Internet-Draft                                              S. Kushwaha
Intended status: Informational                              Oracle Corporation
Expires: October 2026                                       April 2026

   Cursor-Based Pagination for Multi-Valued Attributes in SCIM 2.0
               draft-kushwaha-scim-attr-cursor-pagination-00

Abstract

   The System for Cross-domain Identity Management (SCIM) 2.0
   specification (RFC 7644) defines pagination mechanisms at the
   resource level. However, it does not provide a standardized method
   for paginating large multi-valued attributes within a resource.

   This limitation creates scalability and performance challenges in
   modern identity systems, particularly for attributes such as group
   memberships, roles, and entitlements.

   This document proposes a cursor-based pagination mechanism for
   multi-valued attributes in SCIM resources. The proposal introduces
   attribute-level pagination parameters and response metadata,
   including total count, to improve performance, consistency, and
   usability in large-scale deployments.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   https://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   https://www.ietf.org/shadow.html

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

1.  Introduction

   SCIM 2.0 (RFC 7644) provides a standardized protocol for identity
   provisioning and management across domains. It supports pagination
   for collections of resources using parameters such as "startIndex"
   and "count".

   However, SCIM does not define pagination for multi-valued attributes
   within a resource. Examples include:

   - group.members
   - user.roles
   - user.entitlements

   In large-scale identity systems, these attributes can contain
   thousands or tens of thousands of entries, resulting in large
   payloads and degraded performance.

   This document proposes a standardized, cursor-based approach for
   paginating such attributes.

2.  Problem Statement

   Consider the following request:

   GET /Groups/{id}

   A SCIM server may return all members of a group in a single response.
   For large groups, this can lead to:

   - Excessive response payload size
   - Increased latency
   - High memory consumption on clients and servers

   Offset-based pagination is not suitable for multi-valued attributes
   in dynamic systems because membership data may change between
   requests, resulting in skipped or duplicated entries.

   There is currently no standard mechanism in SCIM to paginate
   multi-valued attributes within a resource.

3.  Proposed Solution

3.1  Attribute-Level Cursor Pagination

   This document introduces cursor-based pagination for multi-valued
   attributes.

   Clients MAY request partial results for a multi-valued attribute
   using the following query parameters:

   - attributeCursor: an opaque continuation token issued by the server
   - attributeCount: the maximum number of items to return

   Example (initial request):

   GET /Groups/{id}?attributes=members&attributeCount=100

   Example (subsequent request):

   GET /Groups/{id}?attributes=members&attributeCursor=eyJjdXJzb3IiOiIxMDAifQ==&attributeCount=100

   The cursor is opaque and MUST NOT be interpreted by the client.

3.2  Response Structure

   The server returns a subset of the multi-valued attribute along with
   pagination metadata.

   Example response:

   {
     "id": "group-123",
     "members": [
       {
         "value": "2819c223-7f76-453a-919d-413861904646",
         "$ref": "../Users/2819c223-7f76-453a-919d-413861904646",
         "display": "Babs Jensen"
       }
     ],
     "membersPagination": {
       "totalResults": 5000,
       "itemsPerPage": 100,
       "nextCursor": "eyJjdXJzb3IiOiIxMDAifQ==",
       "hasMore": true
     }
   }

3.3  Rationale

   Cursor-based pagination avoids inconsistencies caused by concurrent
   updates, scales efficiently for large datasets, and aligns with
   modern API design practices.
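
   Added example (not part of the draft): the skipped and duplicated
   entries described in Section 2, reproduced with offset paging and
   avoided with a cursor. It assumes the cursor resumes after the last
   member id returned (keyset paging), which the draft does not
   specify; the member ids and function names are constructed.

```python
import bisect

def page_by_offset(members, start, count):
    # Position-based: a delete or insert before `start` shifts every later item.
    return members[start:start + count]

def page_by_cursor(members, after, count):
    # Keyset-based: resume strictly after the last value the client received.
    # Requires a stable, unique sort key (here the member id).
    i = 0 if after is None else bisect.bisect_right(members, after)
    return members[i:i + count]

def enumerate_members(members, mutate, use_cursor, count=3):
    """Read every page; `mutate` runs once, between page 1 and page 2."""
    members = sorted(members)            # private copy, sorted by member id
    seen, start, after, first = [], 0, None, True
    while True:
        if use_cursor:
            page = page_by_cursor(members, after, count)
        else:
            page = page_by_offset(members, start, count)
        if not page:
            return seen
        seen += page
        start, after = start + len(page), page[-1]
        if first:
            mutate(members)              # concurrent change on the server
            members.sort()
            first = False

GROUP = [f"m{n:02d}" for n in range(1, 10)]   # constructed ids m01..m09

def remove_m02(members):
    members.remove("m02")    # delete an entry the client has already read

def add_m00(members):
    members.append("m00")    # insert an entry ahead of the client's position

if __name__ == "__main__":
    for change in (remove_m02, add_m00):
        for use_cursor in (False, True):
            mode = "cursor" if use_cursor else "offset"
            print(change.__name__, mode, enumerate_members(GROUP, change, use_cursor))
```

   A client that reconciles group membership from the offset walk
   never sees m04 after the deletion and counts m03 twice after the
   insertion; the cursor walk does neither.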

3.4  Backward Compatibility

   Servers MAY implement attribute-level pagination; support is
   optional. Existing SCIM clients remain unaffected.

4.  Security Considerations

   Servers MUST enforce access control for all returned data. Cursor
   tokens SHOULD be tamper-resistant and scoped appropriately.
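
   Added example (not part of the draft): one way a server could make
   cursors tamper-resistant and scoped, using an HMAC over claims that
   bind the position to the resource, attribute and caller, with an
   expiry. The claim names, key and function names are assumptions; the
   sample cursor from Section 3.1 is plain base64 JSON with no
   integrity tag, so this check rejects it.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: secret held only by the server
DRAFT_SAMPLE = "eyJjdXJzb3IiOiIxMDAifQ=="  # Section 3.1 token, decodes to JSON

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(body):
    return hmac.new(KEY, body, hashlib.sha256).digest()

def issue_cursor(resource_id, attribute, principal, last_value, ttl=300, now=None):
    """Bind the resume position to resource, attribute and caller, with expiry."""
    issued = int(time.time() if now is None else now)
    claims = {"rid": resource_id, "attr": attribute, "sub": principal,
              "after": last_value, "exp": issued + ttl}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return b64e(body) + "." + b64e(_tag(body))

def verify_cursor(token, resource_id, attribute, principal, now=None):
    """Return the resume position or raise ValueError. This does not replace
    the per-request access control check the draft requires."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = b64d(body_b64), b64d(tag_b64)
    except Exception:
        raise ValueError("malformed cursor") from None
    if not hmac.compare_digest(tag, _tag(body)):     # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(body)                        # trusted only after the MAC check
    scope = (claims["rid"], claims["attr"], claims["sub"])
    if scope != (resource_id, attribute, principal):
        raise ValueError("cursor used outside its scope")
    if (time.time() if now is None else now) > claims["exp"]:
        raise ValueError("cursor expired")
    return claims["after"]

if __name__ == "__main__":
    token = issue_cursor("group-123", "members", "alice", "m03")
    print(verify_cursor(token, "group-123", "members", "alice"))
```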

5.  Implementation Considerations

   Clients SHOULD treat cursors as opaque values. Servers SHOULD optimize
   backend queries for partial retrieval.

6.  Future Work

   Future extensions may include filtering, sorting, and schema
   standardization.

7.  IANA Considerations

   This document makes no requests of IANA.

8.  Disclaimer

   This document represents the personal views of the author and does
   not necessarily reflect the views of Oracle Corporation.

9.  References

   [RFC7644]  Hunt, P., et al., "System for Cross-domain Identity
              Management: Protocol", RFC 7644, September 2015.

Author's Address

   Saurabh Kushwaha
   Oracle Corporation
   Email: saurabhkushwaha123@gmail.com