docs(scim2): Document /Schemas endpoints in service-provider OpenAPI specs (fixes wso2/product-is#19494)

[pavinduLakshan]

Purpose

$subject

Related Issues

• SCIM2 schemas endpoint is not in yaml file and not documentated  product-is#19494

Related PRs

N/A

Test environment

Security checks

• Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines?
• Ran FindSecurityBugs plugin and verified report?
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets?

Summary by CodeRabbit

Release Notes

• New Features
  • Added SCIM schema browsing endpoints: list all schemas via GET /Schemas and retrieve specific schemas by ID via GET /Schemas/{schemaId}
  • Introduced new API response structures supporting schema metadata retrieval with pagination and detailed attribute information

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[AnuradhaSK]

Let's mention authentication reuirement even though Scope(Permission) required.

[AnuradhaSK]

Missing the API change in organizational APIs and Asgardeo API docs

[coderabbitai]

Walkthrough

Four SCIM 2 API specification files are updated across versions 7.0.0, 7.1.0, 7.2.0, and next to introduce schema browsing capabilities. Each adds two new endpoints (GET /Schemas and GET /Schemas/{schemaId}) and three schema definitions (Schema, SchemaResponse, SchemaListResponse) to the API specification.

Changes

Cohort / File(s)

Summary

SCIM Schema Endpoints & Definitions en/identity-server/7.0.0/docs/apis/restapis/scim2-sp-configs.yaml, en/identity-server/7.1.0/docs/apis/restapis/scim2-sp-configs.yaml, en/identity-server/7.2.0/docs/apis/restapis/scim2-sp-configs.yaml, en/identity-server/next/docs/apis/restapis/scim2-sp-configs.yaml

Added GET /Schemas endpoint to list all schemas and GET /Schemas/{schemaId} to retrieve a schema by id, both with 200/401 responses and curl examples. Introduced three new public schemas: Schema (id, name, description, attributes array), SchemaResponse (wrapper with same fields), and SchemaListResponse (pagination with totalResults, startIndex, itemsPerPage, Resources array, schemas array). (+117–119 lines per file)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hoppy schemas hop into view,
Four API specs all updated true!
New endpoints dance and definitions play,
SCIM standards brightening the way! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: documenting SCIM2 /Schemas endpoints in OpenAPI specs, with a specific issue reference.
Description check	✅ Passed	The description includes the Purpose section with a related issue link, Security checks (all marked complete), and Related PRs section, though Test environment remains empty.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@en/identity-server/7.1.0/docs/apis/restapis/scim2-sp-configs.yaml`:
- Around line 103-105: The curl example for the GET operation on
'/scim2/Schemas' is missing an Authorization header and will 401 when
OAuth2/BasicAuth is required; update the sample in the scim2-Schemas snippet to
include an Authorization header (e.g., "Authorization: Bearer <ACCESS_TOKEN>" or
"Authorization: Basic <BASE64_CREDS>") so the request demonstrates an
authenticated call for the GET /scim2/Schemas example.

In `@en/identity-server/7.2.0/docs/apis/restapis/scim2-sp-configs.yaml`:
- Around line 103-105: Update the curl example for the GET /scim2/Schemas
request to include an Authorization header so the sample conforms to the
spec-level security; in the scim2 /Schemas curl snippet add a header like
Authorization: Bearer <access_token> (or Authorization: Basic <base64_creds>) to
the request so it will not return 401 when security is required.

In `@en/identity-server/next/docs/apis/restapis/scim2-sp-configs.yaml`:
- Around line 103-105: The curl example for the GET /Schemas request in
scim2-sp-configs.yaml is missing an Authorization header and will 401 when
security (OAuth2/BasicAuth) is defined; update the sample curl command that
targets 'GET https://localhost:9443/scim2/Schemas' to include an Authorization
header (e.g. -H "Authorization: Bearer <access_token>" or -u
'<username>:<password>' for Basic) so the request uses the configured security
scheme when invoking the /Schemas operation.

🧹 Nitpick comments (5)

en/identity-server/7.2.0/docs/apis/restapis/scim2-sp-configs.yaml (1)

136-139: URL-encode schemaId and include auth in the sample.

The URN contains reserved characters; encoding avoids copy/paste failures. Also add auth to match the security requirement.

✅ Suggested update

             curl -X 'GET' \
-            'https://localhost:9443/scim2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User' \
-            -H 'accept: application/scim+json'
+            'https://localhost:9443/scim2/Schemas/urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Acore%3A2.0%3AUser' \
+            -H 'accept: application/scim+json' \
+            -H 'Authorization: Bearer {bearer_token}'

en/identity-server/7.0.0/docs/apis/restapis/scim2-sp-configs.yaml (2)

109-113: URL-encode schemaId in the example path.

This avoids issues when clients treat the URN’s reserved characters literally.

✅ Suggested update

             curl -X 'GET' \
-            'https://localhost:9443/scim2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User' \
+            'https://localhost:9443/scim2/Schemas/urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Acore%3A2.0%3AUser' \
             -H 'accept: application/scim+json' \
             -H 'Authorization: Bearer {bearer_token}'

---

159-199: Consider maxItems to satisfy CKV_OPENAPI_21.

Checkov flags arrays without maxItems. If there are known limits for attributes, Resources, or schemas, adding them would clear the warning and make constraints explicit.

en/identity-server/7.1.0/docs/apis/restapis/scim2-sp-configs.yaml (1)

136-140: URL-encode schemaId and include auth in the sample.

Encoding the URN avoids copy/paste failures; add auth to match the security requirement.

✅ Suggested update

             curl -X 'GET' \
-            'https://localhost:9443/scim2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User' \
-            -H 'accept: application/scim+json'
+            'https://localhost:9443/scim2/Schemas/urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Acore%3A2.0%3AUser' \
+            -H 'accept: application/scim+json' \
+            -H 'Authorization: Bearer {bearer_token}'

en/identity-server/next/docs/apis/restapis/scim2-sp-configs.yaml (1)

136-140: URL-encode schemaId and include auth in the sample.

Encoding the URN avoids copy/paste failures; add auth to match the security requirement.

✅ Suggested update

             curl -X 'GET' \
-            'https://localhost:9443/scim2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User' \
-            -H 'accept: application/scim+json'
+            'https://localhost:9443/scim2/Schemas/urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Acore%3A2.0%3AUser' \
+            -H 'accept: application/scim+json' \
+            -H 'Authorization: Bearer {bearer_token}'

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add Authorization header to the /Schemas curl sample.

With OAuth2/BasicAuth defined at the spec level, this sample will likely 401 unless auth is included (or the operation is explicitly marked anonymous).

✅ Suggested update

             curl -X 'GET' \
             'https://localhost:9443/scim2/Schemas' \
-            -H 'accept: application/scim+json'
+            -H 'accept: application/scim+json' \
+            -H 'Authorization: Bearer {bearer_token}'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	curl -X 'GET' \
	'https://localhost:9443/scim2/Schemas' \
	-H 'accept: application/scim+json'
	curl -X 'GET' \
	'https://localhost:9443/scim2/Schemas' \
	-H 'accept: application/scim+json' \
	-H 'Authorization: Bearer {bearer_token}'

🤖 Prompt for AI Agents

In `@en/identity-server/7.1.0/docs/apis/restapis/scim2-sp-configs.yaml` around
lines 103 - 105, The curl example for the GET operation on '/scim2/Schemas' is
missing an Authorization header and will 401 when OAuth2/BasicAuth is required;
update the sample in the scim2-Schemas snippet to include an Authorization
header (e.g., "Authorization: Bearer <ACCESS_TOKEN>" or "Authorization: Basic
<BASE64_CREDS>") so the request demonstrates an authenticated call for the GET
/scim2/Schemas example.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add Authorization header to the /Schemas curl sample.

The spec-level security requires OAuth2/BasicAuth, so this sample will likely 401 unless auth is added (or the operation is explicitly marked anonymous).

✅ Suggested update

             curl -X 'GET' \
             'https://localhost:9443/scim2/Schemas' \
-            -H 'accept: application/scim+json'
+            -H 'accept: application/scim+json' \
+            -H 'Authorization: Bearer {bearer_token}'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	curl -X 'GET' \
	'https://localhost:9443/scim2/Schemas' \
	-H 'accept: application/scim+json'
	curl -X 'GET' \
	'https://localhost:9443/scim2/Schemas' \
	-H 'accept: application/scim+json' \
	-H 'Authorization: Bearer {bearer_token}'

🤖 Prompt for AI Agents

In `@en/identity-server/7.2.0/docs/apis/restapis/scim2-sp-configs.yaml` around
lines 103 - 105, Update the curl example for the GET /scim2/Schemas request to
include an Authorization header so the sample conforms to the spec-level
security; in the scim2 /Schemas curl snippet add a header like Authorization:
Bearer <access_token> (or Authorization: Basic <base64_creds>) to the request so
it will not return 401 when security is required.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add Authorization header to the /Schemas curl sample.

With OAuth2/BasicAuth defined at the spec level, this sample will likely 401 unless auth is included (or the operation is explicitly marked anonymous).

✅ Suggested update

             curl -X 'GET' \
             'https://localhost:9443/scim2/Schemas' \
-            -H 'accept: application/scim+json'
+            -H 'accept: application/scim+json' \
+            -H 'Authorization: Bearer {bearer_token}'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	curl -X 'GET' \
	'https://localhost:9443/scim2/Schemas' \
	-H 'accept: application/scim+json'
	curl -X 'GET' \
	'https://localhost:9443/scim2/Schemas' \
	-H 'accept: application/scim+json' \
	-H 'Authorization: Bearer {bearer_token}'

🤖 Prompt for AI Agents

In `@en/identity-server/next/docs/apis/restapis/scim2-sp-configs.yaml` around
lines 103 - 105, The curl example for the GET /Schemas request in
scim2-sp-configs.yaml is missing an Authorization header and will 401 when
security (OAuth2/BasicAuth) is defined; update the sample curl command that
targets 'GET https://localhost:9443/scim2/Schemas' to include an Authorization
header (e.g. -H "Authorization: Bearer <access_token>" or -u
'<username>:<password>' for Basic) so the request uses the configured security
scheme when invoking the /Schemas operation.