AWS SCIM Provisioning Failure

[arcdigital]

Describe the bug
AWS is returning 400s during the SCIM sync. It looks like authentik is trying to do a PATCH request that AWS doesn't like.

{"domain_url": null, "event": "Failed to send SCIM request", "level": "warning", "logger": "authentik.lib.sync.outgoing.base", "method": "PATCH", "path": "/Groups/uuid", "provider": "AWS SCIM", "response": "{"schema":["urn:ietf:params:scim:api:messages:2.0:Error"],"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Current PATCH support allows omitting \"path\" attribute only for Add and Replace operations modifying a single attribute.","status":"400","exceptionRequestId":"uuid","timeStamp":"2024-12-10 19:50:00.531"}", "schema_name": "public", "task_id": "task-ID", "timestamp": "2024-12-10T19:50:00.539728"}

Version and Deployment (please complete the following information):

• authentik version: 2024.10.4

[uptownhr]

I am currently using 2024.8.4 and also experiencing this issue. I'd also like to add that there are warning logs in the Sync Status area of the aws-scim provider section.

[fullykubed]

@BeryJu It appears the problem is here which you last updated to introduce PATCH support.

The way that this is implemented sends a PATCH request with the full group model dumped as JSON. However, AWS only supports PATCH with a single group property at a time.

As far as I can tell, this doesn't seem too bad of a bug atm, but definitely not ideal. While groups can still be created, deleted, and have their membership change, you would not be able to update things like the name have then have that reflected in AWS.

Do you have any thoughts on whether a workaround is possible?

[fullykubed]

It would be kindof nice to be able to override the configuration values returned by the providers /ServiceProviderConfig endpoint to be able to deal with cases like this where the SCIM target has weird limitations (code).

To be fair to Authentik, it looks like AWS is the one not conformant with the SCIM PATCH spec currently. However, being able to integrate with AWS without issue is likely important to many Authentik users.

[fullykubed]

It might make sense just to do a fallback to PUT if the PATCH doesn't work?

[fullykubed]

@BeryJu Would you be open to a PR that implements the retry / fallback to PUT if PATCH doesn't work?

[argo1984]

Are there any news regarding to it? Is there an existing workaround?

[jorhett]

As far as I can tell, this doesn't seem too bad of a bug atm, but definitely not ideal. While groups can still be created, deleted, and have their membership change, you would not be able to update things like the name have then have that reflected in AWS.

I have recently setup AWS SCIM and NO groups are successfully being created due to this bug, so yes it is TOO bad of a bug. It makes SCIM effectively worthless for AWS.

[fullykubed]

@jorhett Just for clarity, we regularly set up new authentik<->aws integrations and the initial provisioning seems to work fine. Not saying you aren't valid in your concern here (@BeryJu still happy to tackle this if you sign-off), but might be worth double checking something else isn't amiss in your setup.

[argo1984]

@fullykubed the initial sync seemed to work for me as well but i had some issues and resettet the syn. the "2nd initial sync" didn't deploy the groups. I resetted everything on aws side.

[fullykubed]

That makes sense. Good to know!

[jorhett]

@fullykubed I'm 100% willing to investigate anything it could be on our side. The reason I opened this issue is that I can't find anything left I can debug:

• AWS Is masking all the details so I don't even know what entry they say is a duplicate
• I can't seem to find any way to get higher levels of debug out of Authentik

I'm a coder happy and willing to identify the problem and even provide a patch if I can find a way to get more debug output to tell me what's going on here.

Looking at the cloudtrail logs it seems we are issuing more CreateUser requests when the user list hasn't change. So it seems likely that something isn't syncing up correctly, and authentik believes it needs to create the users.

Also, as @argo1984 experienced, our Groups are synced but have zero members.

[jorhett]

Just being able to get a cleartext copy of the SCIM transactions would really help.

[fullykubed]

@jorhett To be clear, I am just another user like yourself who has stumbled upon this unfortunate problem. I have done the necessary inspection of the network traffic to highlight the root cause here. I am also willing to allocate resources from my company to fix it. However, ultimately my hands are tied because Authentik's CTO @arcdigital is the one who introduced the code change and he hasn't been able / willing to respond to our offer to help assist in fixing this integration.

[arcdigital]

@fullykubed What? I'm neither Authentik's CTO, nor the person who introduced the code change?? I literally opened this issue because I'm experiencing this problem myself.