The concern for availability primarily stems from the potential for The concern for availability primarily stems from the potential for
Denial of Service (DoS) attacks. If the service provider elects to Denial-of-Service (DoS) attacks. If the service provider elects to
retain substantial data or metadata for each cursor, numerous initial retain substantial data or metadata for each cursor, numerous initial
queries that allocate cursors could strain and eventually exhaust queries that allocate cursors could strain and eventually exhaust
service provider resources. Such an attack could be orchestrated by service-provider resources. Such an attack could be orchestrated by
an attacker with malicious intent or could occur unintentionally as a an attacker with malicious intent or could occur unintentionally as a
result of client testing or bugs. result of client testing or bugs.
To mitigate risks, the following strategies are recommended for To mitigate risks, the following strategies are recommended for
service providers: service providers:
* Clients should authenticate to retrieve large result sets. * Clients should authenticate to retrieve large result sets.
Anonymous queries yielding numerous results, may return an HTTP Anonymous queries yielding numerous results may return an HTTP
status code 400 (Bad Request) with the error type "tooMany," as status code 400 (Bad Request) with the error type "tooMany," as
outlined in [RFC7644] section 3.12. outlined in Section 3.12 of [RFC7644].
* Implement rate limiting to control the volume and cadence of * Implement rate limiting to control the volume and cadence of
cursor requests. This approach should adhere to established cursor requests. This approach should adhere to established
standards for rate limiting, details of which can be found in standards for rate limiting; details can be found in [RFC6585].
[RFC6585].
* Allow administrator of the service provider to set a ceiling on * Allow administrator of the service provider to set a ceiling on
the number of cursors permissible at any given time or to specify the number of cursors permissible at any given time or to specify
a maxPageSize value. Guidance on configuring such values should a maxPageSize value. Guidance on configuring such values should
be documented in the implementation administrator/installation be documented in the implementation administrator/installation
guide. guide.
* Cursor invalidation mechanisms (including mechanisms triggered by * Cursor invalidation mechanisms (including mechanisms triggered by
permissions changes) must be designed to be resource-efficient to permissions changes) must be designed to be resource-efficient to
prevent them from being exploited for DoS attacks. prevent them from being exploited for DoS attacks.
5.4. Other Security References 5.4. Other Security References
Using URIs to describe and locate resources has its own set of Using URIs to describe and locate resources has its own set of
security considerations discussed in Section 7 of [RFC3986]. security considerations, as discussed in Section 7 of [RFC3986].
Implementations should also refer to [BCP195] and [RFC9110] for Implementations should also refer to [BCP195] and [RFC9110] for
additional security considerations that are relevant for underlying additional security considerations that are relevant for underlying
TLS and HTTP protocols. TLS and HTTP protocols.
6. IANA Considerations 6. IANA Considerations
This specification requests IANA to amends the SCIM Server-Related IANA has amended the "System for Cross-domain Identity Management
Schema URIs registry established by [RFC7643]. (SCIM) Schema URIs" registry group established by [RFC7643] as
described below.
For the urn:ietf:params:scim:api:messages:2.0:ListResponse, add
Section 2 of this document to the References column.
For the urn:ietf:params:scim:api:messages:2.0:SearchRequest, add
Section 2 of this document to the References column.
For the urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig,
add Section 4 of this document to the References column.
7. Change Log
RFC Editor: Please remove this section in the release version of the
document.
-08
* Fix several typos and wording consistencies
* Add reference to RFC7644 in Security Considerations
* Adjust indenting and wording to clarify the definition of the
pagination attribute in serviceProviderConfig
* Reference RFC section 2.3 (not section 2.2) for unreserved
characters
* Reference section RFC 7644 3.4.3 (not section 3.4.2.4 ) for POST
query
* Added updates 7644, 7643
* Changed IANA considerations to add sections of this document to
References column of SCIM Schema URIs for Data Resources impacted
by this document
-07
* Minor grammar change
* Add informative reference to BCP195 and RFC9110
-05
* Various updates in response to WG/IETF Last Call feedback
-04
* Added IANA Considerations section
* Added Security Considerations section
* Added Backwards Compatibility Considerations section
-03
* Minor grammatical/typo fixes, rename + changes to maxPageSize SCP
definition
-02
* Typos/semantics, acknowledgements, expansion of cursorTimeout SCP
definition
-01
* Updated after Httpdir review.
-00
* Adopted by SCIM WG.
8. Acknowledgments and Contributions
The authors would like to acknowledge the contribution of Paul Lanzi
(IDenovate) in leading the writing of security considerations
section.
The authors would also like to acknowledge the following individuals IANA has updated the "SCIM Schema URIs for Data Resources" registry
who provided valuable feedback while reviewing the document: as follows:
* Aaron Parecki - Okta * For the urn:ietf:params:scim:api:messages:2.0:ListResponse,
Section 2 of this document has been added to the References
column.
* David Brossard - Axiomatics * For the urn:ietf:params:scim:api:messages:2.0:SearchRequest,
Section 2 of this document has been added to the References
column.
* Dean H. Saxe - Independent IANA has updated the "SCIM Server-Related Schema URIs" registry as
follows:
* Pamela Dingle - Microsoft * For the
urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig,
Section 4 of this document has been added to the References
column.
9. References 7. References
9.1. Normative References 7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005, RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/rfc/rfc3986>. <https://www.rfc-editor.org/info/rfc3986>.
[RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status
Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012,
<https://www.rfc-editor.org/rfc/rfc6585>. <https://www.rfc-editor.org/info/rfc6585>.
[RFC7643] Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C. [RFC7643] Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C.
Mortimore, "System for Cross-domain Identity Management: Mortimore, "System for Cross-domain Identity Management:
Core Schema", RFC 7643, DOI 10.17487/RFC7643, September Core Schema", RFC 7643, DOI 10.17487/RFC7643, September
2015, <https://www.rfc-editor.org/rfc/rfc7643>. 2015, <https://www.rfc-editor.org/info/rfc7643>.
[RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E., [RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
and C. Mortimore, "System for Cross-domain Identity and C. Mortimore, "System for Cross-domain Identity
Management: Protocol", RFC 7644, DOI 10.17487/RFC7644, Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
September 2015, <https://www.rfc-editor.org/rfc/rfc7644>. September 2015, <https://www.rfc-editor.org/info/rfc7644>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References 7.2. Informative References
[BCP195] Best Current Practice 195, [BCP195] Best Current Practice 195,
<https://www.rfc-editor.org/info/bcp195>. <https://www.rfc-editor.org/info/bcp195>.
At the time of writing, this BCP comprises the following: At the time of writing, this BCP comprises the following:
Moriarty, K. and S. Farrell, "Deprecating TLS 1.0 and TLS Moriarty, K. and S. Farrell, "Deprecating TLS 1.0 and TLS
1.1", BCP 195, RFC 8996, DOI 10.17487/RFC8996, March 2021, 1.1", BCP 195, RFC 8996, DOI 10.17487/RFC8996, March 2021,
<https://www.rfc-editor.org/info/rfc8996>. <https://www.rfc-editor.org/info/rfc8996>.
Sheffer, Y., Saint-Andre, P., and T. Fossati, Sheffer, Y., Saint-Andre, P., and T. Fossati,
"Recommendations for Secure Use of Transport Layer "Recommendations for Secure Use of Transport Layer
Security (TLS) and Datagram Transport Layer Security Security (TLS) and Datagram Transport Layer Security
(DTLS)", BCP 195, RFC 9325, DOI 10.17487/RFC9325, November (DTLS)", BCP 195, RFC 9325, DOI 10.17487/RFC9325, November
2022, <https://www.rfc-editor.org/info/rfc9325>. 2022, <https://www.rfc-editor.org/info/rfc9325>.
[RFC9110] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, [RFC9110] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", STD 97, RFC 9110, Ed., "HTTP Semantics", STD 97, RFC 9110,
DOI 10.17487/RFC9110, June 2022, DOI 10.17487/RFC9110, June 2022,
<https://www.rfc-editor.org/rfc/rfc9110>. <https://www.rfc-editor.org/info/rfc9110>.
Acknowledgments and Contributions
The authors would like to acknowledge the contribution of Paul Lanzi
(IDenovate) in leading the writing of the Security Considerations
section.
The authors would also like to acknowledge the following individuals
who provided valuable feedback while reviewing the document:
Aaron Parecki
Okta
David Brossard
Axiomatics
Dean H. Saxe
Independent
Pamela Dingle
Microsoft
Authors' Addresses Authors' Addresses
Matt Peterson (editor) Matt Peterson (editor)
Entrust Entrust
Email: matt.peterson@entrust.com Email: matt.peterson@entrust.com
Danny Zollner Danny Zollner
Independent Independent
Email: danny@zollnerd.com Email: danny@zollnerd.com
 End of changes. 64 change blocks. 
233 lines changed or deleted 174 lines changed or added

This html diff was produced by rfcdiff 1.48.