
@Bewinxed Bewinxed commented Dec 31, 2025

What kind of change does this PR introduce?

Feature - adds SCIM v2 provisioning support for enterprise SSO providers

This is a complete, general implementation inspired by the needs of this PR #2115

What is the current behavior?

Currently there's no way for identity providers (Okta, Azure AD, OneLogin, etc.) to automatically provision and deprovision users. Admins have to manually manage user accounts when employees join or leave, which is error-prone and doesn't scale for enterprise customers.

What is the new behavior?

Adds full SCIM v2 (RFC 7644) support, allowing identity providers to:

  • User provisioning: Automatically create users when added to the IdP
  • User updates: Sync profile changes (name, email) from IdP
  • User deprovisioning: Soft-delete users via ban when removed from IdP (preserves data, terminates sessions)
  • Group management: Create/update/delete groups and manage group membership

Endpoints added:

  • GET/POST /scim/v2/Users - list and create users
  • GET/PUT/PATCH/DELETE /scim/v2/Users/{id} - manage individual users
  • GET/POST /scim/v2/Groups - list and create groups
  • GET/PUT/PATCH/DELETE /scim/v2/Groups/{id} - manage individual groups
  • Discovery endpoints: /scim/v2/ServiceProviderConfig, /scim/v2/Schemas, /scim/v2/ResourceTypes

Authentication: Bearer token per SSO provider (stored as bcrypt hash)

Filtering: Full RFC 7644 filter support using the scim2/filter-parser library - supports eq, ne, co, sw, ew, pr, gt, ge, lt, le operators with and/or/not logic.

IdP compatibility: Tested with Azure AD quirks (booleans as strings, case-insensitive displayName uniqueness).

Additional context

I tried my best to make the implementation fit within the current tenant/user model instead of new tables for everything, adding schema changes only when necessary.

Some compliance work might be needed for other nuances with other SCIM providers (I've tested Microsoft Azure).

Deviations from RFC 7643

Some deviations from the RFC for SCIM v2 were made that relate to Supabase Auth:

  • Email is REQUIRED, as required by our auth model.
  • Deprovisioning uses soft-delete via Ban with reason (the RFC leaves this implementation to the implementer).
  • Bulk operations are not supported yet in the initial implementation.

New dependencies

  • github.com/scim2/filter-parser/v2 - RFC 7644 SCIM filter parsing

Schema Changes

  • sso_providers gets 2 new columns: scim_enabled (boolean), scim_bearer_token_hash (text)
  • scim_groups - stores SCIM groups per SSO provider
  • scim_group_members - junction table for group membership
  • Bulk operations not supported in initial release

Next (WIP)

  • Add tests mirroring the test suite of Azure/Okta's SCIM test.
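The two Azure AD quirks the PR calls out (booleans sent as the strings "True"/"False", and displayName uniqueness that is case-insensitive), together with the "email is REQUIRED" and "deprovision = ban" deviations, can be checked in isolation. The following is an added illustration written for this page, not code from the PR or from Supabase Auth; it uses only the Go standard library, the `FlexBool`, `DecideAction` and `GroupDirectory` names are hypothetical, and the SCIM payload is constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// FlexBool unmarshals a JSON boolean that some IdPs (Azure AD) send as the
// strings "True"/"False" instead of the JSON literals true/false.
type FlexBool bool

func (b *FlexBool) UnmarshalJSON(data []byte) error {
	var raw interface{}
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	switch v := raw.(type) {
	case bool:
		*b = FlexBool(v)
	case string:
		// strconv.ParseBool accepts "True", "false", "TRUE", "1", "0", ...
		parsed, err := strconv.ParseBool(strings.TrimSpace(v))
		if err != nil {
			return fmt.Errorf("cannot interpret %q as a boolean", v)
		}
		*b = FlexBool(parsed)
	default:
		return fmt.Errorf("unexpected JSON type %T for boolean attribute", raw)
	}
	return nil
}

// SCIMEmail is the RFC 7643 multi-valued "emails" attribute.
type SCIMEmail struct {
	Value   string `json:"value"`
	Primary bool   `json:"primary,omitempty"`
}

// SCIMUser is the subset of the RFC 7643 User resource this example needs.
type SCIMUser struct {
	Schemas  []string    `json:"schemas"`
	UserName string      `json:"userName"`
	Active   *FlexBool   `json:"active,omitempty"` // nil when the IdP omitted it
	Emails   []SCIMEmail `json:"emails,omitempty"`
}

// ProvisioningAction is what the service provider should do with the account.
type ProvisioningAction string

const (
	ActionUpsert ProvisioningAction = "upsert" // create or update the user
	ActionBan    ProvisioningAction = "ban"    // soft-delete: keep data, end sessions
)

// PrimaryEmail returns the primary email (lower-cased), falling back to the
// first listed address. Empty means the payload cannot map to an account.
func (u SCIMUser) PrimaryEmail() string {
	for _, e := range u.Emails {
		if e.Primary && e.Value != "" {
			return strings.ToLower(e.Value)
		}
	}
	for _, e := range u.Emails {
		if e.Value != "" {
			return strings.ToLower(e.Value)
		}
	}
	return ""
}

// DecideAction parses a SCIM User payload and decides whether to upsert the
// account or ban it (active == false). A missing email is rejected outright.
func DecideAction(payload []byte) (ProvisioningAction, string, error) {
	var u SCIMUser
	if err := json.Unmarshal(payload, &u); err != nil {
		return "", "", err
	}
	email := u.PrimaryEmail()
	if email == "" {
		return "", "", errors.New("SCIM user has no email; an email is required to provision an account")
	}
	if u.Active != nil && !bool(*u.Active) {
		return ActionBan, email, nil
	}
	return ActionUpsert, email, nil
}

// GroupDirectory enforces displayName uniqueness case-insensitively, as Azure
// AD expects; a plain unique index on displayName would let "Engineering" and
// "engineering" coexist and confuse the IdP on the next sync.
type GroupDirectory struct {
	ids map[string]string // normalized displayName -> group id
}

func NewGroupDirectory() *GroupDirectory {
	return &GroupDirectory{ids: make(map[string]string)}
}

func normalizeName(name string) string {
	return strings.ToLower(strings.TrimSpace(name))
}

// Create registers a group, rejecting a displayName that differs only by case.
func (d *GroupDirectory) Create(id, displayName string) error {
	key := normalizeName(displayName)
	if key == "" {
		return errors.New("displayName is required")
	}
	if existing, ok := d.ids[key]; ok {
		return fmt.Errorf("displayName %q already used by group %s (comparison is case-insensitive)", displayName, existing)
	}
	d.ids[key] = id
	return nil
}

// Lookup finds a group by displayName regardless of case.
func (d *GroupDirectory) Lookup(displayName string) (string, bool) {
	id, ok := d.ids[normalizeName(displayName)]
	return id, ok
}

func main() {
	// Constructed payload imitating an Azure AD deprovisioning PUT: "active" is the string "False".
	azureDeprovision := []byte(`{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"jdoe@example.com","active":"False","emails":[{"value":"JDoe@example.com","primary":true}]}`)
	action, email, err := DecideAction(azureDeprovision)
	fmt.Println(action, email, err)

	dir := NewGroupDirectory()
	fmt.Println(dir.Create("g1", "Engineering"))
	fmt.Println(dir.Create("g2", "engineering")) // rejected: same name, different case
}
```

The point of `FlexBool` is that a strict decoder would fail the whole PUT/PATCH on `"active":"False"` and the IdP would retry forever; accepting the string form but still rejecting junk like `"maybe"` keeps the deprovisioning path reliable without silently defaulting a user to active.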
