Internet-Draft                                               S. Kushwaha
Intended status: Informational                        Oracle Corporation
Expires: October 2026                                         April 2026


    Cursor-Based Pagination for Multi-Valued Attributes in SCIM 2.0
             draft-kushwaha-scim-attr-cursor-pagination-00

Abstract

   The System for Cross-domain Identity Management (SCIM) 2.0
   specification (RFC 7644) defines pagination mechanisms at the
   resource level. However, it does not provide a standardized method
   for paginating large multi-valued attributes within a resource. This
   limitation creates scalability and performance challenges in modern
   identity systems, particularly for attributes such as group
   memberships, roles, and entitlements.

   This document proposes a cursor-based pagination mechanism for
   multi-valued attributes in SCIM resources. The proposal introduces
   attribute-level pagination parameters and response metadata,
   including total count, to improve performance, consistency, and
   usability in large-scale deployments.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   https://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   https://www.ietf.org/shadow.html

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

1. Introduction

   SCIM 2.0 (RFC 7644) provides a standardized protocol for identity
   provisioning and management across domains. It supports pagination
   for collections of resources using parameters such as "startIndex"
   and "count".

   However, SCIM does not define pagination for multi-valued attributes
   within a resource. Examples include:

   - group.members
   - user.roles
   - user.entitlements

   In large-scale identity systems, these attributes can contain
   thousands or tens of thousands of entries, resulting in large
   payloads and degraded performance.

   This document proposes a standardized, cursor-based approach for
   paginating such attributes.

2. Problem Statement

   Consider the following request:

      GET /Groups/{id}

   A SCIM server may return all members of a group in a single
   response. For large groups, this can lead to:

   - Excessive response payload size
   - Increased latency
   - High memory consumption on clients and servers

   Offset-based pagination is not suitable for multi-valued attributes
   in dynamic systems because membership data may change between
   requests, resulting in skipped or duplicated entries.

   There is currently no standard mechanism in SCIM to paginate
   multi-valued attributes within a resource.

3. Proposed Solution

3.1 Attribute-Level Cursor Pagination

   This document introduces cursor-based pagination for multi-valued
   attributes.

   Clients MAY request partial results for a multi-valued attribute
   using the following query parameters:

   - attributeCursor: an opaque continuation token issued by the server
   - attributeCount: the maximum number of items to return

   Example (initial request):

      GET /Groups/{id}?attributes=members&attributeCount=100

   Example (subsequent request):

      GET /Groups/{id}?attributes=members&attributeCursor=eyJjdXJzb3IiOiIxMDAifQ==&attributeCount=100

   The cursor is opaque and MUST NOT be interpreted by the client.

3.2 Response Structure

   The server returns a subset of the multi-valued attribute along with
   pagination metadata.

   Example response:

      {
        "id": "group-123",
        "members": [
          {
            "value": "2819c223-7f76-453a-919d-413861904646",
            "$ref": "../Users/2819c223-7f76-453a-919d-413861904646",
            "display": "Babs Jensen"
          }
        ],
        "membersPagination": {
          "totalResults": 5000,
          "itemsPerPage": 100,
          "nextCursor": "eyJjdXJzb3IiOiIxMDAifQ==",
          "hasMore": true
        }
      }

3.3 Rationale

   Cursor-based pagination avoids inconsistencies caused by concurrent
   updates, scales efficiently for large datasets, and aligns with
   modern API design practices.

3.4 Backward Compatibility

   Servers MAY implement attribute-level pagination optionally.
   Existing SCIM clients remain unaffected.

4. Security Considerations

   Servers MUST enforce access control for all returned data. Cursor
   tokens SHOULD be tamper-resistant and scoped appropriately.

5. Implementation Considerations

   Clients SHOULD treat cursors as opaque values. Servers SHOULD
   optimize backend queries for partial retrieval.

6. Future Work

   Future extensions may include filtering, sorting, and schema
   standardization.

7. IANA Considerations

   This document makes no requests of IANA.

8. Disclaimer

   This document represents the personal views of the author and does
   not necessarily reflect the views of Oracle Corporation.

9. References

   [RFC7644]  Hunt, P., et al., "System for Cross-domain Identity
              Management: Protocol", RFC 7644, September 2015.

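   One way to meet the Section 4 requirement that cursor tokens be
   tamper-resistant and scoped, given as an added example that is not
   part of the draft: an HMAC-SHA-256 cursor bound to the resource,
   attribute and caller, carrying a keyset position so that the
   concurrent changes described in Section 2 do not skip entries. The
   key, the claim names (rid, attr, sub, after, exp), the 300-second
   lifetime and all function names are assumptions of this example.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients

class CursorError(Exception):
    """Cursor is malformed, forged, out of scope, or expired."""

def _mac(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).digest()

def issue_cursor(group_id, attr, subject, after, now=None, ttl=300):
    """Bind the position ('after' = last value returned) to resource, attribute, caller."""
    issued = int(now if now is not None else time.time())
    claims = {"rid": group_id, "attr": attr, "sub": subject,
              "after": after, "exp": issued + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    enc = base64.urlsafe_b64encode
    return (enc(payload) + b"." + enc(_mac(payload))).decode()

def verify_cursor(token, group_id, attr, subject, now=None):
    """Return the stored position or raise CursorError; the MAC is checked before parsing."""
    try:
        p64, m64 = token.encode().split(b".")
        payload, mac = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(m64)
    except ValueError:  # wrong number of parts, or invalid base64
        raise CursorError("malformed")
    if not hmac.compare_digest(mac, _mac(payload)):
        raise CursorError("bad signature")
    c = json.loads(payload)
    if (c["rid"], c["attr"], c["sub"]) != (group_id, attr, subject):
        raise CursorError("scope mismatch")
    if c["exp"] < (now if now is not None else time.time()):
        raise CursorError("expired")
    return c["after"]

def page_members(members, group_id, subject, count, cursor=None, now=None):
    """Keyset page over member values; metadata mirrors the draft's membersPagination."""
    count = max(1, int(count))
    after = verify_cursor(cursor, group_id, "members", subject, now) if cursor else ""
    ordered = sorted(m for m in members if m > after)
    page, more = ordered[:count], len(ordered) > count
    meta = {"totalResults": len(members), "itemsPerPage": len(page), "hasMore": more}
    if more:
        meta["nextCursor"] = issue_cursor(group_id, "members", subject, page[-1], now)
    return page, meta
```

   Access control on the returned members still has to be enforced on
   every request; a valid cursor only proves the position was issued by
   this server for this caller, resource and attribute.
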
Author's Address

   Saurabh Kushwaha
   Oracle Corporation

   Email: saurabhkushwaha123@gmail.com