Skip to content

feat: Add SCIM V2 #2309

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Bewinxed wants to merge 37 commits into
base: master
Choose a base branch
from
Open

feat: Add SCIM V2 #2309

Bewinxed wants to merge 37 commits into from

Conversation

@Bewinxed
Copy link
Collaborator

@Bewinxed Bewinxed commented Dec 31, 2025
edited
Loading

What kind of change does this PR introduce?

Feature - adds SCIM v2 provisioning support for enterprise SSO providers

This is a complete, general implementation inspired by the needs of this PR #2115

What is the current behavior?

Currently there's no way for identity providers (Okta, Azure AD, OneLogin, etc.) to automatically provision and deprovision users. Admins have to manually manage user accounts when employees join or leave, which is error-prone and doesn't scale for enterprise customers.

What is the new behavior?

Adds full SCIM v2 (RFC 7644) support, allowing identity providers to:

  • User provisioning: Automatically create users when added to the IdP
  • User updates: Sync profile changes (name, email) from IdP
  • User deprovisioning: Soft-delete users via ban when removed from IdP (preserves data, terminates sessions)
  • Group management: Create/update/delete groups and manage group membership

Endpoints added:

  • GET/POST /scim/v2/Users - list and create users
  • GET/PUT/PATCH/DELETE /scim/v2/Users/{id} - manage individual users
  • GET/POST /scim/v2/Groups - list and create groups
  • GET/PUT/PATCH/DELETE /scim/v2/Groups/{id} - manage individual groups
  • Discovery endpoints: /scim/v2/ServiceProviderConfig, /scim/v2/Schemas, /scim/v2/ResourceTypes

Authentication: Bearer token per SSO provider (stored as bcrypt hash)

Filtering: Full RFC 7644 filter support using the scim2/filter-parser library - supports eq, ne, co, sw, ew, pr, gt, ge, lt, le operators with and/or/not logic.

IdP compatibility: Tested with Azure AD quirks (booleans as strings, case-insensitive displayName uniqueness).

Additional context

I tried my best to make the implementation fit within the current tenant/user model instead of new tables for everything, adding schema changes only when necessary.

Some compliance work might be needed for other nuances with other SCIM providers (I've tested Microsoft Azure).

Deviations from RFC 7643

Some deviations from the RFC for SCIM v2 were done that relates to Supabase Auth:

  • Email is REQUIRED, as required by our auth model.
  • Deprovisioning uses soft-delete via Ban with reason (the RFC leaves this implementation to the imlementer).
  • Bulk operations not supported, yet in the initial implementation.

New dependencies

  • github.com/scim2/filter-parser/v2 - RFC 7644 SCIM filter parsing

Schema Changes

  • sso_providers gets 2 new columns: scim_enabled (boolean), scim_bearer_token_hash (text)
  • scim_groups - stores SCIM groups per SSO provider
  • scim_group_members - junction table for group membership
  • Bulk operations not supported in initial release

Testing

All tests were based on the assumptions that the Azure Validation Tool expects, currently all passing.

@Bewinxed Bewinxed force-pushed the bewinxed/add-scim-v2 branch from 158c1ad to f514de5 Compare January 19, 2026 10:08
Bewinxed added 29 commits January 19, 2026 10:11
@Bewinxed
feat: add scim to sso providers, banner reason to users, and add scim…
c75d5e0 
…_groups
@Bewinxed
feat: add SCIM fields and methods to models
2c30594
@Bewinxed
feat: add scim error codes
839b846
@Bewinxed
fix: add findUserByProvider to user model
46334c3
@Bewinxed
chore: update Ban() calls in admin.go
7bbfa38
@Bewinxed
feat: Add SCIM v2 endpoints
819094b
@Bewinxed
feat: register SCIM endpoints
fc384f0
@Bewinxed
fix: reuse existing helpers for user creation, add audit logging
74b05d9
@Bewinxed
feat: Add Admin SCIM management endpoints
914f33c
@Bewinxed
chore: make SCIM Token prefixed
3000648
@Bewinxed
fix: several bugfixes, add db-pagination
2796206
@Bewinxed
fix: restore is_super_admin to the User model
ff88aab
@Bewinxed
fix: RFC 7644 compliance
e90bed2
@Bewinxed
chore: extract scim_parser out, minimal impl
4b83019
@Bewinxed
chore: extract scim types out
e692f7a
@Bewinxed
chore: add scim2/filter-parser as SCIM query parser
5cd4efe
@Bewinxed
chore: add SCIM errors
a1b1420
@Bewinxed
feat: add SCIM filter support to user and group queries
20fa976 
- Add FindUsersByProviderWithFilter for SCIM user listing
- Add FindSCIMGroupsBySSOProviderWithFilter for group listing
- Make external_id nullable, add case-insensitive displayName index
- Validate user belongs to SSO provider before adding to group
@Bewinxed
chore: refactor SCIM to use extracted types/helpers.
be9fade
@Bewinxed
feat: add scim2/filter-parser dependency
a29b7d8
@Bewinxed
feat: add scim filters with RFC 7644 support
b8789db
@Bewinxed
fix: group schema migration fix
6dc1b69
@Bewinxed
chore: rename scim parser to scim helper after dep was added
d13d40a
@Bewinxed
chore: extract UserNotInSSOProviderError as typed error
4e4e139 
Replace string-based error comparison with proper typed error pattern
following existing codebase conventions in models/errors.go.
@Bewinxed
chore(scim): remove unused group query functions
ae6fc63 
Remove CountSCIMGroupsBySSOProvider and FindSCIMGroupsBySSOProvider
which were superseded by FindSCIMGroupsBySSOProviderWithFilter.
@Bewinxed
chore: consolidate userBelongsToProvider implementations
f3bdc2e 
Export UserBelongsToSSOProvider from models package and use it as
single source of truth. API layer retains thin wrapper for convenience.
@Bewinxed
chore: consolidate filter clause types
c30a9f6 
Remove duplicate SCIMFilterResult type from api package in favor of
models.SCIMFilterClause. Remove now-unnecessary toModelFilterClause
conversion function.
@Bewinxed
fix(scim): remove duplicate types and fix error handling consistency
15f1303 
- Remove duplicate SCIMErrorResponse and NewSCIMError from scim_types.go
  (use apierrors.SCIMHTTPError instead)
- Remove duplicate SCIMSchemaError constant (already defined in apierrors)
- Fix error wrapping in applySCIMUserPatch for Ban/Logout operations
- Fix error wrapping in scimDeleteUser for Logout operation
- Wrap validateEmail error in SCIM format in scimCreateUser
@Bewinxed
chore: add scim test infrastructure
f9aef46
@Bewinxed Bewinxed force-pushed the bewinxed/add-scim-v2 branch from f514de5 to 7a60f1b Compare January 19, 2026 10:13
@Bewinxed Bewinxed marked this pull request as ready for review January 19, 2026 10:15
@Bewinxed Bewinxed requested a review from a team as a code owner January 19, 2026 10:15
@Bewinxed Bewinxed force-pushed the bewinxed/add-scim-v2 branch from 72e8e4d to 8450879 Compare January 19, 2026 10:18
@coveralls
Copy link

coveralls commented Jan 19, 2026
edited
Loading

Pull Request Test Coverage Report for Build 21133681412

Details

  • 986 of 1726 (57.13%) changed or added relevant lines in 15 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.8%) to 68.013%
Changes Missing Coverage Covered Lines Changed/Added Lines %
internal/api/errors.go 4 6 66.67%
internal/api/scim_helpers.go 111 115 96.52%
internal/api/scim_types.go 16 22 72.73%
internal/models/errors.go 2 8 25.0%
internal/models/sso.go 23 36 63.89%
internal/api/apierrors/apierrors.go 27 45 60.0%
internal/models/scim_group.go 85 125 68.0%
internal/models/user.go 35 75 46.67%
internal/api/ssoadmin.go 0 72 0.0%
internal/api/scim_filter.go 28 148 18.92%
Totals Coverage Status
Change from base Build 21130794887: -0.8%
Covered Lines: 15811
Relevant Lines: 23247
💛 - Coveralls

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Bewinxed @coveralls