Description
When calling the SCIM endpoint /Users?filter=userName eq {emailId} I am getting various kinds of responses/errors.
If the user with the email ID is present, I get back the user details.
If the user is not present, I get an empty List response.
If the user is in the pending list, or the pending invite has expired or been deleted, I get status 400 Bad Request.
Error
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:Error"
  ],
  "detail": "User {email ID} not exist or not belong to this account.",
  "status": 400
}
Which App Type (OAuth / Chatbot / JWT / Webhook)?
SCIM, OAuth, SAML
Which Endpoint/s?
SCIM v2 /Users?filter=userName eq {email}
How To Reproduce (If applicable)
Steps to reproduce the behavior:
Add a random dummy email ID in the query of the SCIM API (a user who is not present in the Zoom users); we get an empty list response from the SCIM API call.
Invite this user and make the same call again - we get the 400 error code.
Additional context
My question is what is the reason to treat the pending users differently?
Why am I getting the status code 400 error even after deleting the pending invite or after the invite has expired?
Are there any other cases where the users are treated differently (like in pending list) and return 400 error when queried from SCIM API?
I guess this is wrong because when I query for a random user xyz@gmail.com who is not in my account currently and has never been invited at all (which is a non-existing account), I get a response of an empty list from the SCIM API endpoint. Why is that?
@chanikya.mohank My mistake, you're correct, when it's a non-existing user you would get a 200 status. This should be a 404 not found. I will alert our Engineers about this so that we can make a change.
So now, after the correction, the 400 error would result only in the case of a pending user, right? (as the non-existing user will return 404 after the correction you mentioned)
Would the pending user be the only single case where the response would be 404 or are there any other cases?
Is it correct to treat the deleted pending user’s invite email with 400 instead of 404, as the pending invite is no longer belonging to the account and the account does not exist in the zoom account?
Because, consider the case where the Zoom admin invites a user (using the user's email) and the user did not accept the email invite. It's been more than 30 days now or the admin has deleted the pending invite from the pending users list. Now, if the admin tries to provision the same user's email from some 3rd party Identity provider into Zoom via the SCIM API, Zoom will throw a 400 error instead of 404 and they cannot reuse the email (which was pending before) for provisioning at all because it's a 400 error and 400 can be caused by any reason. The only solution in this case would be to invite the user again through a Zoom invite but that would not be provisioning.
"It is designed that the non-existent user returns empty data. When Azure, Okta and other cloud platforms supporting SCIM use SCIM API to synchronously create the user in the Zoom, they will first call /scim2/Users?filter=userName eq {email}. If empty data is received, these platforms will request to create new users. If 400 is returned, they will stop creating new users synchronously.
Request List Users API to query the user in the pending list will return an error “User {email ID} not exist or not belong to this account” because of our invitation process design of work email.
These users, which do not confirm the invitation, actually temporarily belong to a nonexistent account, and the account id is randomly generated. However, when we call List User API, we will match the User’s account id with the current account, which will result in an error if the user queried in the pending List.
At present, only this kind of situation is special and can lead to this kind of problem."
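The lookup-then-create flow described in the reply above, as an added example that is not part of the thread or Zoom's own code: a provisioning client deciding what to do with each filter response. The function name `decide`, the reason strings and the sample bodies are assumptions constructed for illustration, and matching on the detail text is a heuristic based only on the error message quoted in the thread.

```python
import json

LIST_URN = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_URN = "urn:ietf:params:scim:api:messages:2.0:Error"
# Fragment of the detail text quoted in the thread for pending-list users.
PENDING_HINT = "not exist or not belong to this account"


def decide(http_status, raw_body):
    """Map one filter lookup to (action, reason); action is create/update/halt."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ("halt", "not-json")
    if not isinstance(body, dict):
        return ("halt", "unexpected-response")
    schemas = body.get("schemas") or []
    if http_status >= 400 or ERROR_URN in schemas:
        # RFC 7644 carries "status" as a string; the thread shows an integer.
        status = str(body.get("status", http_status))
        if status == "400" and PENDING_HINT in str(body.get("detail", "")):
            # Heuristic: flag for an operator instead of retrying or creating.
            return ("halt", "pending-invite")
        return ("halt", "scim-error-" + status)
    if http_status != 200 or LIST_URN not in schemas:
        return ("halt", "unexpected-response")
    resources = body.get("Resources") or []
    if not resources:
        return ("create", "no-match")  # empty list: safe to POST a new user
    if len(resources) > 1:
        return ("halt", "ambiguous-match")  # eq on userName should be unique
    return ("update", "match")


# Constructed sample bodies (not captured from Zoom).
EMPTY = json.dumps({"schemas": [LIST_URN], "totalResults": 0, "Resources": []})
FOUND = json.dumps({"schemas": [LIST_URN], "totalResults": 1,
                    "Resources": [{"id": "example-id", "userName": "a@example.com"}]})
PENDING = json.dumps({"schemas": [ERROR_URN], "status": 400,
                      "detail": "User b@example.com not exist or not belong to this account."})

if __name__ == "__main__":
    for name, status, body in [("empty", 200, EMPTY), ("found", 200, FOUND),
                               ("pending", 400, PENDING)]:
        print(name, decide(status, body))
```

Treating the pending-invite case as its own halt reason lets the sync job report it separately from other 400 responses, which the thread notes can have any cause.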