[IS7 KM Connector][Passing End User Attributes to the Backend] - User attributes of SCIM 2.0 Extension schemas are not read during claim mapping #2693

Closed
senthuran16 opened this issue Mar 21, 2024 · 0 comments · Fixed by wso2/charon#401 or wso2/product-apim#13454
Description

When using the IS7 KM Connector [1] and performing the Passing End User Attributes to the Backend feature, only the user attributes that belong to the user resource schema (urn:ietf:params:scim:schemas:core:2.0:User) are mapped as local claims. User attributes of other extension schemas (e.g. enterprise schema urn:ietf:params:scim:schemas:extension:enterprise:2.0:User) are not being parsed.

In IS7, user attributes are present under the following SCIM 2.0 schemas:

  • Core Schema: urn:ietf:params:scim:schemas:core:2.0
  • User Schema: urn:ietf:params:scim:schemas:core:2.0:User
  • Enterprise Schema: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

Example

Consider the following SCIM 2.0 dialect payload of a user's info, obtained via SCIM 2.0 Me GET:

{
   "emails":[
      "[email protected]"
   ],
   "meta":{
      "location":"https://localhost:9444/scim2/Users/6f0aedde-d5a9-4d3c-b04b-d5715f92a4bd",
      "lastModified":"2024-03-15T08:15:56.154962Z",
      "resourceType":"User"
   },
   "schemas":[
      "urn:ietf:params:scim:schemas:core:2.0:User",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
      "urn:scim:wso2:schema"
   ],
   "roles":[
      {
         "display":"admin",
         "value":"aab3420a-9360-48fc-80b8-616163d1e303",
         "$ref":"https://localhost:9444/scim2/Roles/aab3420a-9360-48fc-80b8-616163d1e303"
      },
      {
         "display":"Administrator",
         "value":"cdf6749d-e734-4f28-913a-c2fb6ec25df3",
         "$ref":"https://localhost:9444/scim2/Roles/cdf6749d-e734-4f28-913a-c2fb6ec25df3"
      },
      {
         "display":"testrole",
         "value":"3647c757-0c96-444a-b1a4-edd460a003a3",
         "$ref":"https://localhost:9444/scim2/Roles/3647c757-0c96-444a-b1a4-edd460a003a3"
      },
      {
         "display":"myrole",
         "value":"1b4d5caa-0487-4337-93b8-0b73a339a499",
         "$ref":"https://localhost:9444/scim2/Roles/1b4d5caa-0487-4337-93b8-0b73a339a499"
      },
      {
         "display":"everyone",
         "value":"a6246174-02c3-4173-a45d-8d6a8ede1274",
         "$ref":"https://localhost:9444/scim2/Roles/a6246174-02c3-4173-a45d-8d6a8ede1274"
      }
   ],
   "name":{
      "givenName":"AdminFirstName",
      "familyName":"AdminLastName"
   },
   "groups":[
      {
         "display":"admin",
         "value":"219248d9-d00f-4138-91f6-c52bdc2b9b53",
         "$ref":"https://localhost:9444/scim2/Groups/219248d9-d00f-4138-91f6-c52bdc2b9b53"
      }
   ],
   "id":"6f0aedde-d5a9-4d3c-b04b-d5715f92a4bd",
   "userName":"admin",
   "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{
      "country":"Sri Lanka",
      "dateOfBirth":"1996-01-16"
   },
   "phoneNumbers":[
      {
         "type":"mobile",
         "value":"+94712345678"
      }
   ]
}

Claims mapped to local dialect, of the above user:

{
  "https://wso2.org/claims/apiname": "PizzaShackAPI",
  "https://wso2.org/claims/applicationtier": "10PerMin",
  "https://wso2.org/claims/mobile": "+94712345678",
  "https://wso2.org/claims/enduserTenantId": "-1234",
  "https://wso2.org/claims/groups": "219248d9-d00f-4138-91f6-c52bdc2b9b53",
  "https://wso2.org/claims/applicationUUId": "f8af8504-97a7-4d31-8842-ab7ff675ca22",
  "https://wso2.org/claims/subscriber": "admin",
  "https://wso2.org/claims/emailaddress": "[email protected]",
  "https://wso2.org/claims/lastname": "AdminLastName",
  "https://wso2.org/claims/applicationid": "25",
  "https://wso2.org/claims/usertype": "Application_User",
  "https://wso2.org/claims/apicontext": "/pizzashack/1.0.0",
  "https://wso2.org/claims/userid": "6f0aedde-d5a9-4d3c-b04b-d5715f92a4bd",
  "https://wso2.org/claims/username": "admin",
  "https://wso2.org/claims/version": "1.0.0",
  "https://wso2.org/claims/keytype": "PRODUCTION",
  "https://wso2.org/claims/location": "https://localhost:9444/scim2/Users/6f0aedde-d5a9-4d3c-b04b-d5715f92a4bd",
  "https://wso2.org/claims/applicationname": "FooApp17",
  "https://wso2.org/claims/enduser": "[email protected]",
  "https://wso2.org/claims/resourceType": "User",
  "https://wso2.org/claims/givenname": "AdminFirstName",
  "https://wso2.org/claims/modified": "2024-03-15T08:15:56.154962Z",
  "https://wso2.org/claims/tier": "Unlimited"
}

In the above, the following is not parsed:

"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{
      "country":"Sri Lanka",
      "dateOfBirth":"1996-01-16"
   },

Possible Solution

The schema is provided to the JSON decoder at [3], and extension schemas should be honoured at [3] as well.

[1] wso2-extensions/apim-km-wso2is#128
[2] https://apim.docs.wso2.com/en/4.1.0/deploy-and-publish/deploy-on-gateway/api-gateway/passing-enduser-attributes-to-the-backend-via-api-gateway/#passing-end-user-attributes-to-the-backend
[3] https://github.com/wso2-extensions/apim-km-wso2is/pull/128/files#diff-c2ba9f2ae75d4832fa3499e5fd69cab3ab8a49f64e78911f5a1af9ea787633f5R67

Steps to Reproduce

Refer to the description of PR wso2-extensions/apim-km-wso2is#128

Affected Component

APIM

Version

4.3.0-alpha

Environment Details (with versions)

No response

Relevant Log Output

No response

Related Issues

No response

Suggested Labels

No response
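
The behaviour reported above, as an added example that is not part of the original issue or of WSO2's code: flattening a SCIM 2.0 user resource into attribute URIs with and without the extension containers, then mapping them to local claims. `CLAIM_MAP`, the function names and the local claim URIs chosen for `country` and `dateOfBirth` are assumptions made for illustration.

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample: a trimmed copy of the SCIM 2.0 Me response in the issue.
SAMPLE_USER = {
    "schemas": [CORE_USER, ENTERPRISE, "urn:scim:wso2:schema"],
    "userName": "admin",
    "name": {"givenName": "AdminFirstName", "familyName": "AdminLastName"},
    ENTERPRISE: {"country": "Sri Lanka", "dateOfBirth": "1996-01-16"},
}

# Hypothetical mapping from SCIM attribute URI to local claim URI.
CLAIM_MAP = {
    CORE_USER + ":userName": "https://wso2.org/claims/username",
    CORE_USER + ":name.givenName": "https://wso2.org/claims/givenname",
    CORE_USER + ":name.familyName": "https://wso2.org/claims/lastname",
    ENTERPRISE + ":country": "https://wso2.org/claims/country",
    ENTERPRISE + ":dateOfBirth": "https://wso2.org/claims/dateOfBirth",
}

def _leaves(obj, schema, path=""):
    """Yield (attribute_uri, value); nested objects become dotted paths."""
    for key, value in obj.items():
        sub = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            yield from _leaves(value, schema, sub)
        else:
            yield f"{schema}:{sub}", value  # multi-valued lists stay as lists

def scim_attributes(user, honour_extensions=True):
    """Flatten a SCIM user; extension containers are keyed by schema URN."""
    declared = set(user.get("schemas", []))
    core, attrs = {}, {}
    for key, value in user.items():
        if key == "schemas":
            continue
        if key.startswith("urn:"):
            # Read an extension only if the resource declares that schema.
            if honour_extensions and key in declared and isinstance(value, dict):
                attrs.update(_leaves(value, key))
        else:
            core[key] = value
    attrs.update(_leaves(core, CORE_USER))
    return attrs

def to_local_claims(user, honour_extensions=True):
    attrs = scim_attributes(user, honour_extensions)
    return {CLAIM_MAP[uri]: v for uri, v in attrs.items() if uri in CLAIM_MAP}

if __name__ == "__main__":
    print(to_local_claims(SAMPLE_USER, honour_extensions=False))  # core only
    print(to_local_claims(SAMPLE_USER))                           # with extensions
```

With `honour_extensions=False` the result reproduces the gap in the report: a backend that relies on `country` or `dateOfBirth` never receives them.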
