SCIM Support
Canaille should implement SCIM endpoints to allow user and group management through a standard API. The task can be split into two subtasks:
- [ ] Server side. Consists of implementing the basic SCIM endpoints, allowing any SCIM client to create/read/edit/delete users and groups in Canaille. The server side should be based on the [scim2-models](https://scim2-models.readthedocs.io) library. We can use [scim2-cli](https://scim2-cli.readthedocs.io) to help with the development. We can take inspiration from [scim2-server](https://scim2-server.readthedocs.io).
- [ ] Client side. Consists of forwarding modifications to users and groups to different SCIM servers. Events on users and groups should be listened to with #184, then delegated to a task queue like [arq](https://github.com/python-arq/arq) or Celery, and finally sent across the network with [scim2-client](https://scim2-cli.readthedocs.io).
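As an added example of the client-side flow (not Canaille's code, and not scim2-client's API), the sketch below turns a local user event into a job and has a worker replay it against every configured SCIM server. The task queue (arq/Celery) is replaced by a plain list, the network and scim2-client by an injected `send` callable backed by a constructed in-memory fake, and the local user record shape (`id`, `user_name`, `display_name`, `emails`, `active`) is an assumption. The points it demonstrates are the ones a propagation layer has to get right: the remote server assigns its own ids, so the worker keeps a local-id to remote-id mapping and sends `externalId` for correlation; an update whose remote record has disappeared re-provisions instead of failing forever; and the password never enters the job payload.

```python
# Added example, not Canaille's code: outbound propagation of user events to SCIM servers.
# Queue = plain list, transport = injected send(method, url, body) -> (status, body).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


class ScimTarget:
    """One remote SCIM server plus the local-id -> remote-id mapping learned from its answers."""
    def __init__(self, base_url, send):
        self.base_url, self.send, self.remote_ids = base_url, send, {}


def to_scim_user(local):
    """Map a local user record (constructed shape) to a SCIM User payload.
    externalId carries our id so the remote can correlate even if our mapping is lost."""
    return {"schemas": [USER_SCHEMA], "externalId": local["id"], "userName": local["user_name"],
            "displayName": local.get("display_name", ""), "active": local.get("active", True),
            "emails": [{"value": e, "primary": i == 0}
                       for i, e in enumerate(local.get("emails", []))]}


def enqueue(queue, event, local_user):
    """Signal-handler side: record only what the worker needs; the password never leaves."""
    queue.append({"event": event,
                  "user": {k: v for k, v in local_user.items() if k != "password"}})


def process(job, targets):
    """Worker side: replay one job on every target; returns {base_url: http_status}."""
    user, results = job["user"], {}
    for t in targets:
        rid = t.remote_ids.get(user["id"])
        if job["event"] == "deleted":
            status = 204  # never provisioned there: nothing to do
            if rid:
                status, _ = t.send("DELETE", f"{t.base_url}/Users/{rid}", None)
                if status in (204, 404):  # gone either way: forget the mapping
                    t.remote_ids.pop(user["id"], None)
        elif rid:
            status, body = t.send("PUT", f"{t.base_url}/Users/{rid}", to_scim_user(user))
            if status == 404:  # remote lost the record: re-create instead of failing forever
                t.remote_ids.pop(user["id"], None)
                status, body = t.send("POST", f"{t.base_url}/Users", to_scim_user(user))
                if status == 201:
                    t.remote_ids[user["id"]] = body["id"]
        else:
            status, body = t.send("POST", f"{t.base_url}/Users", to_scim_user(user))
            if status == 201:
                t.remote_ids[user["id"]] = body["id"]
        results[t.base_url] = status
    return results


def make_fake_send():
    """Constructed stand-in for scim2-client + a remote server: an in-memory /Users store."""
    store, counter = {}, [0]

    def send(method, url, body):
        path = url.split("/Users", 1)[1]  # "" for the collection, "/<id>" for one resource
        if method == "POST":
            counter[0] += 1
            rid = f"remote-{counter[0]}"
            store[rid] = {**body, "id": rid}
            return 201, store[rid]
        rid = path.lstrip("/")
        if rid not in store:
            return 404, None
        if method == "PUT":
            store[rid] = {**body, "id": rid}
            return 200, store[rid]
        if method == "DELETE":
            del store[rid]
            return 204, None
        return 405, None

    send.store = store  # exposed so callers can inspect the fake remote state
    return send


if __name__ == "__main__":
    targets = [ScimTarget("https://a.example/scim/v2", make_fake_send())]
    queue = []
    enqueue(queue, "created", {"id": "u1", "user_name": "alice", "password": "s3cret"})
    print(process(queue.pop(0), targets), targets[0].remote_ids)
```

With a real queue, `enqueue` is what the #184 signal handler calls and `process` is the worker task body; per-target status codes are returned rather than raised so that a failure on one server can be retried without replaying the others.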
# Miscellaneous
- Currently the LDAP backend relies on `inetOrgPerson`, which does not cover all the fields available in SCIM. Maybe we should think of a schema extending `inetOrgPerson` so it covers all the SCIM fields.
- There is a [password management SCIM draft](https://datatracker.ietf.org/doc/html/draft-hunt-scim-password-mgmt-00), so LDAP ppolicy features can be matched.
- There is an [OIDC SCIM profile draft](https://openid.net/specs/openid-connect-scim-profile-1_0.html).
- The SCIM client side will need #184 to be implemented first, so user and group events can be broadcast based on signal events.
# Useful links
- [scim2-models](https://scim2-models.readthedocs.io)
- [scim2-client](https://scim2-cli.readthedocs.io)
- [scim2-cli](https://scim2-cli.readthedocs.io)
- [scim2-server](https://scim2-server.readthedocs.io)
- [scim2-tester](https://scim2-tester.readthedocs.io)
- [RFC7642 - Definitions, Overview, Concepts, and Requirements](https://www.rfc-editor.org/rfc/rfc7642)
- [RFC7643 - Core Schema](https://www.rfc-editor.org/rfc/rfc7643)
- [RFC7644 - Protocol](https://www.rfc-editor.org/rfc/rfc7644)
- [IETF WG documents](https://datatracker.ietf.org/wg/scim/documents/)
# Server endpoints
Endpoints to implement:
- `/Users`: GET/POST/PUT/PATCH/DELETE
- `/Groups`: GET/POST/PUT/PATCH/DELETE
- `/Me`: GET/POST/PUT/PATCH/DELETE
- `/ServiceProviderConfig`: GET
- `/ResourceTypes`: GET
- `/Schemas`: GET
- `/Bulk`: POST
- `[prefix]/.search`: POST
For a start, we can simply implement:
- `/Users`: GET/POST/PUT/DELETE
- `/Groups`: GET/POST/PUT/DELETE
- `/ServiceProviderConfig`: GET
- `/ResourceTypes`: GET
- `/Schemas`: GET
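As an added example (not Canaille's code, and not built on scim2-models, which would supply the same shapes as typed models), here is a framework-agnostic core for the starting endpoint set: `/ServiceProviderConfig` GET and `/Users` GET/POST/PUT/DELETE, with `/Schemas` and `/ResourceTypes` left out. `handle(method, path, body)` returns `(http_status, json_body)` so any web framework can wrap it; the in-memory `USERS` dict stands in for a real backend. The response shapes follow RFC 7643/7644: `ListResponse` with 1-based `startIndex`, the `Error` body with string `status` and `scimType`, server-owned `id`/`meta`, and `password` treated as a `returned=never` attribute that can be written but is never serialised back, including after a PUT.

```python
# Added example, not Canaille's code: minimal SCIM 2.0 server core for the starting endpoints.
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
SPC_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"

NEVER_RETURNED = {"password"}  # RFC 7643: returned=never, may be written but never read back
SERVER_OWNED = {"id", "meta"}  # readOnly: client-supplied values are ignored
USERS = {}  # id -> stored user dict (constructed in-memory store standing in for a backend)


def scim_error(status, detail, scim_type=None):
    """Error body in the RFC 7644 section 3.12 shape (status is a string there)."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def public(user):
    """Response view of a stored user: strips returned=never attributes."""
    return {k: v for k, v in user.items() if k not in NEVER_RETURNED}


def validate_user(body, exclude_id=None):
    """Schema present, userName present, userName unique (case-insensitive); None if fine."""
    if USER_SCHEMA not in body.get("schemas", []):
        return scim_error(400, "Missing User schema", "invalidValue")
    user_name = body.get("userName")
    if not isinstance(user_name, str) or not user_name:
        return scim_error(400, "userName is required", "invalidValue")
    for uid, u in USERS.items():
        if uid != exclude_id and u["userName"].lower() == user_name.lower():
            return scim_error(409, "userName already taken", "uniqueness")
    return None


def service_provider_config():
    """Advertise only what is implemented, so clients do not attempt PATCH, Bulk or filters."""
    return 200, {"schemas": [SPC_SCHEMA], "patch": {"supported": False},
                 "bulk": {"supported": False, "maxOperations": 0, "maxPayloadSize": 0},
                 "filter": {"supported": False, "maxResults": 200},
                 "changePassword": {"supported": False}, "sort": {"supported": False},
                 "etag": {"supported": False},
                 "authenticationSchemes": [{"type": "oauthbearertoken", "name": "OAuth Bearer Token",
                                            "description": "Bearer token issued by the IdP"}]}


def create_user(body):
    err = validate_user(body)
    if err:
        return err
    user_id, now = str(uuid.uuid4()), datetime.now(timezone.utc).isoformat()
    user = {k: v for k, v in body.items() if k not in SERVER_OWNED}
    user.update(id=user_id, meta={"resourceType": "User", "created": now,
                                  "lastModified": now, "location": f"/Users/{user_id}"})
    USERS[user_id] = user
    return 201, public(user)


def list_users(start_index=1, count=100):
    """ListResponse with 1-based pagination (RFC 7644 section 3.4.2.4)."""
    ordered = list(USERS.values())
    page = ordered[start_index - 1:start_index - 1 + count]
    return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(ordered), "startIndex": start_index,
                 "itemsPerPage": len(page), "Resources": [public(u) for u in page]}


def replace_user(user_id, body):
    """PUT: full replacement; id and meta.created survive, write-only values are kept if omitted."""
    if user_id not in USERS:
        return scim_error(404, f"User {user_id} not found")
    err = validate_user(body, exclude_id=user_id)
    if err:
        return err
    old = USERS[user_id]
    user = {k: v for k, v in body.items() if k not in SERVER_OWNED}
    user.update({k: old[k] for k in NEVER_RETURNED if k in old and k not in user})
    user.update(id=user_id, meta={**old["meta"], "lastModified": datetime.now(timezone.utc).isoformat()})
    USERS[user_id] = user
    return 200, public(user)


def delete_user(user_id):
    if USERS.pop(user_id, None) is None:
        return scim_error(404, f"User {user_id} not found")
    return 204, None


def handle(method, path, body=None):
    """Tiny router: unknown paths 404, unsupported methods 405."""
    parts = path.strip("/").split("/")
    if parts == ["ServiceProviderConfig"] and method == "GET":
        return service_provider_config()
    if parts == ["Users"]:
        if method == "GET":
            return list_users()
        if method == "POST":
            return create_user(body or {})
        return scim_error(405, f"{method} not supported on /Users")
    if len(parts) == 2 and parts[0] == "Users":
        user_id = parts[1]
        if method == "GET":
            return (200, public(USERS[user_id])) if user_id in USERS else scim_error(404, "Not found")
        if method == "PUT":
            return replace_user(user_id, body or {})
        if method == "DELETE":
            return delete_user(user_id)
        return scim_error(405, f"{method} not supported on /Users/{{id}}")
    return scim_error(404, "Unknown endpoint")
```

The `ServiceProviderConfig` answer is the contract clients read before choosing PATCH or PUT, so it must only claim features the server really implements; once `/Groups`, PATCH and `.search` land, those flags change with them.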
# Other implementations
- [Auth0](https://auth0.com/docs/authenticate/protocols/scim) ✅
- Authelia ❌
- [Authentik](https://goauthentik.io/docs/providers/scim/) ✅
- [Authentic2](https://dev.entrouvert.org/issues/70751) ❌
- [CAS](https://apereo.github.io/cas/7.0.x/integration/SCIM-Provisioning.html) ✅
- Connect2id ❌
- [Gluu](https://gluu.org/docs/gluu-server/4.0/api-guide/scim-api/) ✅
- [Hydra](https://github.com/ory/hydra/issues/235) ❌
- Keycloak, via plugins [1](https://scim-for-keycloak.de/) [2](https://lab.libreho.st/libre.sh/scim/keycloak-scim) ✅
- LemonLDAP ❌
- [Okta](https://developer.okta.com/docs/reference/scim/scim-20/) ✅