What are all the cases where the Zoom SCIM API returns Error 400 Bad Request even if the query params are correct?

Description
When calling the SCIM endpoint /Users?filter=userName eq {emailId} I am getting various kinds of responses/errors.

  1. If the user with the email id is present getting back the user details.
  2. If the user is not present then getting an empty List response.
  3. If the user is in pending list or the pending invite has been expired/deleted I am getting status 400 Bad Request.

Error
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:Error"
  ],
  "detail": "User {email ID} not exist or not belong to this account.",
  "status": 400
}

Which App Type (OAuth / Chatbot / JWT / Webhook)?
SCIM, OAuth, SAML

Which Endpoint/s?
SCIM v2 /Users?filter=userName eq {email}

How To Reproduce (If applicable)
Steps to reproduce the behavior:

  1. add a random dummy email id in the query of SCIM API (user who is not present in the zoom users) we get an empty list response from the SCIM API call
  2. Invite this user and make the same call again - we get the 400 error code.

Additional context

  1. My question is what is the reason to treat the pending users differently?
  2. Why am I getting the status code 400 error even after deleting the pending invite/ the invite got expired?
  3. Are there any other cases where the users are treated differently (like in pending list) and return 400 error when queried from SCIM API?

Hi @chanikya.mohank,

Pending users are not actual users so you will get a 404 error.

Since a pending user is not an actual user you will get a 404 after deleting a pending user.

Right now for the SCIM errors it’s by design that the same error code 404 is returned for both not existing accounts and users that are out of your account.

Let us know if you have any other questions.

Thanks

Hello @Michael_Purnell,

Thanks for the reply.

I guess this is wrong because when I query for a random user xyz@gmail.com who is not in my account currently and never been invited at all (which is a not existing account), I get a response of empty list from SCIM API endpoint. Why is that?

@chanikya.mohank My mistake, you’re correct, when it’s a non-existing user you would get a 200 status. This should be a 404 not found. I will alert our Engineers about this so that we can make a change.

Thanks

@Michael_Purnell, thanks for the consideration.

So now, after the correction, the 400 error would result only in the case of a pending user, right? (as the not existing will return 404 after the correction you said now)

Would the pending user be the only single case where the response would be 404 or are there any other cases?

Is it correct to treat the deleted pending user’s invite email with 400 instead of 404, as the pending invite is no longer belonging to the account and the account does not exist in the zoom account?

Thanks.

Hey @chanikya.mohank,

Correct.

The other instance where the endpoint would return a 404 is if the url path was incorrect.

For example: https://api.zoom.us/v2/scim2/Users would throw a 404, since you should not include the v2 path.

Are you suggesting it should be 404 instead of 400?

Thanks,
Tommy

Yes, @tommy.

Because, consider the case where the Zoom admin invites a user (using the user’s email) and the user did not accept the email invite. It’s been more than 30 days now or the admin has deleted the pending invite from the pending users list. Now, if the admin tries to provision the same user’s email from some 3rd party Identity provider into zoom via SCIM API, zoom will throw 400 error instead of 404 and they cannot reuse the email (which was pending before) for provisioning at all because it’s a 400 error and 400 can be caused by any reason. The only solution in this case would be to invite the user again through zoom invite but that would not be provisioning.

Hey @chanikya.mohank,

Thanks for your input here. I will pass this along to the team. CC @Michael_Purnell

-Tommy

@tommy any updates on the decision for the fix?

Thank you.

Hey @chanikya.mohank,

No updates yet. We are discussing this and will get back to you with an update. (ZOOM-135505)

Thanks,
Tommy

Hello @tommy,

Any updates on the issue?

Thanks.

Hey @chanikya.mohank,

Here is an update from one of our engineers:

"It is designed that the non-existent user returns empty data. When Azure, Okta and other cloud platforms supporting SCIM use SCIM API to synchronously create the user in the Zoom, they will first call /scim2/Users?filter=userName eq {email}. If empty data is received, these platforms will request to create new users. If 400 is returned, they will stop creating new users synchronously.

Request List Users API to query the user in the pending list will return an error “User {email ID} not exist or not belong to this account” because of our invitation process design of work email.

These users, which do not confirm the invitation, actually temporarily belong to a nonexistent account, and the account id is randomly generated. However, when we call List User API, we will match the User’s account id with the current account, which will result in an error if the queried user is in the pending list.

At present, only this kind of situation is special and can lead to this kind of problem."

Thanks,
Tommy
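
How a provisioning client might separate the three lookup outcomes described in this thread, as an added example that is not part of the original posts and is not Zoom's code. The ListResponse bodies are constructed following RFC 7644, the error body copies the shape quoted above with a placeholder address, and the function name, return labels and the match on the `detail` text are assumptions.

```python
import json

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# Substring of the "detail" text quoted in the thread; relying on it is an assumption.
PENDING_DETAIL = "not exist or not belong to this account"

# Constructed sample bodies (not captured from a real account).
FOUND = json.dumps({"schemas": [LIST_SCHEMA], "totalResults": 1,
                    "Resources": [{"id": "placeholder-id", "userName": "user@example.com"}]})
EMPTY = json.dumps({"schemas": [LIST_SCHEMA], "totalResults": 0, "Resources": []})
PENDING = json.dumps({"schemas": [ERROR_SCHEMA], "status": 400,
                      "detail": "User user@example.com not exist or not belong to this account."})
OTHER_400 = json.dumps({"schemas": [ERROR_SCHEMA], "status": 400, "detail": "Invalid filter."})


def classify_lookup(http_status: int, body: str) -> str:
    """Map a /Users?filter=userName eq {email} response to a provisioning decision.

    Returns "exists", "create", "pending_invite" or "halt". Anything that is not
    positively recognised yields "halt", so an unexpected 400 never causes a create.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return "halt"
    if not isinstance(doc, dict) or not isinstance(doc.get("schemas"), list):
        return "halt"
    schemas = doc["schemas"]

    if http_status == 200 and LIST_SCHEMA in schemas:
        # Empty list: the address is unknown to the account, so the IdP may create it.
        return "exists" if doc.get("Resources") else "create"

    if http_status == 400 and ERROR_SCHEMA in schemas:
        # The pending-invite case: surface it to an operator instead of retrying.
        if PENDING_DETAIL in str(doc.get("detail", "")):
            return "pending_invite"
    return "halt"


if __name__ == "__main__":
    for name, (status, body) in {"found": (200, FOUND), "empty": (200, EMPTY),
                                 "pending": (400, PENDING), "other": (400, OTHER_400)}.items():
        print(name, "->", classify_lookup(status, body))
```
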