10 changes: 5 additions & 5 deletions docs/MiddlewareAPI.md
Expand Up @@ -117,8 +117,8 @@ Example of possible error messages. These may differ in the real world, but give

### Allowed to self-vet using an existing self-asserted token?

Is the Identity allowed to self-vet a token using a self-asserted token (SAT). This is only allowed when the only token(s)
possessed by the identity are of the self-asserted token vetting type. If another token type is registered, the
Is the Identity allowed to self-vet a token using a self-asserted token (SAT). This is only allowed when the only token(s)
possessed by the identity are of the self-asserted token vetting type. If another token type is registered, the
middleware will nudge the user to use that token. As using a SAT token will result in a token with a lowered LoA. As the
identity of the user is not verified by a RA(A).
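Review bot: the removed and added lines at the top of this hunk read identically, so the change appears to be whitespace only; moving that cleanup into its own commit would keep the method change easier to review. Since the paragraph is being touched anyway, the two context sentences beginning "As using a SAT token" and "As the identity of the user" are fragments and could be joined, for example: "Using a SAT will result in a token with a lowered LoA, as the identity of the user is not verified by a RA(A)."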

Expand Down Expand Up @@ -193,7 +193,7 @@ Basic Command Structure

### Request
URL: `http://middleware.tld/deprovision/{collabPersonId}
Method: DELETE
Method: DELETE or GET
Request parameters:
- collabPersonId: collabPersonId of the identity
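Review bot: the changed line `Method: DELETE or GET` does not say what a GET on `/deprovision/{collabPersonId}` does compared with a DELETE. If GET performs the same deprovisioning, a method that clients, proxies and prefetchers treat as safe and repeatable now triggers a destructive action. Document GET as a separate read-only operation with its own response, or keep the method as DELETE only. The URL on the context line above is also missing its closing backtick.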

Expand Down Expand Up @@ -314,7 +314,7 @@ Request parameters:
In order to inform RA(A) users about which institutions they are authorized to manage we need profile information.
The profile endpoint aggregates the identity of the user with the FGA configuration of the institution he/she hails from.

### Request
### Request
URL: `http://middleware.tld/profile/{identityId}`
Method: GET
Request parameters:
Expand All @@ -334,7 +334,7 @@ Request parameters:
"is_sraa": false,
"authorizations": {
"ra": ["institution-a", "institution-b"],
"raa": ["institution-a"]
"raa": ["institution-a"]
},
"implicit_raa_at": ["institution-a", "institution-b"]
}
Member

See previous comment. It looks like the MW deprovision API does not adhere to the API that lifecycle expects (a GET only returns the user's info, it does not deprovision the user)

Member

@johanib What do you think of this?

Contributor

Lifecycle: GET /deprovision/<collabPersonId>
> Middleware GET deprovision/<collabPersonId> 🔴 Does not exist.

DELETE /deprovision/<collabPersonId>
> DELETE deprovision/<collabPersonId> ✔️

DELETE /deprovision/<collabPersonId>/dry-run
> DELETE deprovision/<collabPersonId>/dry-run ✔️

Without taking the new GET from Peter into consideration, Pieter is right:
The GET deprovision/<collabPersonId> does not exist in middleware. User lifecycle implements it in code & documentation, but it does not work. So, if this is needed, we should add the new GET route to middleware, and return the data.
Usually, GET should not perform mutations, especially in this context where DELETE is also used.

In summary, I think we should follow the lifecycle specifications.

@phavekes what's the reason for this PR? Is there another component besides user lifecycle that calls the deprovision endpoints on Middleware?

... On the other hand, why is the GET even needed, if the DRY RUN returns the same data? (But then the dry run should just return no data)

Another tweak:
The DELETE deprovision/<collabPersonId>/dry-run route in middleware should only accept DELETE requests. It currently accepts all HTTP verbs.

Expand Up @@ -43,7 +43,7 @@ deprovision:
defaults:
_controller: Surfnet\StepupMiddleware\ApiBundle\Controller\DeprovisionController::deprovision
_format: json
methods: [ DELETE ]
methods: [ DELETE, GET ]

identity:
path: /identity/{id}
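Review bot: `methods: [ DELETE, GET ]` routes GET to the same `DeprovisionController::deprovision` action as DELETE, so unless that action branches on the request method, a GET will run the deprovisioning. Give GET its own route with a read-only controller action that only returns the data, and leave this route at `methods: [ DELETE ]`.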