Nextcloud SCIM Service Provider
Find a file
Hugo Renard 9066e6096b
All checks were successful
/ build (push) Successful in 32s
/ release (push) Has been skipped
ci: add compliance check
2024-12-04 12:02:00 +01:00
.forgejo/workflows ci: use forgejo & nix 2024-12-02 17:29:40 +01:00
.insomnia Fix tests. 2022-05-18 18:02:17 +02:00
appinfo chore: bump version to v1.0.0-alpha.2 2024-10-28 15:21:27 +01:00
img First commit 2022-04-29 15:58:37 +02:00
lib feat: return a scim error on unknown paths 2024-10-28 15:11:41 +01:00
screenshots Fixes readme. 2022-05-02 14:44:29 +02:00
tests/postman Use scim-server-php lib 2023-03-03 11:21:27 +00:00
.gitignore ci: use forgejo & nix 2024-12-02 17:29:40 +01:00
.php-cs-fixer.cache feat: simplify architecture 2024-02-06 11:32:35 +01:00
.php-cs-fixer.dist.php Adds psalm and Nc style check. 2022-05-18 16:28:52 +02:00
composer.json ci: use forgejo & nix 2024-12-02 17:29:40 +01:00
composer.lock ci: use forgejo & nix 2024-12-02 17:29:40 +01:00
COPYING First commit 2022-04-29 15:58:37 +02:00
flake.lock ci: add compliance check 2024-12-04 12:02:00 +01:00
flake.nix ci: add compliance check 2024-12-04 12:02:00 +01:00
LICENSE feat: simplify architecture 2024-02-06 11:32:35 +01:00
psalm.xml Adds psalm and Nc style check. 2022-05-18 16:28:52 +02:00
README.md doc: acknowledge NLnet funding 2024-09-23 10:39:37 +02:00

SCIM Service Provider

This app allows to provision users and groups in Nextcloud from a scim client. It is based on audriga/scim-server-php SCIM library.

You can see the video that shows how it works.

Installation

Like any other app, it's available on Nextcloud's app store.

Authentication

Basic and bearer authentication are supported. For now, only admin users are authorized to access SCIM APIs.

Basic authentication

You just have to generate an app password in /settings/user/security.

Bearer authentication

It requires a JWT secret, to be enabled.

php occ config:app:set scimserviceprovider jwt-secret --value="CHANGE_ME"

Then you should generate a JWT signed with this secret and with sub in the payload referring to an existing username. (Handy CLI tool)

jwt encode --secret "CHANGE_ME" '{"sub":"admin"}'

Usage

$ curl http://<path-to-nextcloud>/index.php/apps/scimserviceprovider/<Resource> -H 'Authorization: <Auth>' -H 'Content-Type: application/scim+json'

Where <Resource> designates a SCIM resource, such as Users or Groups.

With Keycloak

You can use with the SCIM plugin we developped for keycloak.

With AzureAD

You can provision users from AzureAD to Nextcloud with this app. For this, you need to setup Bearer authentication.

Running tests

Broken.

Todo

  • Meta -> (can't implement yet)
    • createdAt
    • lastModified
  • ExternalID
  • json exceptions
  • group member removal
  • pagination
  • CI/CD
    • Lint cs:check
    • test psalm
    • test insomnia
    • publish app on app store
  • Allow for simultaneous usage of basic auth and bearer token auth (see Authentication TODOs / Open issues)

Disclaimer

This app relies on the fixes, being introduced to Nextcloud in PR #34172, since Nextcloud can't properly handle the Content-Type header value for SCIM (application/scim+json) otherwise. In the meantime until this PR is merged, SCIM clients interacting with this app might need to resort to using the standard value of application/json instead.

Funding

This app was started during the Nextgov hackathon!

This project is funded through NGI0 Entrust, a fund established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more at the NLnet project page.

NLnet foundation logo NGI Zero Logo