draft-hunt-secevent-distribution.xml

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type='text/xsl' href='http://xml.resource.org/authoring/rfc2629.xslt' ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-hunt-secevent-distribution-02"
	ipr="trust200902">
	<front>
		<title abbrev="draft-hunt-secevent-distribution">
			SET Token Delivery Using HTTP</title>

		<author fullname="Phil Hunt" initials="P." role="editor"
			surname="Hunt">
			<organization abbrev="Oracle">Oracle Corporation</organization>

			<address>
				<email>phil.hunt@yahoo.com</email>
			</address>
		</author>
    
    <author fullname="Marius Scurtescu" initials="M.S." surname="Scurtescu">
      <organization abbrev="Google">Google</organization>

      <address>
        <email>mscurtescu@google.com</email>
      </address>
    </author>

		<date year="2017" />

		<keyword>Internet-Draft</keyword>

		<abstract>
			<t>
				This specification defines how a series of security event tokens 
        (SETs) may be delivered to a previously registered receiver 
        using HTTP over TLS. The specification defines the metadata the 
        an Event Transmitter uses to describe the Event Receiver's HTTP 
        endpoint and the SET token delivery configuration. The 
        specification defines how the Event Receiver may check the 
        current configuration metadata and delivery status using 
        HTTP GET over TLS. The specification also defines how delivery 
        can be assured subject to the SET Token Receiver's need for assurance.
        </t>
		</abstract>
	</front>

	<middle>
		<section anchor="intro" title="Introduction and Overview" toc="default">
			
      <t>
        This specification defines how a stream of SETs (see <xref target="I-D.ietf-secevent-token"/>)
        can be transmitted to a previously registered 
        Event Receiver using HTTP POST <xref target="RFC7231"/>
        over TLS. The specification defines the metadata the Event Transmitter
        uses to describe the Event Receiver's HTTP endpoint and the SET token 
        delivery configuration. The specification defines how
        the Event Receiver may check the current configuration metadata 
        and delivery status using HTTP GET over TLS. The specification 
        also defines how delivery can be assured subject to the SET 
        Token Receiver's need for assurance. 
      			</t>

			<figure anchor="notificationStream" title="SET Event Stream">
          <preamble>The following diagram shows a typical SET Event 
          Stream. A stream consists of a pair of HTTP endpoints, one for 
          the event stream transmitter and one for the receiver. The 
          receiver endpoint is used by the transmitter to deliver SET 
          events via HTTPS POST and is known as the "Data Plane". The 
          transmitter's HTTP endpoint is used by the receiver to perform 
          HTTPS GET requests to check the stream status and is known as 
          the "Control Plane". In the diagram, the arrow heads point
        to the service provider (the direction of an HTTP request):</preamble>
					<artwork align="center">
+-----------+ Data Plane            +----------+
|Transmitter+------HTTP POST--------> Receiver |
|           &lt;------HTTP GET---------+          |
+-----------+         Control Plane +----------+
</artwork>
        <postamble></postamble>
			</figure>
      <figure anchor="notificationIDP" title="Duplexed Streams"><preamble>
        In some service provider relationships, for example between 
        Identity Providers and Relying Parties, there may be a need to 
        have bi-directional SET event exchange. This involves 
        establishing a second event stream that works with transmitter 
        and receiver roles reversed.
      </preamble>
      <artwork align="center">
  Identity                             Relying
  Provider                             Party

                 IDP to RP Stream

+-----------+ Data Plane            +------------+
|Transmitter+-----------------------> Receiver   |
|           &lt;-----------------------+            |
+-----------+         Control Plane +------------+


                 RP to IDP Stream

+-----------+ Data Plane            +------------+
| Receiver  &lt;-----------------------+ Transmitter|
|           +----------------------->            |
+-----------+         Control Plane +------------+
      </artwork></figure>
      <t>This specification contains two major sections:<list style="hanging">
        <t hangText="Control Plane">The service through which Event 
        Receivers can review and optionally managed Event Streams. 
        It defines the metadata associated with Event Streams along 
        with stream status reporting.</t>
        <t hangText="Data Plane">Through which SET Events are
        delivered by an Event Transmitter to an Event Receiver using 
        a defined Event Stream. The Data Plane includes a verification 
        process which tests and validates Event Stream configuration. 
        The Data plan defines processing and error 
        signaling used in the delivery of SETs.</t>
      </list> </t>
      

			<section anchor="notat" title="Notational Conventions" toc="default">
				<t>
					The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
					"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
					this
					document are to be interpreted as described in
					<xref target="RFC2119" />
					. These keywords are capitalized when used to
					unambiguously specify requirements of the protocol or application
					features and behavior that affect the inter-operability and security of
					implementations. When these words are not capitalized, they are
					meant
					in their natural-language sense.
				</t>

				<t>
					For purposes of readability examples are not URL encoded.
					Implementers MUST percent encode URLs as described in
					<xref target="RFC3986">Section 2.1 of</xref>
					.
				</t>

				<t>Throughout this documents all figures MAY contain spaces and
					extra
					line-wrapping for readability and space limitations. Similarly, some
					URI's contained within examples, have been shortened for space and
					readability reasons.
				</t>
			</section>

			<section anchor="defs" title="Definitions" toc="default">
        <t>This specification assumes terminology defined in the Security
        Event Token specification<xref target="I-D.ietf-secevent-token"/>
        .</t>
				<t>
					The following definitions are defined for Security Event distribution:
					<list style="hanging">
          
            <t hangText="Identity Provider"><vspace/>
              An Identity Provider is a service provider that issues authentication
              assertions that may be used by Relying Party service providers
              to establish login sessions with users. Examples of Identity 
              Providers are defined in: OpenID Connect 
              <xref target="openid-connect-core"/> and SAML2 
              <xref target="saml-core-2.0"/>. For the purpose of this 
              specification an Identity Provider also includes any provider
              of services where the compromise of an account may open up 
              relying parties to attack. For example for the purposes of
              security events, an email service provider could be 
              considered an "implicit" Identity Provider.
            </t>
              
            <t hangText="Relying Party"><vspace/>
              A Relying Party is a service provider that accepts assertions 
              from Identity Providers to establish sessions. Examples of 
              Relying Parties are defined in: OpenID Connect 
              <xref target="openid-connect-core"/> and SAML2 
              <xref target="saml-core-2.0"/>
            </t>          
            
            <t hangText="Event Transmitter"><vspace/>
              A service provider that delivers SETs to other providers known
              as Event Receivers. Some examples of Event Transmitters are 
              Identity Providers and Relying Parties. An Event Transmitter
              is responsible for offering a service that allows the Event
              Receiver to check the Event Stream configuration and status
              known as the "Control Plane". 
            </t>
            
            <t hangText="Event Receiver"><vspace/>
              A service provider that registers to receive SETs from 
              an Event Transmitter and provides an endpoint to receive
              SETs via HTTP POST (known as the "Data Plane"). 
              Some examples of Event Receivers are 
              Identity Providers and Relying Parties. Event Receivers
              can check current Event Stream configuration and status by
              accessing the Event Transmitters "Control Plane".
            </t>
  
            <t hangText="Event Stream"><vspace/>
              An Event Stream establishes Event Receiver communication
              endpoints, security configuration and feed content that 
              is used by an Event Transmitter to
              send a series of SET Events to an Event Receiver. An Event 
              Stream defines a "Data Plane" and "Control Plane" service
              relationship between
              an Event Transmitter and and Event Receiver. 
            </t>
              
            <t hangText="Control Plane"><vspace/>
              A Control Plane represents an service offered by an Event
              Transmitter that lets an Event Receiver query the current
              operational and/or error status of an Event Stream.  The
              Control Plane MAY also be used to retrieve Event Stream
              and SET configuration data.
            </t>
            
            <t hangText="Data Plane"><vspace/>
              The Data Plane represents the HTTP service offered by an 
              Event Receiver that allows the Event Transmitter to 
              deliver multiple SETs via HTTP POST as part of an Event
              Stream.</t>
            
						<t hangText="Event Family"><vspace/>An Event Family is a 
              URI that describes the set of events types be issued in 
              an Event Stream.
						</t>
            
            <t hangText="Subject"><vspace/>
              The security subject around which a security event has 
              occurred. For example, a security subject might per a user, 
              a person, an email address, a service provider entity, an
              IP address, an OAuth Client, a mobile device, or any identifiable
              thing referenced in security and authorization systems.
            </t>

					</list>
				</t>
			</section>
		</section>
    

    <section title="Control Plane - Monitoring">
  
    <t>The Control Plane is provided by the Event Transmitter and
    enables Event Receivers to check the Event Stream configuration
    and check for transmission errors. This section describes mandatory
    to implement functionality to enable Event Receivers to detect
    SET delivery problems that may occur when an Event Transmitter fails
    to deliver SETs.</t>
    
    <t>Implementers MAY optionally implement and support full Event Stream 
    provisioning and management as described in <xref target="streamManagement"/>.
    This functionality also allows Event Receivers to "pause", "disable",
    or re-enable Event Streams in scenario where the operational
    needs of the receiver need to be co-ordinated with Event Transmitters 
    (see <xref target="subState"/> and <xref target="patchSub"/>).</t>
    
    <t>SCIM defines flexible mechanisms to ease adaptability
    to different underlying data systems while maximizing 
    inter-operabilty. <xref target="RFC7643">Section 2</xref>
    SHALL provide the processing rule that enable Control Plane 
    providers and clients negotiate specific attributes (metadata) 
    including differing provider definitions of attribute types, 
    mutability, cardinality, or returnability that MAY differ. 
    For HTTP method handling and error signaling, the 
    processing rules in <xref target="RFC7644"/> SHALL apply. </t>
      
    
    <section anchor="subscribeMetadata" title="Event Stream Configuration">
   
      <t>An Event Stream represents an agreement to deliver SETs from a
      specified Feed URI from an Event Transmitter to an Event Receiver.
      The method of delivery and the 
      parameters for delivery are specified a set of parameters called 
      Event Stream metadata (see <xref target="subscribeMetadata" />).
      </t>   
   
          <t>
            An Event Stream is defined by the following metadata:
            <list style="hanging">
              <t hangText="feedUri"><vspace />An OPTIONAL JSON String value containing the URI
              for a feed supported by the feed provider. It describes the 
              content of the feed and MAY also be a resolvable URI where the
              feed meta data may be returned as a JSON object. REQUIRED.</t>

              <t hangText="methodUri"><vspace />A REQUIRED JSON String value
              which is a URI with a prefix of <spanx style="verb">urn:ietf:params:set:method</spanx>.
              This specification defines HTTP POST delivery method:
              <spanx style="verb">urn:ietf:params:set:method:HTTP:webCallback</spanx>
              <vspace blankLines="0" /> in which the Feed Provider delivers events 
              using HTTP POST to a specified callback URI.</t>
              
              <t hangText="deliveryUri"><vspace />A JSON String value
              containing a URI that describes the location where
              SETs are received (e.g. via HTTP POST). Its format and usage requirements are 
              defined by the associated <spanx style="verb">methodUri</spanx>.</t>

              <t hangText="iss"><vspace/>The URI for the publisher of the SETs 
              that will be issued for the Event Stream. See 
              <xref target="I-D.ietf-secevent-token">Section 2.1</xref>.
              [[Editors Note: Are multiple publishers expected for the same
              stream? Should iss be multi-valued?]]</t>
              
              <t hangText="aud"><vspace blankLines="0" />An OPTIONAL 
              JSON Array of JSON String values which are URIs representing 
              the audience(s) of the Event Stream. The value SHALL be the value 
              of SET "aud" claim sent to the Event Receiver.
              </t>

              <t hangText="iss_jwks_uri"><vspace blankLines="0" />An OPTIONAL 
              String that contains the URL of the SET issuers public JSON 
              Web Key Set <xref target="RFC7517"></xref>. This contains 
              the signing key(s) the RP uses to validate SET signatures
              from the Event Transmitter that will be used by the Event 
              Receiver to verify the authenticity of issued SETs. </t>

              <t hangText="confidential_Jwks_uri"><vspace blankLines="0" />An OPTIONAL 
              JSON Web Key Set <xref target="7517"/> that contains the 
              Event Receiver's encryption keys that MAY be used by the 
              Event Transmitter to 
              encrypt SET tokens for the specified Event Receiver.</t>

              <t hangText="subStatus"><vspace blankLines="0" />An OPTIONAL 
              JSON String keyword that indicates the current state of an Event Stream.
              More information on the Event Stream state can be found in 
              <xref target="subState"/>. Valid keywords are:<list>
                  <t><spanx style="verb">on</spanx> - indicates the Event Stream
                  has been verified and that the Feed Provider MAY pass 
                  SETs to the Event Receiver.</t>

                  <t><spanx style="verb">verify</spanx> - indicates the 
                  Event Stream is pending verification. While in "verify", 
                  SETs, except for the verify SET (see 
                  <xref target="verifyStream"/>) are not delivered to the 
                  Event Receiver. Once verified, the status returns to 
                  <spanx style="verb">on</spanx>.</t>

                  <t><spanx style="verb">paused</spanx> - indicates the
                  Event Stream is temporarily suspended. While 
                  <spanx style="verb">paused</spanx>, SETs SHOULD be 
                  retained and delivered when state returns to 
                  <spanx style="verb">on</spanx>. If delivery is paused
                  for an extended period defined by the Event Transmitter,
                  the Event Transmitter MAY change the state to 
                  <spanx style="verb">off</spanx> indicating SETs are
                  no longer retained.</t>

                  <t><spanx style="verb">off</spanx> - indicates that the
                  Event Stream is no longer passing SETs. While in off mode,
                  the Event Stream metadata is maintained, but new events 
                  are ignored, not delivered or retained. Before returning
                  to <spanx style="verb">on</spanx>, a verification MUST
                  be performed.</t>

                  <t><spanx style="verb">fail</spanx> - indicates that the
                  Event Stream was unable to deliver SETs to the
                  Event Receiver due an unrecoverable error or for an 
                  extended period of time. Unlike paused
                  status, a failed Event Stream does not retain existing
                  or new SETs that are issued. Before returning
                  to <spanx style="verb">on</spanx>, a verification MUST
                  be performed.</t>
                </list></t>
                
              <t hangText="maxRetries"><vspace blankLines="0" />An OPTIONAL 
              JSON number indicating the 
              maximum number of attempts to deliver a SET. A value of '0'
              indicates there is no maximum. Upon reaching the maximum, the 
              Event Stream <spanx style="verb">subStatus</spanx> attribute is set
              to <spanx style="verb">failed</spanx>.</t>
              
              <t hangText="maxDeliveryTime"><vspace/>
              An OPTIONAL number indicating
              the maximum amount of time in seconds a SET MAY take for
              successful delivery per request or cumulatively across 
              multiple retries.  Upon reaching the maximum, the 
              Event Stream <spanx style="verb">subStatus</spanx> is set
              to <spanx style="verb">failed</spanx>. If undefined, there 
              is no maximum time.</t>
              
              <t hangText="minDeliveryInterval"><vspace/>
              An OPTIONAL JSON integer that represents the minimum 
              interval in seconds between deliveries. A value of '0'
              indicates delivery should happen immediately. When delivery is
              a polling method (e.g. HTTP GET), it is the expected time between Event Receiver attempts.
              When in push mode (e.g. HTTP POST), it is the interval the server
              will wait before sending a new event or events.</t>
              
              <t hangText="txErr"><vspace />
              An OPTIONAL JSON String keyword value. 
              When the Event Stream has <spanx style="verb">subState</spanx>
              set to <spanx style="verb">fail</spanx>, one of the following
              error keywords is set:<list>
              
                <t><spanx style="verb">connection</spanx> indicates an
                error occurred attempting to open a TCP connection with
                the assigned endpoint.</t>
                <t><spanx style="verb">tls</spanx> indicates an error
                occurred establishing a TLS connection with the assigned
                endpoint.</t>
                <t><spanx style="verb">dnsname</spanx> indicates an error
                occurred establishing a TLS connection where the dnsname
                was not validated.</t>
                <t><spanx style="verb">receiver</spanx> indicates an error
                occurred whereby the Event Receiver has indicated an error
                for which the Event Transmitter is unable to correct.</t>
             
              </list>
              [[Editors note: other conditions?]]
              </t>
              
              <t hangText="txErrDesc"><vspace/>
              An OPTIONAL String value that is
              usually human readable that provides further diagnostic
              detail by the indicated <spanx style="verb">txErr</spanx>
              error code.</t>
            </list></t>
            
            <t>Additional Event Stream metadata (attributes) MAY be defined
            as extensions. The method for adding new attributes is defined in 
            <xref target="RFC7643">Section 3.3</xref>.</t>
        </section>
        
        <section anchor="subState" title="Event Stream State Model">
          <t>The Event Stream configuration attribute <spanx style="verb">subStatus</spanx>
          tracks the state of any particular Event Stream with regards to
          whether SETs are ready or able to be delivered. The impact on 
          delivery processing is described in <xref target="processingStatus" />.</t>
          <figure anchor="stateDiag" title="Event Stream States at Event Transmitter">
          <preamble>The following is the state machine representation of a
          Event Stream on a Event Transmitter. Note that a Event Stream cannot
          be made active until a verification process has been completed. As 
          such, a newly created Event Stream begins with state 
          <spanx style="verb">verify</spanx>.</preamble>
          <artwork>
                               +
                               |
                             Create
                               v
    +------+              +----------+
    | fail +->Restart---->|  verify  |
    +------+              +----+-----+
        ^                      |
        |&lt;----Confirm Fail&lt;----+
        |                   Confirm
        |                      v
        |                 +----------+               +--------+
        |                 |          +--->Suspend--->|        |
        +------Timeout&lt;---+    on    |               | paused |
                          |          |&lt;--Resume&lt;-----+        |
                          +-+--------+               +----+---+
                            |      ^                      |
                         Disable Enable                   |
                            v      |                      |
                          +--------+-+                    |
                          |   off    |&lt;----Limited&lt;-------+
                          +----------+</artwork>
          </figure>
          <t>In the above diagram, the following actions impact the state
          of an Event Stream. <spanx style="verb">subStatus</spanx> values are shown in
          the boxes, and change based on the following actions:<list style="hanging">
          
            <t hangText="Create"><vspace />A Event Receiver or an administrator creates
            a new Event Stream using SCIM as described in <xref target="createSub"></xref>.
            The initial state is <spanx style="verb">verify</spanx>.</t>
            
            <t hangText="Confirm"><vspace />The Event Transmitter sends a verification
            SET to the Event Receiver which confirms with the correct response as
            described in <xref target="verifyStream" />. If it succeeds
            to deliver, the Event Transmitter SHALL set state to 
            <spanx style="verb">on</spanx>.</t>
            
            <t hangText="Confirm Fail"><vspace />If the confirmation fails,
            the Event Transmitter sets the state to <spanx style="verb">fail</spanx>
            requiring administrative action to correct the issue and 
            <spanx style="verb">Restart</spanx>.</t>
            
            <t hangText="Timeout"><vspace />A Event Transmitter who has not been
            able to deliver a SET over one or more retries which has reached
            a limit of attempts (<spanx style="verb">maxRetries</spanx>) 
            or time (<spanx style="verb">maxDeliveryTime</spanx>)
            MAY set the Event Stream state to <spanx style="verb">fail</spanx>.
            In general, the intention is to indicate the maximum
            number of retries or time a Event Transmitter is able to wait until
            SET event loss begins to occur resulting in the failed state.</t>
            
            <t hangText="Limited"><vspace/>A paused Event Stream has reached
            a limit and the Event Transmitter can no longer retain SETs.
            The Event Transmitter changes the state to <spanx style="verb">off</spanx>.</t>
            
            <t hangText="Restart"><vspace />An administrator having corrected the 
            failed delivery condition modifies the Event Stream state to
            <spanx style="verb">verify</spanx> (e.g. see <xref target="patchSub" />).
            </t>
            
            <t hangText="Suspend and Resume"><vspace />An Event Stream MAY be 
            suspended and resumed by updating the Event Stream state to
            <spanx style="verb">paused</spanx> or <spanx style="verb">on</spanx>. For
            example, see see <xref target="patchSub" />. While suspended,
            the Event Transmitter MAY retain undelivered SETs for a period of time.
            If the Event Transmitter is no longer able to retain SETs, the Event Stream
            state SHOULD be set to <spanx style="verb">off</spanx> to indicate
            SETs are being lost.
            </t>
            
            <t hangText="Enable and Disable"><vspace />A Event Stream MAY be
            disabled and enabled by updating the Event Stream state to
            <spanx style="verb">off</spanx> or <spanx style="verb">on</spanx>. For
            example, see see <xref target="patchSub" />. While the Event Stream
            is disabled, all SETs that occur at the Event Transmitter are lost.</t>
          </list></t>
        
        </section>
        
        <section anchor="getStatus" title="Checking Stream Configuration and Stream State">
          <t>An Event Receiver MAY check the current status of a Stream
          with the Event Transmitter, by performing an HTTP GET using the
          provided URI from the Transmitter.</t>
          <t>The format of the response is defined by <xref target="RFC7644">Section TBD</xref>.
          </t>
          
          <t>In addition to the attributes defined in 
          <xref target="subscribeMetadata"/>, the response SHALL include
          an additional JSON attribute <spanx style="verb">schemas</spanx>
          with at least a single value of <spanx style="verb">urn:ietf:params:scim:schemas:event:2.0:EventStream</spanx>.
          This static attribute is provided to enable optional SCIM client
          compatibility and informs the client of the type of JSON 
          object being returned. Service providers may offer additional 
          attributes by adding additional schema values as per <xref target="RFC7644"/>.
          </t>
         
<figure anchor="streamResponse" title="Example Stream GET Response">
<preamble>The response below shows an example response to an HTTP GET, 
in this case to <spanx style="verb">https://example.com/v2/EventStreams/767aad7853d240debc8e3c962051c1c0</spanx>.</preamble>
<artwork>HTTP/1.1 200 OK
Content-Type: application/json
Location: 
 https://example.com/v2/EventStreams/767aad7853d240debc8e3c962051c1c0

{
  "schemas":["urn:ietf:params:scim:schemas:event:2.0:EventStream"],
  "id":"767aad7853d240debc8e3c962051c1c0",
  "feedName":"OIDCLogoutFeed",
  "feedUri":
    "https://example.com/v2/Feeds/88bc00de776d49d5b535ede882d98f74",
  "methodUri":"urn:ietf:params:set:method:HTTP:webCallback",
  "deliveryUri":"https://notify.examplerp.com/Events",
  "aud":"https://sets.myexamplerp.com",
  "subStatus":"fail",
  "txErr":"connection",
  "txErrDesc":"TCP connect error to notify.examplerp.com.",
  "maxDeliveryTime":3600,
  "minDeliveryInterval":0,
  "description":"Logout events from oidc.example.com",
  "meta":{
     ... SCIM meta attributes ...
  }
}</artwork>
</figure>  
      <t>In the above figure, the Event Stream is showing a failed
      status due to a TCP connection error. The Event Receiver is
      able to discover that its endpoint was unavailable and has been
      marked failed by the Event Transmitter. It is expected that the
      appropriate operations staff would be alerted and some 
      corrective action would be taken.</t>
      
      <t>The frequency with which Event Receivers should poll the
      Event Stream status depends on the following factors: <list style="symbols">
      <t>The level of technical fault tolerance and availability of the 
      receiving endpoint.</t>
      <t>A frequency appropriate to the amount of risk that can be tolerated for lost
      events. For example, if Security Events are considered informational,
      then infrequent (hourly or daily) may be sufficient.</t>
      </list>
      In most cases Event Stream status polling can be triggered on a 
      timeout basis. Event Receivers would typically poll if they have not
      received a SET for some period during which SETs would be expected
      based on past experience.
      </t>
      
  </section>
  
  
  </section>
   
  <section title="Data Plane">
    <t>The data plane represent the HTTP request channel by which the Event
    Transmitter delivers SET Events to an Event Receiver.</t>
    <section anchor="process" title="Event Delivery Process">
			<t>When a Security Event occurs, the Feed Provider constructs a SET
      token <xref target="I-D.ietf-secevent-token" /> that describes the	event. 
      The feed provider determines the feeds that the event should be 
      distributed to, and determines which Event Receivers need to be notified.</t>
      <t> 
      How SET Events are defined and the process by which events are identified for 
      Event Receivers is out-of-scope of this	specification.
			</t>

			<t>
			When a SET is available for a Event Receiver, the Feed Transmitter
			attempts to deliver the SET based on the Event Receiver's registered
			delivery mechanism:
			<list style="symbols">
				<t>The Event Transmitter uses an HTTP/1.1 POST to the Event 
        Receiver endpoint to deliver the SET;
			  </t>

			  <t>Or, the Feed Transmitter delivers the event through a different
        method not defined by this specification.
			  </t>
			</list>
			</t>

			<t>Feed Transmitters SHALL NOT be required to main or record SETs.  
      As such, transmitted SETs SHOULD be self-validating (e.g. signed).
			</t>

			<t>
				If delivery to any particular Event Receiver has been delayed for
				an extended period of time, the Feed Transmitter MAY suspend the
        affected Event Stream and even stop maintaining outstanding SETs for
				the Event Receiver at its discretion and available resources. See Event Stream
				<spanx style="verb">subState</spanx> in <xref target="subscribeMetadata" />.
			</t>

			<t>
				Upon receiving a SET, the Event Receiver reads the SET and validates 
        it. Based upon the content of the token, the Event Receiver decides what, 
        if any, action needs to be taken in response to the received SET. For 
        example, in response to a SCIM provisioning event <xref target="idevent-scim" /> 
        indicating a changed resource, the Event Receiver might perform a 
        SCIM GET request (see <xref target="RFC7644">Section 3.4</xref>)
				to the affected resource URI in order to confidentially obtain 
        the current state of the transmitter's affected SCIM resource in 
        order to reconcile local corresponding state changes. 
      </t>
        
      <t>
        The action a Event Receiver takes in response to a SET MAY be 
        substantially different than merely copying the action of the 
        SET issuer. 
        A single SET can trigger one or more receiver actions or
        it can be ignored. For example, upon receiving 
        notification that a user resource has been added to a group, the 
        Event Receiver may first determine that the user does not exist in the 
        Event Receiver's domain. The Event Receiver translates the event into two 
        actions:<list style="numbers">
          <t>Retrieve the user (e.g. using SCIM GET) and then provisions 
          the user locally. After enabling the user,</t>
          <t>The Event Receiver then enables the user for the application 
        associated with membership in the issuer's group.</t>
        </list>  
			</t>    
  </section>
  
  <section title="Event Stream State">
     <t>As mentioned in <xref target="subscribeMetadata" />, the attribute 
     <spanx style="verb">subStatus</spanx> defines the current state of 
     an Event Stream. <xref target="stateDiag" /> shows a state 
     diagram for Event Streams. The following describes that actions taken
     by the Event Transmitter based upon <spanx style="verb">subStatus</spanx>.</t>
     <texttable anchor="processingStatus" title="Delivery Processing By Status">
     <ttcol>Status</ttcol><ttcol>Action</ttcol>
     
     <c>on</c><c>Delivery SHALL be attempted based on the method defined
     in the Event Stream attribute <spanx style="verb">methodUri</spanx>.
     If the SET fails to deliver it MAY be retained for a retry delivery in a minimum
     of <spanx style="verb">minDeliveryInterval</spanx> seconds. If new SETs arrive before 
     the interval, the SETs MUST be held for delivery in order of reception.
     If this is a repeat attempt to deliver, the Event Transmitter MAY discard
     the SET if <spanx style="verb">maxRetries</spanx> or <spanx style="verb">maxDeliveryTime</spanx> 
     is exceeded. If a SET is discarded, the Event Transmitter MAY set <spanx style="verb">subStatus</spanx>
     to <spanx style="verb">failed</spanx>.</c>
     
     <c>verify</c><c>If the SET is not a
     Verify SET, the SET MAY be retained for a retry at the Event Transmitter's discretion. 
     If a Verify SET fails to deliver, the Event Transmitter SHALL set <spanx style="verb">subStatus</spanx>
     to <spanx style="verb">failed</spanx>. The Event Transmitter MAY opt to make
     multiple attempts to complete a verification during which status remains as 
     <spanx style="verb">verify</spanx>.</c>
     
     <c>paused</c><c>The SET is held for delivery in a queue. The Event Transmitter MAY
     at its own discretion set the Event Stream state to <spanx style="verb">failed</spanx>
     if <spanx style="verb">subStatus</spanx> is not returned to <spanx style="verb">on</spanx>
     in what the Event Transmitter determines to be a reasonable amount of time.</c>
     
     <c>off</c><c>The SET is ignored.</c>
     
     <c>fail</c><c>The SET is ignored due to a previous unrecoverable error. </c>
     
     </texttable>
     </section>
     <section anchor="httpPost" title="HTTP POST Delivery">
        
       <t>This method allows a feed provider to use HTTP POST 
       (<xref target="RFC7231">Section 4.3.3</xref>) to deliver
       SETs to the registered web callback URI identified in the Event
       Stream configuration. The Event Stream 
       <spanx style="verb">methodUri</spanx> value for this method 
       is <spanx style="verb">urn:ietf:params:set:method:HTTP:webCallback</spanx>.</t>
            
       <t>The SET to be delivered MAY be signed 
       and/or encrypted as defined in <xref target="I-D.ietf-secevent-token" />.</t>
           
       <t>The Event Stream's <spanx style="verb">deliveryUri</spanx> 
       attribute indicates the location of a Event Receiver provided 
       endpoint which accepts HTTP POST requests (e.g. 
       <spanx style="verb">https://notify.examplerp.com/Events</spanx>).</t>
 
       <t>The content-type for the HTTP POST is 
       <spanx style="verb">application/jwt</spanx> and SHALL consists of 
       a single SET token (see <xref target="I-D.ietf-secevent-token" />).</t>
       
       <figure anchor="messageSet" title="Encoded SET To Be Transmitted">
              <artwork>
  eyJhbGciOiJub25lIn0
  .
  eyJwdWJsaXNoZXJVcmkiOiJodHRwczovL3NjaW0uZXhhbXBsZS5jb20iLCJmZWV
  kVXJpcyI6WyJodHRwczovL2podWIuZXhhbXBsZS5jb20vRmVlZHMvOThkNTI0Nj
  FmYTViYmM4Nzk1OTNiNzc1NCIsImh0dHBzOi8vamh1Yi5leGFtcGxlLmNvbS9GZ
  WVkcy81ZDc2MDQ1MTZiMWQwODY0MWQ3Njc2ZWU3Il0sInJlc291cmNlVXJpcyI6
  WyJodHRwczovL3NjaW0uZXhhbXBsZS5jb20vVXNlcnMvNDRmNjE0MmRmOTZiZDZ
  hYjYxZTc1MjFkOSJdLCJldmVudFR5cGVzIjpbIkNSRUFURSJdLCJhdHRyaWJ1dG
  VzIjpbImlkIiwibmFtZSIsInVzZXJOYW1lIiwicGFzc3dvcmQiLCJlbWFpbHMiX
  SwidmFsdWVzIjp7ImVtYWlscyI6W3sidHlwZSI6IndvcmsiLCJ2YWx1ZSI6Impk
  b2VAZXhhbXBsZS5jb20ifV0sInBhc3N3b3JkIjoibm90NHUybm8iLCJ1c2VyTmF
  tZSI6Impkb2UiLCJpZCI6IjQ0ZjYxNDJkZjk2YmQ2YWI2MWU3NTIxZDkiLCJuYW
  1lIjp7ImdpdmVuTmFtZSI6IkpvaG4iLCJmYW1pbHlOYW1lIjoiRG9lIn19fQ
  .
</artwork>
       </figure>
            
       <t>To deliver an event, the Event Transmitter generates an event delivery message
       and uses HTTP POST to the EventStream configured endpoint. The content-type of the
       message is <spanx style="verb">application/jwt</spanx> and the expected
       response type (accept) is <spanx style="verb">application/json</spanx>.</t>
      
       <figure align="left" anchor="postSet" title="Example Web Callback POST Request">
         <artwork align="left">POST /Events  HTTP/1.1

Host: notify.examplerp.com
Accept: application/json
Content-Type: application/jwt
"eyJhbGciOiJub25lIn0
.
eyJwdWJsaXNoZXJVcmkiOiJodHRwczovL3NjaW0uZXhhbXBsZS5jb20iLCJmZWV
kVXJpcyI6WyJodHRwczovL2podWIuZXhhbXBsZS5jb20vRmVlZHMvOThkNTI0Nj
FmYTViYmM4Nzk1OTNiNzc1NCIsImh0dHBzOi8vamh1Yi5leGFtcGxlLmNvbS9GZ
WVkcy81ZDc2MDQ1MTZiMWQwODY0MWQ3Njc2ZWU3Il0sInJlc291cmNlVXJpcyI6
WyJodHRwczovL3NjaW0uZXhhbXBsZS5jb20vVXNlcnMvNDRmNjE0MmRmOTZiZDZ
hYjYxZTc1MjFkOSJdLCJldmVudFR5cGVzIjpbIkNSRUFURSJdLCJhdHRyaWJ1dG
VzIjpbImlkIiwibmFtZSIsInVzZXJOYW1lIiwicGFzc3dvcmQiLCJlbWFpbHMiX
SwidmFsdWVzIjp7ImVtYWlscyI6W3sidHlwZSI6IndvcmsiLCJ2YWx1ZSI6Impk
b2VAZXhhbXBsZS5jb20ifV0sInBhc3N3b3JkIjoibm90NHUybm8iLCJ1c2VyTmF
tZSI6Impkb2UiLCJpZCI6IjQ0ZjYxNDJkZjk2YmQ2YWI2MWU3NTIxZDkiLCJuYW
1lIjp7ImdpdmVuTmFtZSI6IkpvaG4iLCJmYW1pbHlOYW1lIjoiRG9lIn19fQ
.</artwork>
        </figure>
            
        <t>Upon receipt of the request, the Event Receiver SHALL validate the 
        JWT structure of the SET as defined in <xref target="RFC7519">Section 7.2</xref>.
        The Event Receiver SHALL also validate the SET information as described
        in <xref target="I-D.ietf-secevent-token">Section 2</xref>.</t>
        <t>If the SET is determined to be valid, the Event Receiver SHALL
        indicate successful submission by responding with HTTP Status
        202 as <spanx style="verb">Accepted</spanx> (see <xref target="RFC7231">Section 6.3.3</xref>).</t>
            
        <t>If SET or JWT is invalid, or there is an HTTP error, the Event Receiver
        SHALL respond with the appropriate HTTP error or an HTTP Status
        400 Bad Request error as follows:</t>
        <texttable anchor="reqErrors" title="HTTP Status 400 Errors">
          <ttcol>Err Value</ttcol><ttcol>Description</ttcol>
          <c>jwtParse</c><c>Invalid or unparsable JWT or JSON structure.</c>
          <c>jwtHdr</c><c>In invalid JWT header was detected.</c>
          <c>jwtCrypto</c><c>Unable to parse due to unsupported algorithm.</c>
          <c>jws</c><c>Signature was not validated.</c>
          <c>jwe</c><c>Unable to decrypt JWE encoded data.</c>
          <c>jwtAud</c><c>Invalid audience value.</c>
          <c>jwtIss</c><c>Issuer not recognized.</c>
          <c>setType</c><c>An unexpected event type was received.</c>
          <c>setParse</c><c>Invalid structure was encountered such as inability
          to parse SET event payload.</c>
          <c>setData</c><c>SET event claims incomplete or invalid.</c>
          <c>dup</c><c>A duplicate SET was received and has been ignored.</c>
        </texttable>
            
        <figure anchor="goodPostResponse" title="Example Successful Delivery Response">
        <preamble>The following is a non-normative example of a successful
        receipt of a SET.</preamble>
          <artwork>HTTP/1.1 202 Accepted</artwork>
        </figure> 
            
        <t>An HTTP Status 400 Bad Request response includes a JSON
        object which provides details about the error. The JSON object
        includes the JSON attributes: <list style="hanging">
          <t hangText="err"><vspace />A value which is a keyword that 
          describes the error (see <xref target="reqErrors" />).</t>
          <t hangText="description"><vspace />A human-readable text that provides
          additional diagnostic information.</t>
        </list> </t>
        <figure anchor="badPostResponse" title="Example Bad Request Response">
        <preamble>The following is an example non-normative Bad
        Request error.</preamble>
        <artwork>HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "err":"dup",
  "description":"SET already received. Ignored."

}</artwork>
        </figure>
       
     </section>
       
     <section anchor="verifyStream" title="Event Stream Verification">
  
        <t>To confirm an Event Stream configuration, the Event
        Transmitter SHALL send a
        verification SET to the Event Receiver using the registered 
        <spanx style="verb">methodUri</spanx> mechanism which in this case
        is <spanx style="verb">urn:ietf:params:set:method:HTTP:webCallback</spanx>. 
        </t>
        
        <t>The Verify SET contains the following attributes:<list style="hanging">
          <t hangText="events">Set with a value of 
          <spanx style="verb">[[this RFC URL]]#verify</spanx>.</t>

          <t hangText="iss">Set to the URI defined in the Event Stream
          metadata (see <xref target="subscribeMetadata"/>).</t>

          <t hangText="aud">MUST be set to a value that matches the
          EventStream <spanx style="verb">aud</spanx> value (see 
          <xref target="subscribeMetadata"/>).</t>

          <t hangText="exp">A value that indicates the
          time the verification request will expire. Once expired, the
          server will set the Event Stream state to <spanx style="verb">fail</spanx>.</t>
          
        </list>
        </t>
        
        <t>
        If the Event Stream <spanx style="verb">confidentialJWK</spanx>
        value was supplied, then the SET SHOULD be encrypted with 
        the provided key. Successful parsing of the
        message confirms that provides confirmation of correct 
        configuration and possession of keys.</t>
          
        <t>A payload attribute <spanx style="verb">confirmChallenge</spanx>
        is provided with a JSON String value that the Event Receiver SHALL echo 
        back in its response. The intent is to confirm that the Event Receiver 
        has successfully parsed the SET and is not just echoing back 
        HTTP success.</t>

        <figure anchor="verifyPostEvent" title="Example Verification SET with Challenge">
        <preamble>A non-normative JSON representation of an event to be
        sent to a Event Receiver as a Event Stream confirmation. Note the
        event is not yet encoded as a JWT token:</preamble>
<artwork>{  
  "jti": "4d3559ec67504aaba65d40b0363faad8",
  "events":["[[this RFC URL]]#verify"],
  "iat": 1458496404,
  "iss": "https://scim.example.com",  
  "exp": 1458497000,
  "aud":[
   "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754",
   "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7"
  ], 
  "[[this RFC URL]]#verify":{
    "confirmChallenge":"ca2179f4-8936-479a-a76d-5486e2baacd7"
  }  
}</artwork>
        </figure>
        
        <t>The above SET is encoded as a JWT and transmitted to the 
        Event Receiver as shown in <xref target="postSet" />.</t>

        <t>Upon receiving a verify SET, the Event Receiver SHALL 
        respond with a JSON object that includes a 
        <spanx style="verb">challengeResponse</spanx> attribute and 
        the value that was provided in <spanx style="verb">confirmChallenge</spanx>.
        The content type header is set to <spanx style="verb">application/json</spanx>.</t>
        
        <figure anchor="verifyPostResponse" title="Example Response to Verify SET with Challenge">
          <preamble>
The following is a non-normative example response to a Verify SET 
received via HTTP/1.1 POST and includes a JSON object containing the 
confirmation attribute and value.</preamble>
<artwork>HTTP/1.1 200 OK
Content-Type: application/json

{  
  "challengeResponse":"ca2179f4-8936-479a-a76d-5486e2baacd7"
}</artwork>
        </figure>

        <t>
        If the Event Receiver returns a non-matching value or an HTTP status
        other than a 200 series response,  the Event Stream 
        <spanx style="verb">state</spanx> SHALL be set to <spanx style="verb">fail</spanx>.
        A declining Event Receiver MAY simply respond with any 400 series HTTP
        error (e.g. 404).</t>
          
     </section>
   </section>
			
   <section anchor="streamManagement" title="Control Plane - Management and Provisioning">
      <t>This section describes how SCIM <xref target="RFC7644" />
      and <xref target="RFC7643" /> MAY be used to add
      create, read, update, delete capability to the Control Plane to enable
      provisioning and operational management of Event Streams. In addition
      to provisioning of Event Streams, it can also be used by Event
      Receivers to change or reset the operational state of Event Streams
      such as pausing, stopping, or re-enabling after a failure. </t>
      
      <t>SCIM is a protocol used by many security systems 
      for provisioning and co-ordinating identities and other security
      subjects in cross-domain scenarios. SCIM is a RESTful profile of
      HTTP that is intended to be implemented by applications that need 
      provisioning and management of security subjects and is ideal to 
      the task of provisioning related security event signal
      systems. Examples of provisioning endpoints (SCIM service providers) 
      include both Identity Providers and Relying Party applications (e.g. business and 
      consumer web applications) as well as security and authorization 
      infrastructure components.</t>
      
      <t>[[Editors Note:  At the time of writing, some groups feel a CRUD API is not required and 
      participants would prefer to manage streams using an out-of-band workflow approach.]]</t>
          
      <section title="Event Stream Resource Type Definition">
      
        <t>To extend SCIM to support Event Streams, requires defining
        an <spanx style="verb">EventStream</spanx> SCIM resource type, 
        and implementing the corresponding RESTful HTTP operations to create, 
        update, retrieve EventStream Resources. For SCIM service provider capability 
        and schema discovery (see <xref target="RFC7644">Sections 3 and 4</xref>).</t>   
        
        <t>The <spanx style="verb">EventStream</spanx> resource type definition 
        is defined as follows:
<figure anchor="subscriptionType" title="SCIM EventStream Resource Type Definition">
<artwork>{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
  "id": "EventStream",
  "name": "EventStream",
  "endpoint": "/EventStreams",
  "description": "Endpoint and event configuration and status for SEC EVENT streams.",
  "schema": "urn:ietf:params:scim:schemas:event:2.0:EventStream",
  "schemaExtensions": []
}</artwork>
<postamble>The resource type above is discoverable in the 
<spanx style="verb">/ResourceTypes</spanx> and informs SCIM clients about
the endpoint location of EventStream resources and the SCIM schema used
to define the resource.  The corresponding schema for the EventStream
resource MAY be retrieved from the SCIM <spanx style="verb">/Schemas</spanx> 
endpoint (see <xref target="RFC7644">Section 3.2</xref>).</postamble>
        </figure>
        </t>
        <t>To retrieve information about one or more Event Streams, 
        authorized clients MAY query the 
        <spanx style="verb">/EventStreams</spanx> endpoint 
        as defined in <xref target="RFC7644">Section 3.4</xref>.</t>
        
<figure anchor="subscriptionGetRequest" title="Example SCIM EventStream HTTP GET Request">
            <preamble>The example below retrieves a specific <spanx style="verb">EventStream</spanx> resource whose 
            <spanx style="verb">id</spanx> is <spanx style="verb">548b7c3f77c8bab33a4fef40</spanx>.</preamble>
            <artwork>GET /EventStreams/767aad7853d240debc8e3c962051c1c0
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8</artwork>
</figure>

<figure anchor="subscriptionResponse" title="Example EventStream HTTP GET Response">
            <preamble>The response below shows an example Feed resource
            that describes an available feed.</preamble>
            <artwork>HTTP/1.1 200 OK
Content-Type: application/json
Location: 
 https://example.com/v2/EventStreams/767aad7853d240debc8e3c962051c1c0

{
  "schemas":["urn:ietf:params:scim:schemas:event:2.0:EventStream"],
  "id":"767aad7853d240debc8e3c962051c1c0",
  "feedName":"OIDCLogoutFeed",
  "feedUri":
    "https://example.com/v2/Feeds/88bc00de776d49d5b535ede882d98f74",
  "methodUri":"urn:ietf:params:set:method:HTTP:webCallback",
  "deliveryUri":"https://notify.examplerp.com/Events",
  "aud":"https://sets.myexamplerp.com",
  "subStatus":"verify",
  "maxDeliveryTime":3600,
  "minDeliveryInterval":0,
  "description":"Logout events from oidc.example.com",
  "meta":{
     ... SCIM meta attributes ...
  }
}</artwork>
</figure>
            
        <t>In the above example (<xref target="subscriptionResponse" />)
        the EventStream is for the the Feed  
        <spanx style="verb">https://example.com/v2/Feeds/88bc00de776d49d5b535ede882d98f74</spanx>.
        The current Event Stream state is <spanx style="verb">verify</spanx>
        which suggest the Event Stream Verification (see <xref target="verifyStream" />) process has not yet 
        completed. Since there is no value for <spanx style="verb">feedJwk</spanx>, )
        or <spanx style="verb">confidentialJwk</spanx>, SETs will be
        sent without signing or encryption (plain text).</t>          
      </section>
      
      <section anchor="createSub" title="Creating A New Event Stream">
        <t>To subscribe to a feed, the Event Receiver first obtains 
        an authorization credential authorizing to to make the request
        (this process is out of scope of the specification but is often
        completed through OAuth). Upon obtaining authorization, the 
        Event Receiver organization uses the SCIM Create operation
        (HTTP POST) as defined in <xref target="RFC7644">Section 3.3</xref>.
        Event Transmitter's Control Plane service MAY have additional 
        schema requirements for Event Stream creation which MAY be 
        discovered using SCIM service configuration and schema discovery, 
        see <xref target="RFC7644">Section 4</xref>.
        </t>
        <figure anchor="createSubscription" title="Example Create Event Stream Request">
        <preamble>In the following non-normative example, a new EventStream
        is created. Note that the Event Transmitter's control-plane automatically
        assigns the <spanx style="verb">id</spanx> attribute.</preamble>
 <artwork>POST /EventStreams
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8

{
  "schemas":["urn:ietf:params:scim:schemas:event:2.0:EventStream"],
  "feedName":"OIDCLogoutFeed",
  "feedUri":
    "https://example.com/v2/Feeds/88bc00de776d49d5b535ede882d98f74",
  "methodUri":"urn:ietf:params:set:method:HTTP:webCallback",
  "deliveryUri":"https://notify.examplerp.com/Events",
  "aud":"https://sets.myexamplerp.com",
  "maxDeliveryTime":3600,
  "minDeliveryInterval":0,
  "description":"Logout events from oidc.example.com"
}</artwork>

        </figure>
        <figure anchor="createSubscriptionResponse" title="Example Response to Create EventStream Request">
        <preamble>In following non-normative response, the Event service provider
        has automatically assigned a resource location as well as an
        <spanx style="verb">id</spanx>. Usually upon creation, the
        initial value of <spanx style="verb">subStatus</spanx> is 
        <spanx style="verb">pending</spanx> indicating that the 
        Stream Verification process (see <xref target="verifyStream" />) 
        has not been completed.</preamble>
<artwork>HTTP/1.1 201 Created
Content-Type: application/scim+json
Location: 
 https://example.com/v2/EventStreams/767aad7853d240debc8e3c962051c1c0

{
  "schemas":["urn:ietf:params:scim:schemas:event:2.0:EventStream"],
  "id":"767aad7853d240debc8e3c962051c1c0",
  "feedName":"OIDCLogoutFeed",
  "feedUri":
    "https://example.com/v2/Feeds/88bc00de776d49d5b535ede882d98f74",
  "methodUri":"urn:ietf:params:set:method:HTTP:webCallback",
  "deliveryUri":"https://notify.examplerp.com/Events",
  "aud":"https://sets.myexamplerp.com",
  "subStatus":"verify",
  "maxDeliveryTime":3600,
  "minDeliveryInterval":0,
  "description":"Logout events from oidc.example.com",
  "meta":{
     ... SCIM meta attributes ...
  }
}</artwork>
        </figure>
      </section>
      
      <section anchor="patchSub" title="Updating An Event Stream">
        <t>Periodically, Event Receivers MAY have need to update an
        Event Stream configuration for the purpose of:<list style="symbols">
        <t>Rotating access credentials or keys</t>
        <t>Updating endpoint configuration</t>
        <t>Making operational changes such as pausing, resetting, or 
        disabling an Event Stream.</t>
        <t>Other operations (e.g. such as adding or removing subjects)
        as defined by profiling Event specifications.</t></list></t>
        <t>To modify an EventStream, an Event Receiver or authorized management
        client MAY use the HTTP PUT operation (see <xref target="RFC7644">Section 3.5.1</xref>) 
        or MAY use the HTTP PATCH operation (see <xref target="RFC7644">Section 3.5.2</xref>) 
        if supported by the Event Transmitter's control plane service. 
        Note that HTTP PATCH enables more specific changes. This is particularly 
        useful when updating multi-valued attributes that may contain 
        large numbers of values. An example of this would be an EventStream
        that uses a <spanx style="verb">members</spanx> attribute to define the 
        subjects of the Event Stream.</t>
        
        <figure anchor="subscriptionPatch" title="Example EventStream PATCH Request">
        <preamble>In the following non-normative example, the client
        is requesting that <spanx style="verb">subStatus</spanx> be 
        changed to <spanx style="verb">paused</spanx> for the EventStream
        whose path is identified by the request URI path.</preamble>
<artwork>PATCH /EventStreams/767aad7853d240debc8e3c962051c1c0
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8

{
  "schemas":
    ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op":"replace",
    "path":"subStatus",
    "value":"paused"
  }]
}

</artwork>
<postamble>Upon receiving the request, the Event Transmitter would stop
sending Events to the Receiver. Note that while the request MAY seem complex
it avoids the need for the requestor to have all of the current EventStream
values in order to make a PUT request. In other words, an HTTP PATCH can
be typically done in a single request response whereas an HTTP POST usually
is preceded by an HTTP GET.</postamble>
            </figure>
      </section>      
    </section><section anchor="Security" title="Security Considerations" toc="default">

      <t>[TO BE COMPLETED]</t>
   </section>

    <section anchor="IANA" title="IANA Considerations">
      
      <section title="SCIM Schema Registration">
        <t>As per the "SCIM Schema URIs for Data Resources" registry established
        by <xref target="RFC7643">Section 10.3</xref>, the following defines and registers
        the following SCIM URIs and Resource Types for Feeds and Event Streams.</t>
        <texttable>
        <ttcol>Schema URI</ttcol><ttcol>Name</ttcol><ttcol>ResourceType</ttcol><ttcol>Reference</ttcol>
        
        <c>urn:ietf:params:scim: schemas:event:2.0: EventStream</c>
        <c>SET Event Stream</c>
        <c>EventStream</c>
        <c><xref target="subscribeMetadata"/></c>
        
        </texttable>
      
      </section>

  
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml' ?>
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.3986.xml' ?>
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.5988.xml' ?>
      
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7231.xml' ?><!-- HTTP Semantics -->
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7519.xml' ?><!-- JWT -->

      <?rfc include='http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-secevent-token-00.xml'?>

    </references>

    <references title="Informative References">
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7515.xml' ?><!-- JWS -->
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7516.xml' ?><!-- JWE -->
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7517.xml' ?><!-- JWK -->
      
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7644.xml' ?><!-- SCIM API -->
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.7643.xml' ?><!-- SCIM Schema -->

      <reference anchor="openid-connect-core">
        <front>
          <title>OpenID Connect Core 1.0</title>
          <author fullname="Nat Sakimura et al"><organization>NRI</organization></author>
          <date day="8" month="Nov" year="2014"/>
        </front>
        <format type="HTML" target="http://openid.net/specs/openid-connect-core-1_0.html"/>
      </reference>
      <reference anchor="saml-core-2.0">
        <front>
          <title>Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0</title>
          <author fullname="Scott Cantor et al"><organization>Internet2</organization></author>
          <date day="15" month="March" year="2005"/>
        </front>
        <format type="PDF" target="http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf"/>
      </reference>
      <reference anchor="idevent-scim">
        <front>
          <title>SCIM Event Extensions (work in progress)</title>
          <author fullname="Phil Hunt"><organization>Oracle Corporation</organization></author>
          <date/>
        </front>  
        <format type="TXT" target="draft-hunt-idevent-scim-00.txt"/>    
      </reference>

     <!-- 
      <reference anchor="Order-Operations">
        <front>
          <title>Order of Operations: Programming Languages</title>

          <author>
            <organization>Wikipedia</organization>
          </author>

          <date/>
        </front>

        <format target="http://en.wikipedia.org/wiki/Order_of_operations#Programming_languages"
                type="HTML"/>
      </reference>
       -->
    </references>

    

    <section title="Acknowledgments">
      <t>The editors would like to thanks the members of the SCIM WG which 
      began discussions of provisioning events starting with: draft-hunt-scim-notify-00 in 2015.</t>
      
      <t>The editor would like to thank the participants in the the SECEVENTS
      working group for their support of this specification.</t>
    </section>

    <section title="Change Log">
      <t>Draft 00 - PH - First Draft based on reduced version of draft-hunt-idevent-distribution</t>
      <t>Draft 01 - PH - <list style="symbols">
        <t>Reworked terminology to match new WG Transmitter/Receiver terms</t>
        <t>Reworked sections into Data Plane vs. Control Plane</t>
        <t>Removed method transmission registry in order to simplify the specification</t>
        <t>Made Create, Update operations optional for Control Plane (Read is MTI)</t>
      </list></t>
      <t>Draft 02 - PH <list style="symbols">
        <t>Added iss metadata for Event Stream</t>
        <t>Changed to using JWKS_uri for issuer and receiver.</t>
      </list></t>
      
    </section>
  </back>
</rfc>