1. [Define your authentication/authorization logic](#define-your-authenticationauthorization-logic)
1. [Define your authentication/authorization middleware](#define-your-authenticationauthorization-middleware)
1. [Add your authentication/authorization middleware to the SCIM server](#add-your-authenticationauthorization-middleware-to-the-scim-server)
1. [Full example](#full-example)
1. [Acknowledgements](#acknowledgements)
---
## Info
**scim-server-php** is a PHP library which makes it easy to implement [SCIM v2.0](https://datatracker.ietf.org/wg/scim/documents/) server endpoints for various systems.
It is built on the following IETF approved RFCs: [RFC7642](https://datatracker.ietf.org/doc/html/rfc7642), [RFC7643](https://datatracker.ietf.org/doc/html/rfc7643) and [RFC7644](https://datatracker.ietf.org/doc/html/rfc7644)
This is a **work in progress** project. It already works pretty well but some features will be added in the future and some bugs may still be arround 😉
The **scim-server-php** project currently includes the following:
* A [Postfix Admin](https://github.com/postfixadmin/postfixadmin) SCIM API based on **scim-server-php** is available at https://github.com/audriga/postfixadmin-scim-api
* The [Nextcloud SCIM](https://lab.libreho.st/libre.sh/scim/scimserviceprovider) application provides a SCIM API to [NextCloud](https://nextcloud.com/) and uses **scim-server-php** for its SCIM resource models
Note that you can of course use the standard and custom SCIM resources implementations with your own HTTP server if you don't want to use the one provided by **scim-server-php**.
## Prerequisites
* **scim-server-php** requires PHP 7.4
* Dependencies are managed with [composer](https://getcomposer.org/)
* You will now need to send a valid JWT token with all your requests to the mock server
* A JWT token will be considered as valid by the mock server if its secret is identical to the secret set in the `jwt` section of `config/config[.default].php`
* To generate a token, use the script located at `bin/generate_jwt.php`
* Note that this script generates a JWT token including a `user` claim set by the `--user` parameter. You can use any value here in the mock server case.
### Use scim-server-php for your own project
#### SCIM resources
* You can directly reuse the SCIM resources implementation from the `src/Models/SCIM/` folder in any PHP project
* Here are the provided resources implementations
*`src/Models/SCIM/Standard/Users/CoreUser.php` implements the Core User resource from the SCIM standard
*`src/Models/SCIM/Standard/Users/EnterpriseUser.php` implements the Enterprise User extension from the SCIM standard
*`src/Models/SCIM/Standard/Groups/CoreGroup.php` implements the Core Group resource from the SCIM standard
*`src/Models/SCIM/Custom/Domains/Domain.php` implements the custom Domain resource
*`src/Models/SCIM/Custom/Users/ProvisioningUser.php` implements the custom Provisioning User extension of the Core User
#### SCIM server
* You can use **scim-server-php** to easily create a full-fledged SCIM server for your own data source
* **scim-server-php** uses the [Repository Pattern](https://martinfowler.com/eaaCatalog/repository.html) and the [Adapter Pattern](https://en.wikipedia.org/wiki/Adapter_pattern) in order to be as flexible and portable to different systems for provisioning as possible
* You can use the embedded mock server implementation as an example ;)
* Concretelly, you will need to implement the following for each resource type of your data source
*`Model` classes representing your resources
* See e.g. `src/Models/Mock/MockUsers`
*`DataAccess` classes defining how to access your data source
* See e.g. `src/DataAccess/Users/MockUserDataAccess.php`
*`Adapter` classes, extending `AbstractAdapter` and defining how to convert your resources to/from SCIM resources
* See e.g. `src/Adapters/Users/MockUserAdapter.php`
*`Repository` classes, extending `Opf\Repositories\Repository` and defining the operations available on your resources
* See e.g. `src/Repositories/Users/MockUsersRepository.php`
* If you want to define new SCIM resources, you will also need to implement new `Controllers` (see `src/Controllers`) and SCIM `Model`s (see `src/Models/SCIM`)
* Create a `dependencies` file reusing the pattern of `src/Dependencies/mock-dependencies.php`
* The "Auth middleware" and "Authenticators" sections are explained in the [Authentication/Authorization](#authenticationauthorization) section bellow
* Your `Repository` classes will get the corresponding `DataAccess` and `Adapter` classes through the **scim-server-php** container
* Instantiate a `ScimServer` and feed it with your `dependencies` file as shown in `public/index.php`
* The "Authentication Middleware" section is explained in the [Authentication/Authorization](#authenticationauthorization) section bellow
### Authentication/Authorization
#### Define your authentication/authorization logic
* Authentication is mostly delegated to the system using **scim-server-php**
* A basic JWT based authentication implementation is provided as an example in `src/Util/Authentication/SimpleBearerAuthenticator`
* Define your own `Authenticator` class(es) by implementing the `AuthenticatorInterface` available in `Util/Authentication`
* A script generating a JWT token containing a single `user` claim is provided in `bin/generate_jwt.php`
* Authorization is delegated to the system using **scim-server-php**
#### Define your authentication/authorization middleware
* The **scim-server-php** HTTP server is based on the [Slim](https://www.slimframework.com/) framework and reuses its [Middleware](https://www.slimframework.com/docs/v4/concepts/middleware.html) concept
* Authentication and authorization should therefore be implemented as "Middleware(s)"
* This means implementing the `MiddlewareInterface`
* The authentication middleware should then delegate the actual authentication process to your `Authenticator`
* The authorization implementation is up to you
* You can either integrate it in the `Authenticator` (and so, in the authentication middleware)
* Or you can implement an independent authentication middleware
* You can use `src/Middleware/SimpleAuthMiddleware` as an example
#### Add your authentication/authorization middleware to the SCIM server
* Add your middleware to your dependencies file
* You can use `src/Dependencies/mock-dependencies.php` as an example
* Note that the mock `SimpleAuthMiddleware` also uses the **scim-server-php** container to gets the authenticator to use
* Hence `src/Dependencies/mock-dependencies.php` defines a `'BearerAuthenticator'` which is then used in `SimpleAuthMiddleware`
### Full example
* We advise to use https://github.com/audriga/postfixadmin-scim-api as a full **scim-server-php** implementation example
This software is part of the [Open Provisioning Framework](https://www.audriga.com/en/User_provisioning/Open_Provisioning_Framework) project that has received funding from the European Union's Horizon 2020 research and innovation program under grant agreement No. 871498.