SCIM validator: What is the `DELETE /Groups/Id` validation looking for to pass?

Brandur 0 Reputation points
2024-06-07T19:52:22.55+00:00

I'm using Microsoft's SCIM validator, and I've gotten most of it passing now, but I'm down to one test that fails and without explaining why exactly.

The test is DELETE /Groups/Id on the substep GET filter on deleted Group should not return any Groups. It deletes a group, then tries to fetch the group after deletion, but is unhappy that my API is returning a 404 in such a situation.

GET https://3c71-208-52-28-191.ngrok-free.app/vendor/scim/v2/organizations/matjsvug6vb7javsjsugxbjtiy/Groups/toj33fwyyrcnrga4h2maveyqx4 1.1
Host: 3c71-208-52-28-191.ngrok-free.app

Response Received Response Status: 404 NotFound

{
  "detail": "Resource gzzowxsplzbyxfebhcbwdtp3ze not found",
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:Error"
  ],
  "status": "404"
}

(Screenshot below.)

This is specifically covered in the SCIM spec in section 3.6 [2], and 404 is the mandated response code.

I don't understand what the validator is expecting here, and it doesn't tell me.

I tried throwing a whole bunch of stuff at the wall to see if I could get it passing via trial and error:

  • Return 400 status code.
  • Return 410 (gone) status code.
  • Return 200 OK containing resource.
  • Return 204 (no content).
  • Return 200 with empty response.
  • Return 200 with empty JSON object ({}) response.

None of these did the trick.

A very broad problem with the validator is that in case of a failure, it won't tell you what the problem is — just that there is one. I was able to fix most problems via trial and error, but this thing would be infinitely easier to use with better error diagnostics.

[1] https://scimvalidator.microsoft.com/ [2] https://datatracker.ietf.org/doc/html/rfc7644#section-3.6

failure

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,181 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Brandur 0 Reputation points
    2024-06-07T21:48:43.0133333+00:00

    Never mind — this turned out to have nothing to do with the "group get" request which is supposed to be a 404. The validator was making a follow up "group list" request that was doing the wrong thing on my end, but showing the wrong request in the informational pane.


  2. Shweta Mathur 28,926 Reputation points Microsoft Employee
    2024-06-11T08:11:20.68+00:00

    Hi @Brandur ,

    Thanks for reaching out.

    The SCIM specification mandates that a 404-response code should be returned when a deleted resource is requested.

    I'm glad that you were able to figure out your issue and thank you for posting so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    User's image

    Thanks

    0 comments No comments