SCIM Service Provider
This app allows provisioning users and groups in Nextcloud from a SCIM client. It is based on the audriga/scim-server-php SCIM library.
You can watch the video that shows how it works.
Installation
Like any other app, it's available on Nextcloud's app store.
Authentication
Basic and bearer authentication are supported. For now, only admin users are authorized to access the SCIM APIs.
Basic authentication
You just have to generate an app password in /settings/user/security and use it, together with the admin username, as the Basic credentials.
Bearer authentication
It requires a JWT secret to be set:
php occ config:app:set scimserviceprovider jwt-secret --value="CHANGE_ME"
Then generate a JWT signed with this secret (HS256) and with sub in the payload referring to an existing username (handy CLI tool). Anyone holding the secret can mint a token for any username, so treat it as you would an admin password.
jwt encode --secret "CHANGE_ME" '{"sub":"admin"}'
Usage
$ curl http://<path-to-nextcloud>/index.php/apps/scimserviceprovider/<Resource> -H 'Authorization: <Auth>' -H 'Content-Type: application/scim+json'
Where <Resource> designates a SCIM resource, such as Users or Groups, and <Auth> is either Basic <base64 of username:app-password> or Bearer <jwt>.
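The following is an added example, not code from this app or from audriga/scim-server-php. It shows, in stdlib-only Python, the two halves of the Bearer and Usage sections above: minting the HS256 token with a sub claim that the occ-configured secret authorizes, the checks a careful verifier makes on such a token (signature with a constant-time compare, refusal of alg none, optional exp), and the headers and body of a SCIM create-user request with the application/scim+json versus application/json Content-Type choice from the Disclaimer. Whether the app itself honours exp is not stated on this page and is an assumption here; the base URL, secret and credentials are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

SCIM_JSON = "application/scim+json"
PLAIN_JSON = "application/json"  # fallback while PR #34172 is not merged


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(secret: str, sub: str, ttl=None, now=None) -> str:
    """HS256 JWT whose sub names an existing Nextcloud user; exp is optional
    (assumption: the app may ignore exp, but a short-lived token limits damage)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub}
    if ttl is not None:
        now = int(time.time()) if now is None else now
        payload["iat"] = now
        payload["exp"] = now + ttl
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: str, now=None) -> dict:
    """Returns the payload or raises ValueError. Order matters: the alg is
    pinned before the signature is checked, so alg=none never reaches compare."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if not isinstance(payload.get("sub"), str) or not payload["sub"]:
        raise ValueError("missing sub")
    if "exp" in payload:
        now = int(time.time()) if now is None else now
        if now >= int(payload["exp"]):
            raise ValueError("expired")
    return payload


def is_valid(token: str, secret: str, now=None) -> bool:
    try:
        verify_jwt(token, secret, now)
        return True
    except ValueError:
        return False


def basic_header(username: str, app_password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{app_password}".encode()).decode()


def bearer_header(token: str) -> str:
    return "Bearer " + token


def new_user(user_name: str, display_name: str, active: bool = True) -> dict:
    """Minimal SCIM 2.0 User resource (RFC 7643 core schema)."""
    return {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
            "userName": user_name, "displayName": display_name, "active": active}


def scim_request(base_url: str, resource: str, auth: str, body=None, scim_content_type=True):
    """The request the curl line above sends: GET without a body, POST with one."""
    url = f"{base_url.rstrip('/')}/index.php/apps/scimserviceprovider/{resource}"
    headers = {"Authorization": auth,
               "Content-Type": SCIM_JSON if scim_content_type else PLAIN_JSON}
    data = None if body is None else json.dumps(body).encode()
    return {"method": "POST" if data else "GET", "url": url, "headers": headers, "data": data}


if __name__ == "__main__":
    tok = mint_jwt("CHANGE_ME", "admin", ttl=300)          # placeholder secret
    req = scim_request("https://cloud.example.org", "Users",  # placeholder host
                       bearer_header(tok), new_user("jdoe", "Jane Doe"))
    print(req["method"], req["url"], req["headers"]["Content-Type"])
```

The same token can be sent with the curl line above as `-H 'Authorization: Bearer <jwt>'`; pass `scim_content_type=False` to produce the application/json fallback described in the Disclaimer.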
With Keycloak
You can use it with the SCIM plugin we developed for Keycloak.
With AzureAD
You can provision users from Azure AD to Nextcloud with this app. For this, you need to set up Bearer authentication.
Running tests
Broken.
Todo
- Meta -> (can't implement yet)
- createdAt
- lastModified
- ExternalID
- Groups - waiting for feedback
- json exceptions
- group member removal
- pagination
- CI/CD
- Lint cs:check
- test psalm
- test insomnia
- publish app on app store
- Allow for simultaneous usage of basic auth and bearer token auth (see Authentication TODOs / Open issues)
Disclaimer
This app relies on the fixes introduced to Nextcloud in PR #34172, since Nextcloud otherwise can't properly handle the Content-Type header value for SCIM (application/scim+json). Until this PR is merged, SCIM clients interacting with this app might need to use the standard value application/json instead.
Funding
This app was started during the Nextgov hackathon!
This project is funded through NGI0 Entrust, a fund established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more at the NLnet project page.