draft-hunt-secevent-stream-mgmt.xml

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type='text/xsl' href='http://xml.resource.org/authoring/rfc2629.xslt' ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-hunt-secevent-stream-mgmt-00"
	ipr="trust200902">
	<front>
		<title abbrev="draft-hunt-secevent-stream-mgmt">
			SET Security Event Stream Management and Provisioning</title>

		<author fullname="Phil Hunt" initials="P." role="editor"
			surname="Hunt">
			<organization abbrev="Oracle">Oracle Corporation</organization>

			<address>
				<email>phil.hunt@yahoo.com</email>
			</address>
		</author>

		<date year="2017" />

		<keyword>Internet-Draft</keyword>

		<abstract>
			<t>
				This specification defines a "control plane" service which
        enables a client (e.g. an Event Receiver) to establish,
        monitor, and manage a Security Event Token
        Stream.
        </t>
		</abstract>
	</front>

	<middle>
		<section anchor="intro" title="Introduction and Overview" toc="default">
			
      <t>
      This specification defines a "Control Plane" service that defines 
      how an Event Receiver or its agent may provision, monitor, and manage 
      the configuration of an Event Stream that delivers Security Event Tokens 
      (see <xref target="I-D.ietf-secevent-token"/>) using delivery 
      methods such as specified in the SET Delivery Using HTTP 
      Specification (see <xref target="I-D.ietf-secevent-delivery"/>).
      </t>
      <t> 
      The specification defines the common metadata Event Transmitters
      and Receivers use to describe HTTP service endpoints, methods, optional
      signing and encryption modes, as well as the type and content of SETs
      delivered over a Stream. The specification defines how
      the Event Receiver parties may review and update the current 
      configuration and confirm operational delivery status using HTTP over TLS. 
      </t>    
      
      <t>The mandatory part of this specification (see <xref target="monitorStream"/>) 
      uses a profile of SCIM (see <xref target="RFC7643"/> and 
      <xref target="RFC7644"/>) to implement Event Stream configuration, monitoring
      and retrieval using HTTP GET <xref target="RFC7231">Section 4.3.1</xref>. 
      Additionally, SCIM MAY be used to manage and update Event Stream
      configuration and operational state.</t>
      
      <t>The choice os SCIM has been recommended as it is intended as
      a general purpose layer that can be applied to many underlying systems.
      SCIM's extensibility mechanisms to define data types (resource types)
      enable it to be flexibly used by specifications intenting to profile
      SET Tokens and Delivery for use in many ways.</t>
      
      <t>For the purposes of the Control Plane, SCIM <xref target="RFC7643">Section 2</xref>
      provides the JSON data definitions that enable the Control Plane to allow
      service providers and clients to negotiate attributes and
      resource types used in different SET Profiles. This includes 
      declarations and discovery of attribute types, mutability, 
      cardinality, and returnability that MAY differ between deployments 
      and SET Event type profiles. For HTTP protocol handling and error 
      signaling, the processing rules in <xref target="RFC7644"/> SHALL be applied. </t>  

			<section anchor="notat" title="Notational Conventions" toc="default">
				<t>
					The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
					"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
					this
					document are to be interpreted as described in
					<xref target="RFC2119" />
					. These keywords are capitalized when used to
					unambiguously specify requirements of the protocol or application
					features and behavior that affect the inter-operability and security of
					implementations. When these words are not capitalized, they are
					meant
					in their natural-language sense.
				</t>

				<t>
					For purposes of readability examples are not URL encoded.
					Implementers MUST percent encode URLs as described in
					<xref target="RFC3986">Section 2.1 of</xref>. Many examples
          show only partial response and may use <spanx style="verb">...</spanx>
          to indicate omitted data.
				</t>

				<t>Throughout this documents all figures MAY contain spaces and
					extra	line-wrapping for readability and space limitations. 
          Similarly, some URI's contained within examples, have been 
          shortened for space and readability reasons.
				</t>
			</section>

			<section anchor="defs" title="Definitions" toc="default">
        <t>This specification assumes terminology defined in the Security
        Event Token specification <xref target="I-D.ietf-secevent-token"/>
        and SET Token Delivery specification <xref target="I-D.ietf-secevent-delivery"/>.</t>
        
				<t>
			  The following definitions are defined for Security Event distribution:
				<list style="hanging">
                        
            <t hangText="Control Plane"><vspace/>
              A Control Plane represents an service offered by an Event
              Transmitter that lets an Event Receiver query the current
              operational and/or error status of an Event Stream.  The
              Control Plane MAY also be used to retrieve Event Stream
              and SET configuration data.
            </t>
            
            <t hangText="Data Plane"><vspace/>
              The Data Plane represents the HTTP service offered by an 
              Event Receiver that allows the Event Transmitter to 
              deliver multiple SETs via HTTP POST as part of an Event
              Stream.</t>
              
            <t hangText="Client">A Client is any actor, typically
            represented by an authorization credential, authorized to 
            make changes to an Event Stream. Verify often this is
            an actor belonging to the Event Receiver organization. Actors
            can be servers, monitoring services, and administrators.</t>
           
				</list></t>
			</section>
		</section>
    

    <section anchor="monitorStream" title="Stream Monitoring and Configuration Retrieval">
  
    <t>The Control Plane is an HTTP service associated with an Event 
    Transmitter that enables the provisioning and monitoring of Event 
    Streams by entities such Event Receivers, administrators, and 
    monitoring services. This section describes required functionality 
    to enable Event Receivers to retrieve configuration attributes and
    to detect SET delivery problems that may occur when an Event 
    Transmitter fails to deliver SETs.</t>
    
    <t>This specification also defines optional Control Plane services 
    to create and update streams in sections <xref target="streamManagement"/> 
    and <xref target="manageSubjects"/>.</t>
    
    <section anchor="subscribeMetadata" title="Event Stream Configuration Attributes">
      
      <t>
      An Event Stream is defined by a set of attributes which together
      define an Event Stream's operational configuration:
      <list style="hanging">
      
        <t hangText="eventUris"><vspace />A read only array of JSON 
        String values which are the URIs of events configured for the 
        Event Stream. This attribute is assigned by the Control Plane 
        provider in response to receiving an Event Stream creation or
        update request. See <spanx style="verb">eventUris_req</spanx>.</t>
        
        <t hangText="eventUris_req"><vspace/>An array of JSON String values
        which are the URIs of events requested by the Event Receiver for
        the Stream. This attribute is modifiable. An Event Stream 
        provider MAY use this attribute to request requested Event URIs
        over time that may not be initially offered.</t>
        
        <t hangText="eventUris_avail"><vspace/>A read only array of 
        JSON String values which are the URIs of events that the Event
        Transmitter is able to support. This attribute MAY be used by
        Control Plane clients to discover new events that may become
        available over time.</t>
        
        <!-- Not really needed
        <t hangText="feedUri"><vspace />A JSON String value containing the URI
        for a feed supported by the feed provider. It describes the 
        content of the feed and MAY also be a resolvable URI where the
        feed meta data may be returned as a JSON object. REQUIRED.</t>
         -->

        <t hangText="methodUri"><vspace />A REQUIRED JSON String value
        which represents the method used to transfer SETs to the Event
        Receiver. See <xref target="I-D.ietf-secevent-delivery"/>.</t>
        
        <t hangText="deliveryUri"><vspace />A JSON String value
        containing a URI that describes the location where
        SETs are received (e.g. via HTTP POST). Its format and usage requirements are 
        defined by the associated <spanx style="verb">methodUri</spanx>.</t>

        <t hangText="iss"><vspace />The URI for the publisher of the SETs 
        that will be issued for the Event Stream. See 
        <xref target="I-D.ietf-secevent-token">Section 2.1</xref>.</t>
        
        <t hangText="aud"><vspace blankLines="0" />An OPTIONAL 
        JSON Array of JSON String values which are URIs representing 
        the audience(s) of the Event Stream. The value SHALL be the value 
        of SET "aud" claim sent to the Event Receiver.
        </t>

        <t hangText="iss_jwksUri"><vspace blankLines="0" />An OPTIONAL 
        String that contains the URL of the SET issuers public JSON 
        Web Key Set <xref target="RFC7517"></xref>. This contains 
        the signing key(s) the Event Receiver uses to validate SET 
        signatures from the Event Transmitter that will be used by the 
        Event Receiver to verify the authenticity of issued SETs. </t>

        <t hangText="aud_jwksUri"><vspace blankLines="0" />An OPTIONAL 
        JSON Web Key Set <xref target="RFC7517" /> that contains the 
        Event Receiver's encryption keys that MAY be used by the 
        Event Transmitter to 
        encrypt SET tokens for the specified Event Receiver.</t>

        <t hangText="status"><vspace blankLines="0" />An OPTIONAL 
        JSON String keyword that indicates the current state of an Event Stream.
        More information on the Event Stream state can be found in 
        <xref target="subState" />. Valid keywords are:<list>
        
          <t><spanx style="verb">on</spanx> - indicates the Event Stream
          has been verified and that the Feed Provider MAY pass 
          SETs to the Event Receiver.</t>

          <!-- No longer used with client initiated verify
          <t><spanx style="verb">verify</spanx> - indicates the 
          Event Stream is pending verification. While in "verify", 
          SETs, except for the verify SET (see 
          <xref target="verifyStream"/>) are not delivered to the 
          Event Receiver. Once verified, the status returns to 
          <spanx style="verb">on</spanx>.</t>
           -->

          <t><spanx style="verb">paused</spanx> - indicates the
          Event Stream is temporarily suspended. While 
          <spanx style="verb">paused</spanx>, SETs SHOULD be 
          retained and delivered when state returns to 
          <spanx style="verb">on</spanx>. If delivery is paused
          for an extended period defined by the Event Transmitter,
          the Event Transmitter MAY change the state to 
          <spanx style="verb">off</spanx> indicating SETs are
          no longer retained.</t>

          <t><spanx style="verb">off</spanx> - indicates that the
          Event Stream is no longer passing SETs. While in off mode,
          the Event Stream configuration is maintained, but new events 
          are ignored, not delivered or retained. Before returning
          to <spanx style="verb">on</spanx>, a verification MUST
          be performed.</t>

          <t><spanx style="verb">fail</spanx> - indicates that the
          Event Stream was unable to deliver SETs to the
          Event Receiver due an unrecoverable error or for an 
          extended period of time. Unlike paused
          status, a failed Event Stream does not retain existing
          or new SETs that are issued. Before returning
          to <spanx style="verb">on</spanx>, a verification MUST
          be performed.</t>
        </list></t>
          
        <t hangText="maxRetries"><vspace blankLines="0" />An OPTIONAL 
        JSON number indicating the 
        maximum number of attempts to deliver a SET. A value of '0'
        indicates there is no maximum. Upon reaching the maximum, the 
        Event Stream <spanx style="verb">status</spanx> attribute is set
        to <spanx style="verb">failed</spanx>.</t>
        
        <t hangText="maxDeliveryTime"><vspace />
        An OPTIONAL number indicating
        the maximum amount of time in seconds a SET MAY take for
        successful delivery per request or cumulatively across 
        multiple retries.  Upon reaching the maximum, the 
        Event Stream <spanx style="verb">status</spanx> is set
        to <spanx style="verb">failed</spanx>. If undefined, there 
        is no maximum time.</t>
        
        <t hangText="minDeliveryInterval"><vspace />
        An OPTIONAL JSON integer that represents the minimum 
        interval in seconds between deliveries. A value of '0'
        indicates delivery should happen immediately. When delivery is
        a polling method (e.g. HTTP GET), it is the expected time between Event Receiver attempts.
        When in push mode (e.g. HTTP POST), it is the interval the server
        will wait before sending a new event or events.</t>
        
        <t hangText="txErr"><vspace />
        An OPTIONAL JSON String keyword value. 
        When the Event Stream has <spanx style="verb">subState</spanx>
        set to <spanx style="verb">fail</spanx>, one of the following
        error keywords is set:<list>
        
          <t><spanx style="verb">connection</spanx> indicates an
          error occurred attempting to open a TCP connection with
          the assigned endpoint.</t>
          <t><spanx style="verb">tls</spanx> indicates an error
          occurred establishing a TLS connection with the assigned
          endpoint.</t>
          <t><spanx style="verb">dnsname</spanx> indicates an error
          occurred establishing a TLS connection where the dnsname
          was not validated.</t>
          <t><spanx style="verb">receiver</spanx> indicates an error
          occurred whereby the Event Receiver has indicated an error
          for which the Event Transmitter is unable to correct.</t>
       
        </list>
        </t>
        
        <t hangText="txErrDesc"><vspace />
        An OPTIONAL String value that is
        usually human readable that provides further diagnostic
        detail by the indicated <spanx style="verb">txErr</spanx>
        error code.</t>
        
        <t hangText="verifyNonce">A String value that when changed
        or set by a Control Plane client will cause the Event Transmitter 
        to issue a single Verify Event based on the nonce value provided (see 
        <xref target="verifyStream"/>). The intent of the value is to
        allow the Event Receiver to confirm the Verify Event received
        matches the value set in the configuration. While this value MAY
        be updated (see <xref target="verifyStream"/>), its value is
        usually not returned as part of an Event Stream configuration. </t>
        
        <t hangText="subjects"><vspace />
        An OPTIONAL complex attribute containing sub objects whose 
        sub-attributes define subjects against which SETs may be issued.
        The following sub-attributes are defined:<list style="hanging">
          <t hangText="value">A String which uniquely identifies a 
          subject (or set of subjects) to be included in the Stream.
          The format and type of value is defined by the 'type' 
          sub-attribute.</t>
          <t hangText="iss">A String which contains the URI of the 
          issuer of the subject identified in the 
          <spanx style="verb">value</spanx> attribute. When not supplied
          the issuer is assumed to be the Event Stream issuer. 
          </t>
          <t hangText="type">A case-insensitive canonical String value 
          which defines the contents of the attribute 'value'. Valid 
          type values are:<list style="hanging">
            <t hangText="OIDC">Is a String value corresponding to an OpenID
            Connect subject. The corresponding <spanx style="verb">iss</spanx>
            attribute is set with the OpenId Connect iss value. </t>
            
            <t hangText="SAML">A String value that is a URI that
            represents the subject of a SAML Identity Provider.</t>
            
            <t hangText="EMAIL">A String Value that is the Email 
            addresses for a subject. The value SHOULD be specified
            according to <xref target="RFC5321" />.</t>
            
            <t hangText="PHIONE">Phone numbers for the user. The value 
            SHOULD be specified according to the format defined in 
            <xref target="RFC3966" />, e.g., 'tel:+1-201-555-0123'.</t>
            
            <t hangText="User">A SCIM User where value is the 'id' of a 
            User resource in the local SCIM service provider.</t>
            
            <t hangText="Group">A SCIM Group where the value is the 'id'
            of a Group resource in the local SCIM service provider.</t>
            
            <t hangText="URI">A miscellaneous subject that can be
            identified by a URI.</t>
          </list></t>
          
        </list></t>
      </list></t>
      
      <t>Additional Event Stream configuration (attributes) MAY be defined
      as extensions. The method for adding new attributes is defined in 
      <xref target="RFC7643">Section 3.3</xref>.</t>
    </section>
   
    <section anchor="getStatus" title="Checking Stream Configuration and Stream State">
      <t>An Event Receiver MAY check the current status of a Stream
      the Event Transmitter's Control Plane service by performing an 
      HTTP GET using the provided URI from the Event Transmitter either 
      through an administrative process or via the optional Stream 
      creation response defined in <xref target="createSub"/>.</t>
      <t>The format of the Stream GET request and response is defined 
      by <xref target="RFC7644">Section 3.4</xref>.
      </t>
      
      <t>In addition to the basic attributes defined in 
      <xref target="RFC7643">Section 2</xref> common to all resource 
      types, an <spanx style="verb">EventStream</spanx> resource types
      uses the attributes defined in <xref target="subscribeMetadata" />.  
      As with any SCIM resource, an <spanx style="verb">EventStream</spanx> 
      resource MUST include the JSON attributes <spanx style="verb">schemas</spanx>
      and <spanx style="verb">id</spanx> as defined in <xref target="RFC7643"/>:
      <list style="hanging">
        <t hangText="schemas"><vspace/>Is an array of Strings with at 
        least a single value of 
        <spanx style="verb">urn:ietf:params:scim:schemas:event:2.0:EventStream</spanx>.
        Configuration MAY be extented through the addition of other schema
        URI values such as in the case where a new delivery method or 
        SET profile needs to define additional attributes.</t>
        
        <t hangText="id"><vspace/>Is a String which is a permanent unique 
        identifier for <spanx style="verb">EventStream</spanx> resources. 
        The value which is also used to define a permanent Event Stream 
        Resource URI.</t>
      </list>
      </t>
      
      <figure anchor="getRequest" title="Example EventStream HTTP GET Request">
        <preamble>The example below retrieves a specific <spanx style="verb">EventStream</spanx> resource whose 
        <spanx style="verb">id</spanx> is <spanx style="verb">548b7c3f77c8bab33a4fef40</spanx>.</preamble>
        <artwork>GET /EventStreams/767aad7853d240debc8e3c962051c1c0
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8</artwork>
</figure>
         
      <figure anchor="streamResponse" title="Example Stream GET Response">
      <preamble>Below is an example response to the 
      <spanx style="verb">EventStream</spanx> retrieval
      made in <xref target="getRequest"/>.</preamble>
      <artwork>HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: 
 https://example.com/EventStreams/767aad7853d240debc8e3c962051c1c0

{
  "schemas":["urn:ietf:params:scim:schemas:event:2.0:EventStream"],
  "id":"767aad7853d240debc8e3c962051c1c0",
  "eventUris_req":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "eventUris":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "methodUri":"urn:ietf:params:set:method:HTTP:webCallback",
  "deliveryUri":"https://notify.examplerp.com/Events",
  "aud":"https://sets.myexamplerp.com",
  "status":"fail",
  "txErr":"connection",
  "txErrDesc":"TCP connect error to notify.examplerp.com.",
  "maxDeliveryTime":3600,
  "minDeliveryInterval":0,
  "description":"Logout events from oidc.example.com",
  "meta":{
     ... SCIM meta attributes ...
  }
}</artwork>
      </figure>  
      
      <t>In the above figure, the <spanx style="verb">EventStream</spanx>
      shows a <spanx style="verb">status</spanx> of <spanx style="verb">fail</spanx> 
      due to a TCP connection error. In this case, the Event Receiver is
      able to discover that its endpoint was unavailable and has been
      marked failed by the Event Transmitter (possibly explaining a lack 
      of received SETs). Typically, with this 
      type of error, appropriate operations staff would be alerted and some 
      corrective action would be taken to check for a configuration
      error or service failure.</t>
      
      <t>The frequency with which Event Receivers poll the
      Event Stream status depends on factors such as: 
      <list style="symbols">
        <t>The level of technical fault tolerance and availability of the 
        receiving endpoint.</t>
        <t>The amount of risk that can be tolerated for lost
        events. For example, if Security Events are considered informational,
        then infrequent (hourly or daily) may be sufficient.</t>
        <t>The amount of buffer recovery offered by an Event Transmitter
        which MAY be minutes depending on SET frequency and buffer size.</t>
      </list>
      In many cases Event Stream status monitoring may be triggered on a 
      timeout basis. Event Receivers would typically poll if they have not
      received a SET for some period during which SETs would be expected
      based on past experience.
      </t>
  
      <t>Receivers MAY use the endpoint 
      <spanx style="verb">/EventStreams</spanx> to query and retrieve available
      Event Streams based on the provided <spanx style="verb">Authorization</spanx> 
      header. 
      </t>
      <figure anchor="getCommonRequest" title="Example Stream HTTP GET Request From Common Endpoint">
        <preamble>The example below retrieves any <spanx style="verb">EventStream</spanx> 
        resources based solely on the requestor's authorization header.
        </preamble>
        <artwork>GET /EventStreams/
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8</artwork>
</figure>
      <figure anchor="getListResponse" title="Example Event Stream List/Query Response Form">
        <artwork>HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: 
  https://example.com/EventStreams/767aad7853d240debc8e3c962051c1c0

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults":1,
  "itemsPerPage":10,
  "startIndex":1,
  "Resources":[
  {
    "schemas":["urn:ietf:params:scim:schemas:event:2.0:EventStream"],
    "id":"767aad7853d240debc8e3c962051c1c0",
    "feedName":"OIDCLogoutFeed",
    "eventUris_req":[
      "http://schemas.openid.net/event/backchannel-logout"
    ],
    "eventUris":[
      "http://schemas.openid.net/event/backchannel-logout"
    ],
    "eventUris_avail":[
      "http://schemas.openid.net/event/backchannel-logout"
    ],
    "methodUri":"urn:ietf:params:set:method:HTTP:webCallback",
    "deliveryUri":"https://notify.examplerp.com/Events",
    "aud":"https://sets.myexamplerp.com",
    "status":"fail",
    "txErr":"connection",
    "txErrDesc":"TCP connect error to notify.examplerp.com.",
    "maxDeliveryTime":3600,
    "minDeliveryInterval":0,
    "description":"Logout events from oidc.example.com",
    "meta":{
       ... SCIM meta attributes ...
  }]
}</artwork>
      </figure>      
          
    </section>
        
    <section anchor="subState" title="Event Stream State Model">
      <t>The Event Stream configuration attribute <spanx style="verb">status</spanx>
      reports the current state of an Event Stream with regards to
      whether the stream is operational or is in a suspended or failed state.
      Additionally, the <spanx style="verb">status</spanx> attribute 
      can be used to pause or stop streams using the stream configuration
      update functions described in <xref target="streamManagement"/>.</t>
      
      <figure anchor="stateDiag" title="Event Stream States at Event Transmitter">
      <preamble>The following is the state machine representation of a
      Event Stream on a Event Transmitter. Note that a Event Stream cannot
      be made active until a verification process has been completed. As 
      such, a newly created Event Stream begins with state 
      <spanx style="verb">on</spanx>.</preamble>
      <artwork align="center">                          +
                       Create
                          |
+--------+         +------v-----+          +--------+
|        +-Restart->            +--Suspend->        |
|  fail  |         |     on     |          | paused |
|        &lt;--Error--+            &lt;--Resume--+        |
+--------+         +-+-------^--+          +---+----+
                     |       |                 |
                  Disable  Enable              |
                     |       |                 |
                   +-v-------+--+              |
                   |     off    &lt;--Limited-----+
                   +------------+</artwork>
      </figure>
      <t>In <xref target="stateDiag"/>, the following actions impact the
      operational state of an Event Stream. <spanx style="verb">status</spanx> 
      values are shown in the boxes, and change based on the following 
      actions:<list style="hanging">
      
        <t hangText="Create"><vspace />A Event Receiver or an administrator creates
        a new Event Stream as described in <xref target="createSub"></xref>.
        The initial state is <spanx style="verb">on</spanx>.</t>
        
       
        <!-- No used now that receiver verifies success
        <t hangText="Confirm Fail"><vspace />If the confirmation fails,
        the Event Transmitter sets the state to <spanx style="verb">fail</spanx>
        requiring administrative action to correct the issue and 
        <spanx style="verb">Restart</spanx>.</t>
         -->
        
        <t hangText="Error"><vspace />An Event Transmitter that has not been
        able to deliver a SET over one or more retries which has reached
        a limit of attempts (<spanx style="verb">maxRetries</spanx>) 
        or time (<spanx style="verb">maxDeliveryTime</spanx>)
        MAY set the Event Stream state to <spanx style="verb">fail</spanx>.
        What stream status is set to <spanx style="verb">failed</spanx>,
        the Event Transmitter is indicating that SETs are being lost
        and may not be recoverable.</t>
        
        <t hangText="Limited"><vspace/>A paused Event Stream has reached
        the transmitters ability to retain SETs for delivery. The Event 
        Transmitter changes the state to <spanx style="verb">off</spanx>
        indicating SET loss is potentially occurring.</t>
        
        <t hangText="Restart"><vspace />An administrator having corrected the 
        failed delivery condition modifies the Event Stream state to
        <spanx style="verb">on</spanx> (e.g. see <xref target="patchSub" />).
        </t>
        
        <t hangText="Suspend and Resume"><vspace />An Event Stream MAY be 
        suspended and resumed by updating the Event Stream state to
        <spanx style="verb">paused</spanx> or <spanx style="verb">on</spanx>. For
        example, see see <xref target="patchSub" />. While suspended,
        the Event Transmitter retains undelivered SETs for a period of time
        and resources specified by the Event Transmitter (see 
        <spanx style="verb">Limited</spanx>).</t>
        
        <t hangText="Enable and Disable"><vspace />A Event Stream MAY be
        disabled and enabled by updating the Event Stream <spanx style="verb">state</spanx> to
        <spanx style="verb">off</spanx> or <spanx style="verb">on</spanx>. For
        example, see see <xref target="patchSub" />. While the Event Stream
        is disabled, all SETs that occur at the Event Transmitter are lost.</t>
      </list></t>
    
     </section> 
   </section>
			
   <section anchor="streamManagement" title="Stream Management and Provisioning">
      <t>This section describes optional Stream management provisioning
      features that allow receivers or provisioning systems to create 
      streams and update configuration to perform actions such as
      rotation, and operational state (e.g. suspend, stop, or resume)
      management.</t>
      
      <t>The operations specified in this section are based on <xref target="RFC7644"/>.
      SCIM schema declarations for the <spanx style="verb">EventStream</spanx>
      resources are defined in 
      <xref target="eventResourceType"/>. HTTP Protocol usage and 
      processing rules are provided by <xref target="RFC7644"/>.</t>          
      
      
      <section anchor="createSub" title="Creating An Event Stream">
        <t>To define an Event Stream, the Event Receiver or its administrator
        (known as the client) first obtains an authorization credential 
        allowing the ability to define a new Stream. Note: the process 
        for registering to obtain credentials and permission to register 
        is out-of-scope of this specification.</t>
        
        <t>Upon obtaining authorization, the client issues an HTTP POST 
        request as defined in <xref target="RFC7644">Section 3.3</xref>. 
        To complete the request, the administrative entity provides the 
        required Stream configuration attributes as specified 
        in <xref target="subscribeMetadata"/>, the delivery method 
        <xref target="I-D.ietf-secevent-delivery"/> and any additional 
        configuration specified by the SET Event Specifications that are 
        being used.</t>
         
        <t>The client MAY discover the Event Transmitter's 
        Control Plane service for the schema requirements for  
        <spanx style="verb">EventStream</spanx> resource type and any
        other extensions using SCIM schema discovery in  
        <xref target="RFC7644">Section 4</xref>.
        </t>
        
        <t>The process to create an Event Stream is as follows:<list style="numbers">
          <t>The client initiates an HTTP POST to the Control Plane 
          endpoint and provides a 
          JSON document defining an EventStream which contains information
          about the Event Receivers endpoints, settings, and keys.</t>
          <t>Upon validating the request, the Event Transmitters control
          plane provisions the stream and updates the EventStream configuration
          with the corresponding Event Transmitter information.</t>
          <t>The Control Plane responds to the request from step 1 and 
          returns the final representation of the Event Stream configuration
          along with a pointer to the created EventStream resource that
          the client MAY use to monitor status and update configuration.</t>
          <t>Upon receiving the response, the client completes the 
          client side configuration and provisioning based upon the 
          returned EventStream configuration.</t>
        </list></t>
        <figure anchor="createSubscription" title="Example Create Event Stream Request">
        <preamble>In the following non-normative example, a request to 
        create a new <spanx style="verb">EventStream</spanx> is 
        submitted.</preamble>
 <artwork>POST /EventStreams
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8

{
  "schemas":["urn:ietf:params:scim:schemas:event:2.0:EventStream"],
  "feedName":"OIDCLogoutFeed",
  "eventUris_req":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "methodUri":"urn:ietf:params:set:method:HTTP:webCallback",
  "deliveryUri":"https://notify.examplerp.com/Events",
  "aud":"https://sets.myexamplerp.com",
  "maxDeliveryTime":3600,
  "minDeliveryInterval":0,
  "description":"Logout events from oidc.example.com"
}</artwork>
        </figure>
        <figure anchor="createSubscriptionResponse" title="Example Response to Create EventStream Request">
        <preamble>In following non-normative response, the Control
        Plane provider has automatically assigned an HTTP addressable 
        location for the EventStream resource as well as an
        <spanx style="verb">id</spanx>. Additionally, the Control Plane
        response below includes additional configuration data for 
        <spanx style="verb">iss</spanx> and 
        <spanx style="verb">iss_jwksUri</spanx>.</preamble>
<artwork>HTTP/1.1 201 Created
Content-Type: application/scim+json
Location: 
 https://example.com/v2/EventStreams/767aad7853d240debc8e3c962051c1c0

{
  "schemas":["urn:ietf:params:scim:schemas:event:2.0:EventStream"],
  "id":"767aad7853d240debc8e3c962051c1c0",
  "feedName":"OIDCLogoutFeed",
  "eventUris_req":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "eventUris":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "eventUris_avail":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "methodUri":"urn:ietf:params:set:method:HTTP:webCallback",
  "deliveryUri":"https://notify.examplerp.com/Events",
  "aud":"https://sets.myexamplerp.com",
  "status":"on",
  "maxDeliveryTime":3600,
  "minDeliveryInterval":0,
  "iss":"oidc.example.com"
  "iss_jwksUri":"https://example.com/keys/oidc-example-com.jwks"
  "description":"Logout events from oidc.example.com",
  "meta":{
     ... SCIM meta attributes ...
  }
}</artwork>
        </figure>
      </section>
      
      <section anchor="patchSub" title="Updating An Event Stream">
      
        <t>Two HTTP methods are available to update an Event Stream 
        configuration. <list>
          <t>The HTTP PUT operation accepts a JSON Document
        representing an existing EventStream configuration and replaces
        it.</t>
          <t>An optional HTTP PATCH operation uses a JSON Patch 
          <xref target="RFC6902"/> style request format to allow manipulation
          of specific EventStream configuration such as
          (but not limited to) <spanx style="verb">status</spanx>, and 
          <spanx style="verb">subjects</spanx>.</t>
        </list></t>

        <section title="Update using HTTP PUT">
          <t>The HTTP PUT method allows a client having previously 
          received the EventStream JSON document to modify the document
          and replace the Control Plane provider's copy. In using this
          method, the client is not required to remove data normally
          asserted or defined by the Event Stream Control Plane provider
          (e.g. attributes that are read only).
          The processing rules of <xref target="RFC7644"/> enable the
          client to "put back" what was previously received allowing
          the Control Plane provider to figure out what attributes
          need updating and which attributes are ignored.  For example, 
          while "id" is immutable, the Control Plane provider will simply 
          ignore attempts to replace its value. When processing is complete
          the final accepted state is represented in the HTTP Response.</t>
          
          <figure anchor="putSubscription" title="Example Replace Event Stream Request">
          <preamble>In the following non-normative example, a request to 
          replace the existing EventStream <spanx style="verb">EventStream</spanx> is 
          submitted. In this example, the change shown is the status
          is now set to <spanx style="verb">off</spanx>. Note that the client
          does not have to remove read-only attributes such as <spanx style="verb">eventUris</spanx>
          and <spanx style="verb">eventUris_avail</spanx> as these values
          are ignored as per <xref target="RFC7644">Section 3.5.1</xref>.</preamble>
   <artwork>PUT /EventStreams/767aad7853d240debc8e3c962051c1c0
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8
  
{
  "schemas":["urn:ietf:params:scim:schemas:event:2.0:EventStream"],
  "id":"767aad7853d240debc8e3c962051c1c0",
  "feedName":"OIDCLogoutFeed",
  "eventUris_req":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "eventUris":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "eventUris_avail":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "methodUri":"urn:ietf:params:set:method:HTTP:webCallback",
  "deliveryUri":"https://notify.examplerp.com/Events",
  "aud":"https://sets.myexamplerp.com",
  "status":"off",
  "maxDeliveryTime":3600,
  "minDeliveryInterval":0,
  "iss":"oidc.example.com"
  "iss_jwksUri":"https://example.com/keys/oidc-example-com.jwks"
  "description":"Logout events from oidc.example.com",
  "meta":{
     ... SCIM meta attributes ...
  }
}</artwork>
          </figure>

        <figure anchor="putSubscriptionResponse" title="Example Response to PUT EventStream Request">
        <preamble>In following non-normative response, the Control
        Plane provider responds with the processed final state
        of the submitted EventStream.</preamble>
<artwork>HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: 
 https://example.com/v2/EventStreams/767aad7853d240debc8e3c962051c1c0

{
  "schemas":["urn:ietf:params:scim:schemas:event:2.0:EventStream"],
  "id":"767aad7853d240debc8e3c962051c1c0",
  "feedName":"OIDCLogoutFeed",
  "eventUris_req":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "eventUris":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "eventUris_avail":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "methodUri":"urn:ietf:params:set:method:HTTP:webCallback",
  "deliveryUri":"https://notify.examplerp.com/Events",
  "aud":"https://sets.myexamplerp.com",
  "status":"off",
  "maxDeliveryTime":3600,
  "minDeliveryInterval":0,
  "iss":"oidc.example.com"
  "iss_jwksUri":"https://example.com/keys/oidc-example-com.jwks"
  "description":"Logout events from oidc.example.com",
  "meta":{
     ... SCIM meta attributes ...
  }
}</artwork>
        </figure>
        
        </section>

            
        <section anchor="updatePatch" title="Update using HTTP PATCH">
        <t>Periodically, Event Receiver parties MAY have need to update an
        EventStream configuration for the purpose of:<list style="symbols">
          <t>Rotating access credentials or keys</t>
          <t>Updating endpoint configuration</t>
          <t>Making operational changes such as pausing, resetting, or 
          disabling an Event Stream.</t>
          <t>Other operations (e.g. such as adding or removing subjects)
          as defined by profiling Event specifications.</t>
        </list></t>

        <t>As documented in <xref target="RFC7644">Section 3.5.2</xref>,
        one or more PATCH operations (which are based on 
        <xref target="RFC6902"/>) can be made against a single 
        EventStream resource. The update is expressed as a JSON document. 
        The JSON document contains an attribute <spanx style="verb">Operations</spanx>
        which contains an array of JSON objects each of which each have the 
        following attributes:<list style="hanging">
          <t hangText="op"><vspace/>A JSON attribute whose value is one of
          <spanx style="verb">add</spanx>, <spanx style="verb">remove</spanx>,
          or <spanx style="verb">replace</spanx>.</t>
          <t hangText="path"><vspace/>A JSON attribute whose value is a document
          attribute path (see <xref target="RFC7644">Section 3.5.2</xref>) 
          describing the attribute or sub-attribute or
          value to be updated in the case of multi-valued complex attributes
          such as <spanx style="verb">subjects</spanx>.</t>
          <t hangText="value"><vspace/>The value to be assigned to the JSON 
          document attribute defined in <spanx style="verb">path</spanx>.</t>
        </list></t>

        <figure anchor="subscriptionPatch" title="Example EventStream PATCH Request">
        <preamble>In the following non-normative example, the client
        requests that the <spanx style="verb">status</spanx> configuration
        attribute be changed to <spanx style="verb">paused</spanx> for 
        the EventStream whose path is identified by the request URI path.</preamble>
<artwork>PATCH /EventStreams/767aad7853d240debc8e3c962051c1c0
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8

{
  "schemas":
    ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op":"replace",
    "path":"status",
    "value":"paused"
  }]
}</artwork>
       </figure>
       <t>In the above figure, upon receiving the request, the Event 
       Transmitter would stop sending Events to the Receiver based on 
       the requested value of <spanx style="verb">status</spanx> being
       set to <spanx style="verb">paused</spanx>.</t>
            
       <t>
       <figure anchor="memberPatch" title="Example Changing the Members of EventStream">
        <preamble>In the following non-normative example, the client
        requests the addition and removal of two subjects
        from an existing EventStream. This operation is discussed 
        further in <xref target="subjMgmtStream"/>.</preamble>
<artwork>PATCH /EventStreams/767aad7853d240debc8e3c962051c1c0
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8

{
  "schemas":
    ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op":"add",
    "path":"subjects",
    "value":{
      "type":"EMAIL",
      "value":"alice@example.com"
    }
  },
  { 
    "op":remove",
    "path":"subjects[value eq \"bob@example.com\"]
  }]
}</artwork>
        </figure>
        In the above request, the second operation, the remove operation, 
        uses a <spanx style="verb">path</spanx> attribute to specify a
        matching filter the correct array element of <spanx style="verb">subjects</spanx>
        by matching the appropriate sub-attributes which are denoted by 
        square brackets (see <xref target="RFC7644">Figure 1 and 2</xref>
        for other examples and ABNF for filters). 
        In this case the composite filter of the <spanx style="verb">subjects</spanx> sub-attributes 
<spanx style="verb">type</spanx> and <spanx style="verb">value</spanx>
are used to remove the correct JSON array element.
Upon receiving the request, the EventStream subjects attribute would be 
updated to reflect the changes.     
        </t>
        </section>
        
      </section>      
    </section>
   
   <section anchor="manageSubjects" title="Models for Managing Stream Subjects">
     
     <t>The extensibility of SCIM enables many ways to model
     subjects that are part of an Event Stream. This section
     explores a few alternatives that profiling specifications could
     use to manage the contents of an Event Stream. These examples 
     include managing subjects:<list style="symbols">
       <t>As an attribute of an Event Stream configuration (see <xref target="subjMgmtStream"/>);</t>
       <t>As a member of SCIM Group (see <xref target="subjMgmtGroup"/>); and,</t>
       <t>As a specific Subject resource (see <xref target="subjMgmtResource"/>).</t>
     </list>
     </t>
   
   <section anchor="subjectConsiderations" title="General Considerations for Managing Subjects">
      
      <t>As a privacy and scalability consideration, profiling specifications SHOULD
      consider that most deployments SHOULD not allow the subjects that 
      are part of an Event Stream to be enumerated in a single request. 
      For example, in <xref target="subjMgmtStream"/>, 
      the Event Stream configuration attribute <spanx style="verb">subjects</spanx> 
      is typically not returned when querying Event Stream configurations
      (see <xref target="getStatus" />). This is because the number of 
      values may be too large (e.g. great than 100k values or even 
      in the billions or more). Further, depending on the Security
      Event types being exchanged, Event Receivers MAY confirm that a 
      subject is part of a stream for privacy reasons. </t>
      
      <t>The ability to return attributes such as <spanx style="verb">subjects</spanx>
      is indicated by Control Plane service providers in schema discovery 
      (see <xref target="RFC7644">Section 4</xref>) as the schema attribute 
      <spanx style="verb">returned</spanx>. For <spanx style="verb">subjects</spanx>
      this attribute SHOULD be set to <spanx style="verb">request</spanx> or 
      <spanx style="verb">never</spanx>.  In <spanx style="verb">request</spanx> mode,
      the client must specifically request the attribute <spanx style="verb">subjects</spanx>
      to have it enumerated. If the mode is <spanx style="emph">never</spanx>,
      the attribute SHALL NOT be returned to clients. In all cases however,
      a client MAY execute a query to verify the presence of a subject:</t>
      
   </section>
   
   <section anchor="subjMgmtStream" title="Subjects as Part of Stream Configuration">
   <t>In this section, examples are given using the 
   <spanx style="verb">subjects</spanx> attribute of Event Stream 
   configuration described in <xref target="subscribeMetadata"/></t>
   
   <t>The following sections assume subject membership within streams 
   is defined by the <spanx style="verb">subjects</spanx> attribute of 
   the Event Stream configuration. As defined, subjects can support a
   number of value types including: OIDC Connect Subjects, SCIM Users
   and Groups, e-mail and telephone number identifiers, and URI referencable
   entities. </t>
   
 
   <section anchor="checkSubject" title="Checking Subject Membership">

      <t>Checking subject membership is a matter of performing a query
      using a filter to achieve a match based on a value of the 
      <spanx style="verb">subjects</spanx> attribute.</t>
      
      <section title="Email Based Subjects">
        <t>In this section, values have been added to the 
        <spanx style="verb">subjects</spanx> attribute that are email 
        addresses which clients to the Control Plane would like to verify are 
        present or not. The <spanx style="verb">subjects</spanx> attribute 
        has sub-attribute <spanx style="verb">type</spanx> set to 
        <spanx style="verb">EMAIL</spanx> and the sub-attribute 
        <spanx style="verb">value</spanx> contains an email address.</t>

        <figure anchor="verifySubject" title="Determining if an EMail Subject is in an Event Stream">
        <preamble>In the following non-normative example, a client queries
        the Control Plane to see if <spanx style="verb">alice@example.com</spanx> is part of any
        defined stream configuration. In the request, only the attribute 
        <spanx style="verb">id</spanx> of the Event Stream is requested 
        as the client does not need to see the rest of the Event Stream
        attributes. Note, for readability, the URL is not encoded.</preamble> 
  <artwork>GET /EventStreams?filter=(subjects.value eq "alice@example.com")
  &amp;attributes=id
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8</artwork>
        </figure>
  
        <figure anchor="verifyNoMatch" title="Example Response With No Subject Match">
        <preamble>In this non-normative example response, the subject is confirmed
        as not part of any Event Streams associated with the requester. In
        this case an empty list is returned with no values and 
        <spanx style="verb">totalResults</spanx> is 
        <spanx style="verb">0</spanx>.</preamble>
        <artwork>HTTP/1.1 200 OK
Content-Type: application/scim+json
  
{
  "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults":0,
  "Resources":[]
}</artwork>
        </figure>   
        
        <figure anchor="verifyMatch" title="Example Response With Single Match">
        <preamble>In the response below, a match for subject <spanx style="verb">alice@example.com</spanx> 
        is found and the <spanx style="verb">id</spanx> of the 
        Event Stream configuration that contains the subject is returned is 
        <spanx style="verb">767aad7853d240debc8e3c962051c1c0</spanx>.</preamble>
        <artwork>HTTP/1.1 200 OK
Content-Type: application/scim+json
  
{
  "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults":1,
  "Resources":[
    {
      "id":"767aad7853d240debc8e3c962051c1c0",
      ...other meta attributes...
    }
  ]
}
        </artwork>
        </figure>   
        
      </section>
      
      <section title="OIDC Based Subjects">
        <t>In this section, values in the 
        <spanx style="verb">subjects</spanx> attribute are OIDC users
        which clients would like to verify are present. The attribute 
        <spanx style="verb">subjects</spanx> has the sub-attribute
        <spanx style="verb">type</spanx> set to <spanx style="verb">OIDC</spanx>
        and the sub-attribute <spanx style="verb">value</spanx> contains
        an OIDC <spanx style="verb">sub</spanx> value and the 
        <spanx style="verb">iss</spanx> sub-attribute contains the 
        corresponding OIDC Provider <spanx style="verb">iss</spanx> value.
        For this example, the OIDC <spanx style="verb">iss</spanx> is
        <spanx style="verb">op.example.com</spanx> and the 
        <spanx style="verb">sub</spanx> is <spanx style="verb">123456</spanx>.</t>

        <figure anchor="verifyOidcSubject" title="Determining if an OIDC Subject is in an Event Stream">
        <preamble>In the following non-normative example, a client queries
        the Control Plane to see if the above OIDC user is part of any
        defined stream configuration. In the request, only the attribute 
        <spanx style="verb">id</spanx> is requested. Note, for
        readability, the URL is not encoded.</preamble> 
  <artwork>GET /EventStreams?filter=(subjects[value eq "123456" and
  iss eq "op.example.com"])&amp;attributes=id
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8</artwork>
        </figure>
  
        <t>In the above request note that <spanx style="verb">iss</spanx>
        and <spanx style="verb">value</spanx> are enclosed within
        square brackets. This is done, per <xref target="RFC7644">Figure 1</xref> to
        ensure the matching condition within "[" and "]" is matched
        against the same JSON array record.  If the filter was expressed as
<spanx style="verb">(subjects.value eq "123456" and subjects.iss eq "op.example.com")</spanx>
        Then an improper match may occur because a composite value of 
        <spanx style="verb">subjects</spanx>
        may have <spanx style="verb">123456</spanx> while another has 
        <spanx style="verb">op.example.com</spanx>.</t>

        <t>For examples of responses to <xref target="verifyOidcSubject" />,
        see <xref target="verifyNoMatch" /> and <xref target="verifyMatch" /></t>
        
      </section>
  </section>
  
  <section title="Adding and Removing Subjects to a Stream">
      <t>Adding and removing subjects to an Event Stream is performed
      using the HTTP PATCH method described in <xref target="updatePatch" />.
      The following provides examples of adding and removing subjects
      based on EMAIL and OIDC subects. </t>    
    
      <figure anchor="addEmailSubject" title="Adding an EMAIL Subject to a Stream">
      <preamble>In the following non-normative example, the client
      requests the addition of a subject identified by an EMAIL address
      to an existing EventStream. The composite value of subjects
      has the sub-attributes <spanx style="verb">type</spanx> and <spanx style="verb">value</spanx>
      which are assigned.</preamble>
<artwork>PATCH /EventStreams/767aad7853d240debc8e3c962051c1c0
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8

{
  "schemas":
    ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op":"add",
    "path":"subjects",
    "value":{
      "type":"EMAIL",
      "value":"alice@example.com"
    }
  }]
}</artwork>
      </figure>
      
      <figure anchor="addOidcSubject" title="Adding an OIDC Provider Subject to a Stream">
      <preamble>In the following non-normative example, the client
      requests the addition of an OIDC subject 
      to an existing EventStream. The composite value of <spanx style="verb">subjects</spanx>
      has the sub-attributes <spanx style="verb">type</spanx>, 
      <spanx style="verb">iss</spanx>, and <spanx style="verb">value</spanx>
      which are assigned.</preamble>
<artwork>PATCH /EventStreams/767aad7853d240debc8e3c962051c1c0
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8

{
  "schemas":
    ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op":"add",
    "path":"subjects",
    "value":{
      "type":"OIDC",
      "value":"123456",
      "iss":"op.example.com"
    }
  }]
}</artwork>
      </figure>
    
      <figure anchor="removeOidcSubjects" title="Removing an OIDC Connect Subject from a Stream">
      <preamble>In the following non-normative example, the client
      requests the removal of a subject selected by using a 
      filter against the <spanx style="verb">subjects</spanx> attribute.</preamble>
<artwork>PATCH /EventStreams/767aad7853d240debc8e3c962051c1c0
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8

{
  "schemas":
    ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op":"remove",
    "path":"subjects[value eq \"123456\" and iss eq \"op.example.com\"]",
  }]
}</artwork>
      </figure>
    
    </section>
  </section>
   
  <section anchor="subjMgmtGroup" title="Subjects as Members of a Group">
   <t>SCIM defines a resource type called a 
   <spanx style="verb">Group</spanx> which can be used as a container
   to manage one or more objects in a collection (See Section 4.2 of <xref target="RFC7643"/>).
   Groups work in similar fashion to the operations described in 
   <xref target="subjMgmtStream"/> except instead of operations against
   the '<spanx style="verb">subjects</spanx>, the <spanx style="verb">members</spanx>
   attribute is used. Typically the value of the members attribute is 
   the <spanx style="verb">id</spanx> of a local User or Group.
   </t>
   <t>In order to use this method, the Stream configuration indicates
   the SCIM Group being used by adding Group as a member of the <spanx style="verb">subjects</spanx>
   attribute of the Stream configuration and indicating a 
   <spanx style="verb">type</spanx> of <spanx style="verb">Group</spanx>.</t>
   
   <figure anchor="streamGroupConfig" title="Event Stream Configured to Use SCIM Group">
  <preamble>The following is an example Stream configuration that has
  a Group as a member of the subjects. In the example below, 
  <spanx style="verb">e18c2dfb5d588</spanx> is the identifier of a SCIM
  Group containing a list of member resources.</preamble>
<artwork>
{
  "schemas":["urn:ietf:params:scim:schemas:event:2.0:EventStream"],
  "id":"767aad7853d240debc8e3c962051c1c0",
  "feedName":"OIDCLogoutFeed",
  "eventUris":[
    "http://schemas.openid.net/event/backchannel-logout"
  ],
  "methodUri":"urn:ietf:params:set:method:HTTP:webCallback",
  "deliveryUri":"https://notify.examplerp.com/Events",
  "aud":"https://sets.myexamplerp.com",
  "status":"off",
  "maxDeliveryTime":3600,
  "minDeliveryInterval":0,
  "iss":"oidc.example.com"
  "subjects":[
    {
      "type":"Group"
      "value":"e18c2dfb5d588"
    }
  ]
  "iss_jwksUri":"https://example.com/keys/oidc-example-com.jwks"
  "description":"Logout events from oidc.example.com",
  "meta":{
     ... SCIM meta attributes ...
  }
}</artwork>
        </figure>
        <t></t>
   
   
   <section anchor="checkMember" title="Checking Membership">

      
        <t>In this section, values have been added to the 
        <spanx style="verb">members</spanx> attribute are 
        <spanx style="verb">id</spanx> values of known SCIM resources. 
        These values can be queried against the Group to see if the
        <spanx style="verb">id</spanx> is a member.</t>
   
        <t>If the requester does not know the <spanx style="verb">id</spanx>
        of the resource for which they would like to check membership, 
        a query can be performed as described in <xref target="RFC7644">Section 3.4</xref>.
        </t>

        <figure anchor="verifyMember" title="Determining if a SCIM Resource is in a Event Stream Example">
        <preamble>In the following non-normative example, a client queries
        the Control Plane to see if a User with <spanx style="verb">id</spanx>
        value of <spanx style="verb">413861904646</spanx>
        is a part of any Group. .</preamble> 
  <artwork>GET /Groups?filter=members.value eq "413861904646"
  &amp;attributes=id
Host: scim.example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8</artwork>
        </figure>
  
        <figure anchor="verifyMmbrNoMatch" title="Example Response With No Match">
        <preamble>In this non-normative response, the <spanx style="verb">id</spanx> is confirmed
        as not part of the Group queried by the requester. In
        this case an empty list is returned with no values and <spanx style="verb">totalResults</spanx> is 
        <spanx style="verb">0</spanx>.</preamble>
        <artwork>HTTP/1.1 200 OK
Content-Type: application/scim+json
  
{
  "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults":0,
  "Resources":[]
}</artwork>
        </figure>   
        
        <figure anchor="verifyMemberMatch" title="Example Response With Single Match">
        <preamble>In the response below, a match for resource with an
        <spanx style="verb">id</spanx> value of <spanx style="verb">413861904646</spanx> 
        is found and the <spanx style="verb">id</spanx> of any matched 
        Groups that contain the <spanx style="verb">id</spanx> is returned.
        In this case a <spanx style="verb">Group</spanx> with an <spanx style="verb">id</spanx>
        value of <spanx>e18c2dfb5d588</spanx> is returned.</preamble>
        <artwork>HTTP/1.1 200 OK
 Content-Type: application/scim+json

 {
   "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
   "totalResults":1,
     "Resources":[
       {
         "id":"e18c2dfb5d588",
       }
     ]
   }</artwork>
        </figure>
  </section>
  
  <section title="Adding and Removing SCIM Users to a Group">
      <t>Adding and removing Users to an Event Stream Group is performed
      using the HTTP PATCH method described in <xref target="updatePatch" />.
      The following provides examples of adding and removing <spanx style="verb">Users</spanx>
      to a <spanx style="verb">Group</spanx> </t>    
    
      <figure anchor="addMemberResource" title="Example Adding a User to a Group">
      <preamble>In the following non-normative example, the client
      requests the addition of a User identified by an <spanx style="verb">id</spanx>
      to an existing <spanx style="verb">Group</spanx> which is used by
      an Event Stream to denote member subjects. </preamble>
<artwork>PATCH /Groups/e18c2dfb5d588
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8

{
  "schemas":
    ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op":"add",
    "path":"members",
    "value":{
      "type":"User",
      "value":"8c16-01f8e146b87a"
    }
  }]
}</artwork>
      </figure>
      

    
      <figure anchor="removeMemberOidcSubjects" title="Example Removing a User from a Group">
      <preamble>In the following non-normative example, the client
      requests the removal of a User identified by <spanx style="verb">id</spanx> 
      with value <spanx style="verb">8c16-01f8e146b87a</spanx>. The item
      to be removed is selected by using a 
      filter against the <spanx style="verb">members</spanx> attribute.</preamble>
<artwork>PATCH /Groups/e18c2dfb5d588
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8

{
  "schemas":
    ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op":"remove",
    "path":"members.value eq \"8c16-01f8e146b87a\"",
  }]
}</artwork>
      </figure>
    
    </section>   
   </section>
   
   <section anchor="subjMgmtResource" title="Subjects as a Resource (aka POST Profile)">
     <t>This section demonstrates how to model subject participation in 
     an Event Stream by treating subjects as a resource (a <spanx style="verb">Subject</spanx>).
     In this model, a subject is added, removed, and queried from an Event 
     Stream by through HTTP POST, DELETE, and GET methods.
     </t>
    
     <t>In this model, a new SCIM resource type is defined that 
     describes the <spanx style="verb">Subject</spanx> resource and 
     its associated schema.</t>
     <figure anchor="subjectResourceType" title="Example Resource Type Definition for Subjects">
     <preamble>The following is a non-normative example of a 
     Resource Type definition that is configured in a SCIM service
     provider. The Resource Type defines the <spanx style="verb">Subjects</spanx> 
     endpoint as well as a URI for the schema definition.
     The Resource Type configuration can be discovered by querying the 
     SCIM service  provider's <spanx style="verb">/ResourceTypes</spanx> endpoint (see
     <xref target="RFC7644">Section 4</xref>).</preamble>
     <artwork>{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
  "id": "Subject",
  "name": "Subject",
  "endpoint": "/Subjects",
  "description": "Endpoint managing SECEVENT Subjects.",
  "schema": "urn:ietf:params:scim:schemas:event:2.0:Subject",
  "schemaExtensions": []
}</artwork>
     </figure>
     
     <figure anchor="subjectSchema" title="Example Schema for Subject Resources">
     <preamble>The following is an example schema definition for a Subject
     resource. This configuration can be retrieved from the SCIM Service 
     Provider using the <spanx style="verb">/Schemas</spanx> endpoint (see
     <xref target="RFC7644">Section 4</xref>).</preamble>
     <artwork>{
  "id" : "urn:ietf:params:scim:schemas:event:2.0:Subject",
  "name" : "Subject",
  "description" : "Subject stream configuration",
  "attributes" : [
    {
      "name" : "email",
      "type" : "string",
      "multiValued" : false,
      "description" : "The email of the subject being added to Event
      Streams. The value SHOULD be specfied according to [RFC5321].",
      "required" : true,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    },
    {
      "name" : "displayName",
      "type" : "string",
      "multiValued" : false,
      "description" : "A simple representation of a Subject's name
      that can be used for display purposes.",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    },     
    {
      "name" : "streamId",
      "type" : "string",
      "multiValued" : fase,
      "description" : "An Event Stream a Subject is part
      of as identified by EventStream id",
      "required" : false,
      "mutability" : "readWrite",
      "returned" : "default"
    }
  ]
}</artwork>
     </figure>
     
     <section title="Adding A Subject to a Stream">
       <t>To add a Subject to a Stream, an HTTP POST is used to create a new
       Subject resource which contains attributes identifying the subject
       and the associated Event Stream <spanx style="verb">id</spanx>.</t>
       
       <figure anchor="addSubject" title="Adding a Subject to a Stream Using POST">
       <preamble>The following non-normative example demonstrates adding
       a subject identified by <spanx style="verb">example.user@example.com</spanx>
       to an <spanx style="verb">EventStream</spanx> identified by 
       <spanx style="verb">id</spanx> with value <spanx style="verb">767aad7853d240debc8e3c962051c1c0</spanx>.</preamble>
       <artwork>POST /Subjects/ HTTP/1.1
Host: transmitter.example.com
Authorization: Bearer eyJ0b2tlbiI6ImV4YW1wbGUifQo=
{
 "schemas":["urn:ietf:params:scim:schemas:event:2.0:Subject"],
 "email": "example.user@example.com",
 "streamIds": "767aad7853d240debc8e3c962051c1c0",
 "schemas":["urn:ietf:params:scim:schemas:event:2.0:Subject"]
}</artwork>
       </figure>
       
       <figure anchor="addSubjectResponse" title="Response to Adding a Subject to a Stream Using POST">
       <preamble>In response the server indicates the record is created
       and returns a permanent URI of the entry. This URI can later
       be used to remove the subject from the identified EventStream.</preamble>
       <artwork>HTTP/1.1 201 Created
Content-Type: application/scim+json
Location:
    https://example.com/v2/Subjects/e3c962051c1c0
{
  "schemas":["urn:ietf:params:scim:schemas:event:2.0:Subject"],
  "id": "e3c962051c1c0",
  "email": "example.user@example.com",
  "streamIds": "767aad7853d240debc8e3c962051c1c0",
  "meta":{
     ...SCIM meta data...
  }
}</artwork>
       </figure>
       <t>Should the record be a duplicate Subject, the Control Plane
       implementation MAY choose to return the original resource registration
       and location with HTTP Status 200 (OK).</t>
     </section>
     
     <section anchor="querySubjects" title="Querying for Subject in Event Streams">
       <t>To query Subjects, SCIM filters can be used to return matching
       resources as per <xref target="RFC7643">Section 3.4.2</xref></t>
       
       <figure anchor="querySubjectStream" title="Querying if a Subject is in an EventStream">
       <preamble>Assuming the <spanx style="verb">id</spanx> of the EventStream is known,
       a query can be made against that identifier and the subjects
       identifier - in this case, an email address.</preamble>
       <artwork>GET /Subjects?filter=(streamId eq "e3c962051c1c0" and 
   email eq "example.user@example.com")</artwork>
       </figure>
       
       <figure anchor="querySubjectStreamResponse" title="Response to Query">
       <preamble>If a match to the request in <xref target="querySubjectStream"/>
       is made, the following is a non-normative example response showing
       the matched Subject resource.</preamble>
       <artwork>HTTP/1.1 200 OK
 Content-Type: application/scim+json

{
   "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
   "totalResults":1,
     "Resources":[
       {
         "id":"e3c962051c1c0",
         "email": "example.user@example.com"
         "streamIds": "e3c962051c1c0",
         "schemas":["urn:ietf:params:scim:schemas:event:2.0:Subject"],
         ...additional meta data...
       }     
    ]
}</artwork>
       </figure>
       <t></t>
       <figure anchor="queryAllStreams" title="Querying All Event Streams for Subject">
       <preamble>To see if an email address is present in multiple EventStreams,
       the following query MAY be used.</preamble>
       <artwork>GET /Subjects?filter=(email eq "example.user@example.com")</artwork>
       </figure>
       <t>Assuming only one match is found, than a response similar
       to <xref target="querySubjectStreamResponse"/> is returned. If
       not matches occur, a response is returned with <spanx style="verb">totalResults</spanx>
       equal to 0. If more than one match is returned, the additional
       matches are returned in the <spanx style="verb">Resources</spanx>
       array.</t>
     </section>
   
     <section title="Removing a Subject from an Event Stream">
       <t>Assuming the <spanx style="verb">id</spanx> of the Subject
       resource is known, HTTP DELETE MAY be used. If it is not known,
       the <spanx style="verb">id</spanx> MAY be queried as per <xref target="querySubjects"/>.</t>
       
       <figure anchor="deleteSubject" title="Removing a Subject from an Event Stream">
       <preamble>To remove a Subject resource perform an HTTP DELETE
       using the resource's URI (see <xref target="RFC7644">Section 3.6</xref>).</preamble>
       <artwork>DELETE /Subjects/e3c962051c1c0</artwork></figure>
     </section>
   </section>
    
  </section>

   <section anchor="verifyStream" title="Event Stream Verification">
  
        <t>In the verify process, the Event Receiver organization initiates
        a request to the Event Transmitter to verify the Stream is working
        correctly. This can be used to both test for configuration errors 
        (e.g. incorrect keys for signing and/or encryption, endpoints) 
        and to verify operational state by using a Verify Event as an
        occasional 'ping' test. </t> 
        
        <t>To initiate a Verify Event, the Event Receiver organization
        using the Control Plane to set a nonce value for the Stream
        Configuration attribute <spanx style="verb">verifyConfirm</spanx>. 
        Once set, the Event Transmitter SHALL issue a Verify SET
        the includes the client specified nonce value. </t>
        
       <figure anchor="verifyPatch" title="Requesting a Verify using PATCH">
        <preamble>In the following non-normative example, the client
        requests a Verify Event by setting the attribute 
        <spanx style="verb">verifyNonce</spanx> as part of the Event 
        Stream configuration.</preamble>
<artwork>PATCH /EventStreams/767aad7853d240debc8e3c962051c1c0
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8

{
  "schemas":
    ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op":"replace",
    "path":"verifyNonce",
    "value":"VGhpcyBpcyBhbi"
  }]
}</artwork>
            </figure>
        
        
        <t>Upon the changing of the Event Stream configuration attribute
        <spanx style="verb">verifyNonce</spanx>, the Event Transmitter 
        sends a Verify Event SET to the Event Receiver using the registered 
        <spanx style="verb">methodUri</spanx> mechanism.</t>
        
        <t>The Verify SET contains the following attributes:<list style="hanging">
          <t hangText="events"><vspace/>Set with an event attribute of 
          <spanx style="verb">urn:ietf:params:secevent:verification</spanx>
          and
          contains the sub-attribute <spanx style="verb">nonce</spanx>
          which contains the value of <spanx style="verb">verifyNonce</spanx>
          .</t>

          <t hangText="iss"><vspace/>Set to the URI defined in the Event Stream
          configuration.</t>

          <t hangText="aud"><vspace/>MUST be set to a value that matches the
          EventStream <spanx style="verb">aud</spanx> value agreed to.</t>
                    
        </list>
        </t>
        
        <t>If the Event Stream is configured to encrypt SETs for the 
        Event Receiver, then the SET MUST be encrypted with 
        the provided key. Successful parsing of the
        message confirms that provides confirmation of correct 
        configuration and possession of keys.</t>
         
        <figure anchor="verifyEvent" title="Example Verification SET">
        <preamble>The following is a non-normative JSON representation 
        of a Verify Event issued to an Event Receiver. Included in the SET
        is an example nonce value <spanx style="verb">VGhpcyBpcyBhbi</spanx>.</preamble>
<artwork>{
  "jti": "123456",
  "iss": "https://transmitter.example.com",
  "aud": "receiver.example.com",
  "iat": "1493856000",
  "events": [
    "urn:ietf:params:secevent:verification" : {
      "nonce": "VGhpcyBpcyBhbi",
    },
  ],
}</artwork>
        </figure>
        
        <t>The above SET is encoded as a JWT and transmitted to the 
        Event Receiver using the configured delivery method.</t>

        <t>Upon receiving a verify SET, the Event Receiver SHALL parse
        the SET and verify its claims. In particular, the Event Receiver
        SHALL confirm that the values for <spanx style="verb">nonce</spanx> 
        match the value assigned to <spanx style="verb">verifyNonce</spanx>
        in the Event Stream Configuration via the Control Plane. If
        the values do not match, administrative action should be taken
        to address the mis-configuration.  Similarly if the SET is not
        received or is unparseable, the Event Receiver organization
        can check Event Stream configuration and check for errors by
        reviewing the Stream configuration attributes <spanx style="verb">status</spanx>
        and <spanx style="verb">txErr</spanx>. </t>
     </section>
   
   <section anchor="Privacy" title="Privacy Considerations">
   
      <t>See <xref target="RFC7644">Section 7.5</xref> for protocol
      specific privacy considerations.</t>
      
      <t>The Privacy Considerations of SET Token Specification 
      <xref target="I-D.ietf-secevent-token"/> and the SET Token 
      Delivery specification <xref target="I-D.ietf-secevent-delivery"/>
      SHALL apply.</t>
      
      <section title="Subject Management">
        <t>The exact set of subject entities upon which SETs can be 
        issued SHOULD NOT be made available to any single party. This is
        because a subject's relationship with an Event Transmitter
        MAY change over time and may not be known to the Event Receiver.
        A design consideration is that an Event Receiver MUST already
        know personal identifiers before asking an Event Transmitter
        if there is an existing relationship by asking if that 
        personal identifier is part of a stream. Accordingly the 
        <spanx style="verb">subjects</spanx> attribute of an Event
        Stream can not normally be returned. Instead, a Control Plane
        provider MAY confirm a subject is part of a stream. See
        <xref target="subjectConsiderations"/> and <xref target="checkSubject"/>.</t>
        <t>When receiving a request from a Control Plane client to 
        add a subject, the provider SHOULD consider if the subject is
        appropriate to the purpose of the Event Stream being managed. For
        example, for an OpenID Connect Provider, was consent obtained
        to share security data with the Relying Party. Such authorization
        may have been previously authorized by a user via the OpenID
        consent process. Having obtained consent, the Control Plane
        provider SHOULD consider
        if the SET Events being requested to be streamed are appropriate. </t>
      </section>
   
   </section>
   
   <section anchor="Security" title="Security Considerations" toc="default">

      <t>This specification depends on the Security Considerations of 
      <xref target="RFC7644"/>. </t>
   
      <section title="Multi-Party Access to Streams">
        <t>Implementations SHOULD support access roles which enable
        different types of access to Event Streams via the Control
        Plane service.  A minimal suggested set of roles includes:
        <list style="hanging">
          <t hangText="Monitor">For clients to retrieve Event Stream 
          configuration and obtain current status. Access is limited
          to read-only operations.</t>
          <t hangText="Control">Adds the ability to modify the 
          <spanx style="verb">status</spanx> attribute to control the
          operational state of the Event Stream in addition to the rights
          granted by <spanx style="verb">Monitor</spanx>.</t>
          <t hangText="Manage">Provides the ability to list, create and manage
          Event Streams including updating and verifying subjects.</t>
        </list>
        Typically these roles are rights or scopes associated with the 
        security credential presented in the HTTP Authorization header
        of requests (see <xref target="RFC7644">Section 7</xref>). The 
        method by which these roles are implemented is out of scope
        of this specification. </t>
      </section>   
   </section>

    <section anchor="IANA" title="IANA Considerations">
      
      <section anchor="verifyUri" title="Registration of Verify Event URI">
        <t>IANA is requested to add an entry to the 'IETF URN Sub-namespace
        for Registered Protocol Parameter Identifiers' registry and create a
        sub-namespace for the Registered Parameter Identifier as per <xref
        target="RFC3553"/>: <spanx style="verb">urn:ietf:params:secevent:verification</spanx>.</t>

        <t>The identifier is used to indicate a Verify Event as defined
        in <xref target="verifyStream"/> for use in the <spanx style="verb">events</spanx>
        attribute defined in <xref target="I-D.ietf-secevent-token"/>.</t>
      </section>
      
      <section title="SCIM Schema Registration">
        <t>As per the "SCIM Schema URIs for Data Resources" registry established
        by <xref target="RFC7643">Section 10.3</xref>, the following defines and registers
        the following SCIM URIs and Resource Types for Feeds and Event Streams.</t>
        <texttable>
        <ttcol>Schema URI</ttcol><ttcol>Name</ttcol><ttcol>ResourceType</ttcol><ttcol>Reference</ttcol>
        
        <c>urn:ietf:params:scim: schemas:event:2.0: EventStream</c>
        <c>SET Event Stream</c>
        <c>EventStream</c>
        <c><xref target="subscribeMetadata"/></c>
        
        </texttable>
      
        <t>Attributes for SET Event Streams are defined in <xref target="subscribeMetadata"/></t>
      
        <t>SCIM Schema and ResourceType definitions are defined in <xref target="eventResourceType"/></t>
      </section>

  
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml' ?>
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.3986.xml' ?>
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.5988.xml' ?>
      
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7231.xml' ?><!-- HTTP Semantics -->
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7519.xml' ?><!-- JWT -->
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7517.xml' ?><!-- JWK -->
   
      <?rfc include='http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-secevent-token-02.xml'?>
      <?rfc include='http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-secevent-delivery-00.xml'?>

    </references>

    <references title="Informative References">
    
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.3553.xml' ?><!-- Proto Params-->
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.3966.xml' ?><!-- JWS -->
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.5321.xml' ?><!-- JWS -->

      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.6902.xml' ?><!-- JWS -->

      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7515.xml' ?><!-- JWS -->
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7516.xml' ?><!-- JWE -->
      
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7644.xml' ?><!-- SCIM API -->
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7643.xml' ?><!-- SCIM Schema -->

      <reference anchor="openid-connect-core">
        <front>
          <title>OpenID Connect Core 1.0</title>
          <author fullname="Nat Sakimura et al"><organization>NRI</organization></author>
          <date day="8" month="Nov" year="2014"/>
        </front>
        <format type="HTML" target="http://openid.net/specs/openid-connect-core-1_0.html"/>
      </reference>

     <!-- 
      <reference anchor="Order-Operations">
        <front>
          <title>Order of Operations: Programming Languages</title>

          <author>
            <organization>Wikipedia</organization>
          </author>

          <date/>
        </front>

        <format target="http://en.wikipedia.org/wiki/Order_of_operations#Programming_languages"
                type="HTML"/>
      </reference>
       -->
    </references>

    <section anchor="eventResourceType" title="Event Stream Resource Type and Schema Definitions">
             
        <t>The <spanx style="verb">EventStream</spanx> resource type definition 
        is defined as follows:
<figure anchor="subscriptionType" title="SCIM EventStream Resource Type Definition">
<artwork>{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
  "id": "EventStream",
  "name": "EventStream",
  "endpoint": "/EventStreams",
  "description": "Endpoint and event configuration and status for SEC EVENT streams.",
  "schema": "urn:ietf:params:scim:schemas:event:2.0:EventStream",
  "schemaExtensions": []
}</artwork>
        </figure>
        The resource type above is discoverable in the 
<spanx style="verb">/ResourceTypes</spanx> endpoint of a SCIM service
provider and informs SCIM clients about
the endpoint location of EventStream resources and the SCIM schema used
to define the resource.  The corresponding schema for the EventStream
resource MAY be retrieved from the SCIM <spanx style="verb">/Schemas</spanx> 
endpoint (see <xref target="RFC7644">Section 3.2</xref>).
        </t>
       
        <t>The attributes for the EventStream resource type are defined in
        <xref target="subscribeMetadata"/>.</t>
        
        <figure>
        <artwork>  {
    "id" : "urn:ietf:params:scim:schemas:event:2.0:EventStream",
    "name" : "EventStream",
    "description" : "Event Stream Configuration",
    "attributes" : [
      {
        "name" : "eventUris",
        "type" : "string",
        "multiValued" : true,
        "description" : "An array of String value containing a logical
        unique URI for Events that may be issued in the Stream",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "eventUris_req",
        "type" : "string",
        "multiValued" : true,
        "description" : "An array of String value containing a logical
        unique URI for Events that an Event Receiver is requesting.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "eventUris_avail",
        "type" : "string",
        "multiValued" : true,
        "description" : "An array of String value containing a logical
        unique URI for Events that are supported by the Transmitter",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "methodUri",
        "type" : "string",
        "multiValued" : false,
        "description" : "A String value containing the URI for the
        method used to deliver SET events. The method used indicates
        the required configuration parameters for an
        operational Event Stream configuration.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "deliveryUri",
        "type" : "string",
        "multiValued" : false,
        "description" : "A String value containing the URI for a
        feed endpoint used to pick up or deliver SET events based on
        a configured method.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "iss",
        "type" : "string",
        "multiValued" : false,
        "description" : "The URI for the publisher of the SETs that will 
        be issued for the Event Stream.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "aud",
        "type" : "string",
        "multiValued" : true,
        "description" : "An OPTIONAL Array of JSON String values which 
        are URIs representing the audience(s) of the Event Stream.  
        Values SHALL be the value of SET "aud" claim sent to the Event 
        Receiver.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "iss_jwksUri",
        "type" : "string",
        "multiValued" : false,
        "description" : "An OPTIONAL 
        String that contains the URL of the SET issuers public JSON 
        Web Key Set [RFC7517]. This contains the signing key(s) the 
        Event Receiver uses to validate SET signatures from the Event 
        Transmitter that will be used by the Event Receiver to verify 
        the authenticity of issued SETs.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "aud_jwksUri",
        "type" : "string",
        "multiValued" : false,
        "description" : "An OPTIONAL JSON Web Key Set [RFC7517] that 
        contains the Event Receiver's encryption keys that MAY be used 
        by the Event Transmitter to encrypt SET tokens for the specified 
        Event Receiver.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "status",
        "type" : "string",
        "multiValued" : false,
        "description" : "An OPTIONAL JSON String keyword that indicates 
        the current state of an Event Stream.  More information on the E
        vent Stream state can be found in Section 2.3.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none",
        "canonicalValues" : [
              "on",
              "off",
              "verify",
              "paused",
              "fail"
            ]
      },
      {
        "name" : "maxRetries",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An OPTIONAL JSON number indicating the maximum 
        number of attempts to deliver a SET.  A value of '0' indicates 
        there is no maximum. Upon reaching the maximum, the Event Stream 
        'status' attribute is set to 'failed'.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "maxDeliveryTime",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An OPTIONAL number indicating the maximum 
        amount of time in seconds a SET MAY take for successful delivery 
        per request or cumulatively across multiple retries.  Upon 
        reaching the maximum, the Event Stream 'status' is set to 
        'failed'.  If undefined, there is no maximum time.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "minDeliveryInterval",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An OPTIONAL JSON integer that represents the 
        minimum interval in seconds between deliveries.  A value of '0' 
        indicates delivery should happen immediately.  When delivery is 
        a polling method (e.g.  HTTP GET), it is the expected time 
        between Event Receiver attempts.  When in push mode (e.g. 
        HTTP POST), it is the interval the server will wait before 
        sending a new event or events.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "txErr",
        "type" : "string",
        "multiValued" : false,
        "description" : "An OPTIONAL JSON String keyword value.  When 
        the Event Stream has 'status' set to 'fail', a keyword condition
        is set.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none",
        "canonicalValues" : [
              "connection",
              "tls",
              "dnsname",
              "receiver",
              "other"
            ]        
      },
      {
        "name" : "txErrDesc",
        "type" : "string",
        "multiValued" : false,
        "description" : "An OPTIONAL String value that is usually human 
        readable that provides further diagnostic detail by the 
        indicated 'txErr' error code.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "verifyNonce",
        "type" : "string",
        "multiValued" : false,
        "description" : "An OPTIONAL String value that when changed
        or set by a Control Plane client will cause the Event Transmitter 
        to issue a single Verify Event based on the value provided.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "writeOnly",
        "returned" : "never",
        "uniqueness" : "none"
      },
      {
        "name" : "subjects",
        "type" : "complex",
        "multiValued" : true,
        "description" : "An optional list of subjects that are part of
        the Stream.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "Identifier of the member of this Group.
            The contents of this parameter are determined by the value
            of the sub-attribute 'type'.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "immutable",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "A label indicating the type of resource,
            e.g., OIDC Connect Subject, SAML Subject, Email address,
            Telephone Number, SCIM User or SCIM Group, or the URI
            of some other network addressable subject.",
            "required" : false,
            "caseExact" : false,
            "canonicalValues" : [
              "User",
              "Group",
              "OIDC",
              "SAML"
              "EMIL",
              "PHONE",
              "URI"
            ],
            "mutability" : "immutable",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "request"
      }
    ],
    
    "meta" : {
      "resourceType" : "Schema",
      "location" :
        "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group"
    }
  },
        </artwork>
        </figure>            
      </section>
      
      <section title="Acknowledgments">
      <t>The editors would like to thanks the members of the SCIM WG which 
      began discussions of provisioning events starting with: draft-hunt-scim-notify-00 in 2015.</t>
      
      <t>This draft is a re-work of material from Sections 2 and 4 of
      draft-hunt-secevent-distribution-01. The editor would like to thank
      Marius Scurtescu, Tony Nadalin, and Morteza Ansari for their 
      contributions in previous drafts.</t>
      
      <t>The editor would like to thank the participants in the the SECEVENTS
      working group for their support of this specification.</t>
    </section>

    <section title="Change Log">
      <t>Draft 00 - PH - First Draft based on control plane portions of draft-hunt-idevent-distribution</t>
      
    </section>
  </back>
</rfc>