Description
Describe the bug
We are currently testing the SCIM Source feature and trying to provision users and groups to our authentik test instance.
The user provisioning works for creation & update.
The group provisioning works for creation only.
If a user is added to a group, this SCIM update fails with the error 'Method "PATCH" not allowed.'
We sync from OneLogin via the SCIM v2 Enterprise App.
To Reproduce
Steps to reproduce the behavior:
- Set up a SCIM Source in authentik & OneLogin
- Provision a user who syncs with a group
Expected behavior
The user will be added to the groups via SCIM source provisioning.
Logs
nginx log:
1.2.3.4 - - [05/Sep/2024:14:43:14 +0000] "GET /source/scim/onelogin/v2/Users?filter=userName+eq+%22onelogin-test-user01%22& HTTP/1.1" 200 964 "-" "application/json" "-" "-" "/source/scim/onelogin/v2/Users?filter=userName+eq+%22onelogin-test-user01%22&"
1.2.3.4 - - [05/Sep/2024:14:43:15 +0000] "PUT /source/scim/onelogin/v2/Users/e90ef750-39cc-4062-8c35-ab6375bc455e? HTTP/1.1" 200 832 "-" "application/json" "{\x22schemas\x22:[\x22urn:scim:schemas:core:2.0\x22,\x22urn:scim:schemas:extension:enterprise:2.0\x22],\x22userName\x22:\x22onelogin-test-user01\x22,\x22name\x22:{\x22familyName\x22:\x22 User 01\x22,\x22givenName\x22:\x22AAA Test\x22,\x22formatted\x22:\x22AAA Test User 01\x22},\x22emails\x22:[{\x22value\x22:\x22onelogin-test-user01@tdtest.com\x22,\x22type\x22:\x22work\x22,\x22primary\x22:true}],\x22title\x22:\x22Test Engineer\x22,\x22urn:scim:schemas:extension:enterprise:2.0\x22:{\x22department\x22:\x22Abteilung 1\x22,\x22oneloginid\x22:\x22118021270\x22,\x22manager\x22:{\x22value\x22:\x22\x22,\x22displayName\x22:\x22 \x22}},\x22active\x22:true}" "-" "/source/scim/onelogin/v2/Users/e90ef750-39cc-4062-8c35-ab6375bc455e?"
1.2.3.4 - - [05/Sep/2024:14:43:15 +0000] "PATCH /source/scim/onelogin/v2/Groups/080cf9f3-0912-44e4-ab91-0d467b154db1? HTTP/1.1" 405 42 "-" "application/json" "{\x22schemas\x22:[\x22urn:ietf:params:scim:api:messages:2.0:PatchOp\x22],\x22Operations\x22:[{\x22path\x22:\x22members\x22,\x22op\x22:\x22add\x22,\x22value\x22:[{\x22value\x22:\x22e90ef750-39cc-4062-8c35-ab6375bc455e\x22}]}]}" "-" "/source/scim/onelogin/v2/Groups/080cf9f3-0912-44e4-ab91-0d467b154db1?"
1.2.3.4 - - [05/Sep/2024:14:43:15 +0000] "PATCH /source/scim/onelogin/v2/Groups/a3d0173c-e821-4f44-aa09-75779a242e52? HTTP/1.1" 405 42 "-" "application/json" "{\x22schemas\x22:[\x22urn:ietf:params:scim:api:messages:2.0:PatchOp\x22],\x22Operations\x22:[{\x22path\x22:\x22members\x22,\x22op\x22:\x22add\x22,\x22value\x22:[{\x22value\x22:\x22e90ef750-39cc-4062-8c35-ab6375bc455e\x22}]}]}" "-" "/source/scim/onelogin/v2/Groups/a3d0173c-e821-4f44-aa09-75779a242e52?"
authentik trace log - docker logs:
{"event":"tracing request to backend","headers":{"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["en-US,en;q=0.9,de;q=0.8"],"Cache-Control":["no-cache"],"Connection":["upgrade"],"Cookie":["authentik_csrf=Tc3; authentik_session=eyJh.pNS"],"Origin":["https://authentik.tdservice.net"],"Pragma":["no-cache"],"Sec-Websocket-Extensions":["permessage-deflate; client_max_window_bits"],"Sec-Websocket-Key":["QWf=="],"Sec-Websocket-Version":["13"],"Upgrade":["websocket"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"],"X-Forwarded-For":["1.2.3.4"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-09-05T14:42:53Z","url":"http://localhost:8000/ws/client/"}
{"domain_url": null, "event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 95278, "remote": "1.2.3.4", "schema_name": "public", "scheme": "ws", "timestamp": "2024-09-05T14:42:53.973961", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"}
{"event":"hello'd","level":"trace","logger":"authentik.outpost.ak-api-controller","loop":"ws-health","timestamp":"2024-09-05T14:42:54Z"}
{"cidr":"172.99.0.0/16","event":"Setting proxy headers","level":"trace","remoteAddr":"172.99.0.1","timestamp":"2024-09-05T14:42:56Z"}
{"event":"tracing request to backend","headers":{"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["en-US,en;q=0.9,de;q=0.8"],"Cache-Control":["no-cache"],"Connection":["upgrade"],"Cookie":["authentik_csrf=Tc3; authentik_session=eyJh.pNS"],"Origin":["https://authentik.tdservice.net"],"Pragma":["no-cache"],"Sec-Websocket-Extensions":["permessage-deflate; client_max_window_bits"],"Sec-Websocket-Key":["O9C=="],"Sec-Websocket-Version":["13"],"Upgrade":["websocket"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"],"X-Forwarded-For":["1.2.3.4"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-09-05T14:42:56Z","url":"http://localhost:8000/ws/client/"}
{"domain_url": null, "event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 96531, "remote": "1.2.3.4", "schema_name": "public", "scheme": "ws", "timestamp": "2024-09-05T14:42:56.972789", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"}
{"event":"hello'd","level":"trace","logger":"authentik.outpost.ak-api-controller","loop":"ws-health","timestamp":"2024-09-05T14:43:04Z"}
{"cidr":"172.99.0.0/16","event":"Setting proxy headers","level":"trace","remoteAddr":"172.99.0.1","timestamp":"2024-09-05T14:43:12Z"}
{"event":"tracing request to backend","headers":{"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["en-US,en;q=0.9,de;q=0.8"],"Cache-Control":["no-cache"],"Connection":["upgrade"],"Cookie":["authentik_csrf=Tc3; authentik_session=eyJh.pNS"],"Origin":["https://authentik.tdservice.net"],"Pragma":["no-cache"],"Sec-Websocket-Extensions":["permessage-deflate; client_max_window_bits"],"Sec-Websocket-Key":["upB=="],"Sec-Websocket-Version":["13"],"Upgrade":["websocket"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"],"X-Forwarded-For":["1.2.3.4"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-09-05T14:43:12Z","url":"http://localhost:8000/ws/client/"}
{"domain_url": null, "event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 95278, "remote": "1.2.3.4", "schema_name": "public", "scheme": "ws", "timestamp": "2024-09-05T14:43:12.974370", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"}
{"event":"hello'd","level":"trace","logger":"authentik.outpost.ak-api-controller","loop":"ws-health","timestamp":"2024-09-05T14:43:14Z"}
{"cidr":"172.99.0.0/16","event":"Setting proxy headers","level":"trace","remoteAddr":"172.99.0.1","timestamp":"2024-09-05T14:43:14Z"}
{"event":"tracing request to backend","headers":{"Authorization":["Bearer secret"],"Content-Type":["application/scim+json"],"User-Agent":[""],"X-Forwarded-For":["5.6.7.8"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-09-05T14:43:14Z","url":"http://localhost:8000/source/scim/onelogin/v2/Users?filter=userName+eq+%22onelogin-test-user01%22&"}
{"auth_via": "unauthenticated", "domain_url": "authentik.tdservice.net", "event": "/source/scim/onelogin/v2/Users?filter=userName+eq+%22onelogin-test-user01%22&", "host": "authentik.tdservice.net", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 95278, "remote": "5.6.7.8", "request_id": "ab550b4e9f2c45c2864500f469b46bb2", "runtime": 29, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-09-05T14:43:14.293478", "user": "ak-source-scim-4bbaea0b-65bf-4cd4-aad8-5f0da180ce30", "user_agent": ""}
{"cidr":"172.99.0.0/16","event":"Setting proxy headers","level":"trace","remoteAddr":"172.99.0.1","timestamp":"2024-09-05T14:43:14Z"}
{"event":"tracing request to backend","headers":{"Authorization":["Bearer secret"],"Content-Length":["474"],"Content-Type":["application/scim+json"],"User-Agent":[""],"X-Forwarded-For":["5.6.7.8"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-09-05T14:43:14Z","url":"http://localhost:8000/source/scim/onelogin/v2/Users/e90ef750-39cc-4062-8c35-ab6375bc455e?"}
{"action": "model_updated", "auth_via": "unauthenticated", "client_ip": "5.6.7.8", "context": {"asn": {"as_org": "AMAZON-02", "asn": 16509, "network": "52.24.0.0/13"}, "geo": {"city": "Frankfurt am Main", "continent": "EU", "country": "DE", "lat": 50.1187, "long": 8.6842}, "http_request": {"args": {}, "method": "PUT", "path": "/source/scim/onelogin/v2/Users/e90ef750-39cc-4062-8c35-ab6375bc455e", "request_id": "d363450884e9408b9791f08a009df003", "user_agent": ""}, "model": {"app": "authentik_core", "model_name": "user", "name": "AAA Test User 01", "pk": 7}}, "domain_url": "authentik.tdservice.net", "event": "Created Event", "host": "authentik.tdservice.net", "level": "info", "logger": "authentik.events.models", "pid": 95278, "request_id": "d363450884e9408b9791f08a009df003", "schema_name": "public", "timestamp": "2024-09-05T14:43:15.078349", "user": {"email": "", "pk": 6, "username": "ak-source-scim-4bbaea0b-65bf-4cd4-aad8-5f0da180ce30"}}
{"auth_via": "unauthenticated", "domain_url": "authentik.tdservice.net", "event": "Task published", "host": "authentik.tdservice.net", "level": "info", "logger": "authentik.root.celery", "pid": 95278, "request_id": "d363450884e9408b9791f08a009df003", "schema_name": "public", "task_id": "3335a1d25b954574887b444f9118c42e", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2024-09-05T14:43:15.110007"}
{"auth_via": "unauthenticated", "domain_url": "authentik.tdservice.net", "event": "/source/scim/onelogin/v2/Users/e90ef750-39cc-4062-8c35-ab6375bc455e", "host": "authentik.tdservice.net", "level": "info", "logger": "authentik.asgi", "method": "PUT", "pid": 95278, "remote": "5.6.7.8", "request_id": "d363450884e9408b9791f08a009df003", "runtime": 602, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-09-05T14:43:15.117802", "user": "ak-source-scim-4bbaea0b-65bf-4cd4-aad8-5f0da180ce30", "user_agent": ""}
{"cidr":"172.99.0.0/16","event":"Setting proxy headers","level":"trace","remoteAddr":"172.99.0.1","timestamp":"2024-09-05T14:43:15Z"}
{"event":"tracing request to backend","headers":{"Authorization":["Bearer secret"],"Content-Length":["165"],"Content-Type":["application/scim+json"],"User-Agent":[""],"X-Forwarded-For":["5.6.7.8"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-09-05T14:43:15Z","url":"http://localhost:8000/source/scim/onelogin/v2/Groups/080cf9f3-0912-44e4-ab91-0d467b154db1?"}
{"auth_via": "unauthenticated", "domain_url": "authentik.tdservice.net", "event": "/source/scim/onelogin/v2/Groups/080cf9f3-0912-44e4-ab91-0d467b154db1", "host": "authentik.tdservice.net", "level": "info", "logger": "authentik.asgi", "method": "PATCH", "pid": 95278, "remote": "5.6.7.8", "request_id": "c49dc755a27f484e938f09a7936a378e", "runtime": 23, "schema_name": "public", "scheme": "https", "status": 405, "timestamp": "2024-09-05T14:43:15.204668", "user": "ak-source-scim-4bbaea0b-65bf-4cd4-aad8-5f0da180ce30", "user_agent": ""}
{"cidr":"172.99.0.0/16","event":"Setting proxy headers","level":"trace","remoteAddr":"172.99.0.1","timestamp":"2024-09-05T14:43:15Z"}
{"event":"tracing request to backend","headers":{"Authorization":["Bearer secret"],"Content-Length":["165"],"Content-Type":["application/scim+json"],"User-Agent":[""],"X-Forwarded-For":["5.6.7.8"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-09-05T14:43:15Z","url":"http://localhost:8000/source/scim/onelogin/v2/Groups/a3d0173c-e821-4f44-aa09-75779a242e52?"}
{"auth_via": "unauthenticated", "domain_url": "authentik.tdservice.net", "event": "/source/scim/onelogin/v2/Groups/a3d0173c-e821-4f44-aa09-75779a242e52", "host": "authentik.tdservice.net", "level": "info", "logger": "authentik.asgi", "method": "PATCH", "pid": 95278, "remote": "5.6.7.8", "request_id": "6ed64d066752462199e1c68092615f3d", "runtime": 23, "schema_name": "public", "scheme": "https", "status": 405, "timestamp": "2024-09-05T14:43:15.266977", "user": "ak-source-scim-4bbaea0b-65bf-4cd4-aad8-5f0da180ce30", "user_agent": ""}
Unfortunately there are no logs from OneLogin, but I hope the nginx logs in front of authentik are sufficient to see enough details.
Version and Deployment (please complete the following information):
- authentik version: 2024.8.0
- Deployment: docker-compose
Additional context
To make the user provisioning possible, we had to rewrite the Content-Type header to "application/scim+json".
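For triage, a reverse-proxy log in the shape shown under "nginx log" can be mined for the group membership changes that were rejected with 405, so the affected memberships can be reconciled by hand. This is an added example, not part of the original report or of authentik; the nginx field layout is inferred from the lines above, and the sample lines, IP address and UUIDs are constructed.

```python
import json
import re

# Assumed field layout, inferred from the log lines in the report:
# ip - - [time] "request" status bytes "referer" "content-type" "body" ...
LINE_RE = re.compile(
    r'^\S+ - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ctype>[^"]*)" "(?P<body>[^"]*)"'
)
GROUP_RE = re.compile(r"/v2/Groups/(?P<gid>[0-9a-fA-F-]{36})")
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample lines (not taken from the report): one accepted PUT, one rejected PATCH.
SAMPLE = [
    r'192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "PUT /source/scim/onelogin/v2/Users/00000000-0000-4000-8000-000000000001? HTTP/1.1" 200 832 "-" "application/json" "{\x22userName\x22:\x22constructed-user\x22}" "-" "/source/scim/onelogin/v2/Users/00000000-0000-4000-8000-000000000001?"',
    r'192.0.2.10 - - [01/Jan/2024:00:00:02 +0000] "PATCH /source/scim/onelogin/v2/Groups/00000000-0000-4000-8000-0000000000a1? HTTP/1.1" 405 42 "-" "application/json" "{\x22schemas\x22:[\x22urn:ietf:params:scim:api:messages:2.0:PatchOp\x22],\x22Operations\x22:[{\x22path\x22:\x22members\x22,\x22op\x22:\x22add\x22,\x22value\x22:[{\x22value\x22:\x2200000000-0000-4000-8000-000000000001\x22}]}]}" "-" "/source/scim/onelogin/v2/Groups/00000000-0000-4000-8000-0000000000a1?"',
]


def unescape_nginx(field):
    """Undo nginx's \\xHH escaping of a logged variable (byte-wise, then UTF-8)."""
    raw = re.sub(rb"\\x([0-9A-Fa-f]{2})",
                 lambda m: bytes([int(m.group(1), 16)]), field.encode())
    return raw.decode("utf-8", "replace")


def rejected_membership_changes(lines):
    """Return (timestamp, group_id, op, member_id) for every member change in a
    SCIM PatchOp on a Group that the server answered with 405."""
    missed = []
    for line in lines:
        m = LINE_RE.match(line)
        g = GROUP_RE.search(m["uri"]) if m else None
        if not g or m["method"] != "PATCH" or m["status"] != "405":
            continue
        try:
            body = json.loads(unescape_nginx(m["body"]))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON body: nothing to recover
        if not isinstance(body, dict) or PATCH_OP not in body.get("schemas", []):
            continue
        for op in body.get("Operations", []):
            if str(op.get("path", "")).lower() != "members":
                continue
            values = op.get("value") or []
            for v in [values] if isinstance(values, dict) else values:
                missed.append((m["ts"], g["gid"], str(op.get("op", "")).lower(), v.get("value")))
    return missed
```

Calling `rejected_membership_changes(SAMPLE)` returns one tuple, for the `add` operation carried by the rejected PATCH.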