Nextcloud SCIM Service Provider

Find a file

Hugo Renard 8ed2bcb2be chore: bump version to v1.0.0-alpha.2		2024-10-28 15:21:27 +01:00
.insomnia	Fix tests.	2022-05-18 18:02:17 +02:00
appinfo	chore: bump version to v1.0.0-alpha.2	2024-10-28 15:21:27 +01:00
ci	feat: bump compat to nc 27-29	2024-08-20 09:06:09 +02:00
img	First commit	2022-04-29 15:58:37 +02:00
lib	feat: return a scim error on unknown paths	2024-10-28 15:11:41 +01:00
screenshots	Fixes readme.	2022-05-02 14:44:29 +02:00
tests/postman	Use scim-server-php lib	2023-03-03 11:21:27 +00:00
.gitignore	Use scim-server-php lib	2023-03-03 11:21:27 +00:00
.php-cs-fixer.cache	feat: simplify architecture	2024-02-06 11:32:35 +01:00
.php-cs-fixer.dist.php	Adds psalm and Nc style check.	2022-05-18 16:28:52 +02:00
composer.json	feat: update deps & remove unused lexer	2024-10-28 15:19:39 +01:00
composer.lock	feat: update deps & remove unused lexer	2024-10-28 15:19:39 +01:00
COPYING	First commit	2022-04-29 15:58:37 +02:00
go.mod	ci: update dagger	2024-08-20 09:07:54 +02:00
go.sum	ci: update dagger	2024-08-20 09:07:54 +02:00
LICENSE	feat: simplify architecture	2024-02-06 11:32:35 +01:00
psalm.xml	Adds psalm and Nc style check.	2022-05-18 16:28:52 +02:00
README.md	doc: acknowledge NLnet funding	2024-09-23 10:39:37 +02:00

README.md

SCIM Service Provider

This app allows to provision users and groups in Nextcloud from a scim client. It is based on audriga/scim-server-php SCIM library.

You can see the video that shows how it works.

Installation

Like any other app, it's available on Nextcloud's app store.

Authentication

Basic and bearer authentication are supported. For now, only admin users are authorized to access SCIM APIs.

Basic authentication

You just have to generate an app password in /settings/user/security.

Bearer authentication

It requires a JWT secret, to be enabled.

php occ config:app:set scimserviceprovider jwt-secret --value="CHANGE_ME"

Then you should generate a JWT signed with this secret and with sub in the payload referring to an existing username. (Handy CLI tool)

jwt encode --secret "CHANGE_ME" '{"sub":"admin"}'

Usage

$ curl http://<path-to-nextcloud>/index.php/apps/scimserviceprovider/<Resource> -H 'Authorization: <Auth>' -H 'Content-Type: application/scim+json'

Where <Resource> designates a SCIM resource, such as Users or Groups.

With Keycloak

You can use with the SCIM plugin we developped for keycloak.

With AzureAD

You can provision users from AzureAD to Nextcloud with this app. For this, you need to setup Bearer authentication.

Running tests

Broken.

Todo

Meta -> (can't implement yet)
- createdAt
- lastModified
ExternalID
- Groups - waiting for feedback
json exceptions
group member removal
pagination
CI/CD
- Lint cs:check
- test psalm
- test insomnia
- publish app on app store
Allow for simultaneous usage of basic auth and bearer token auth (see Authentication TODOs / Open issues)

Disclaimer

This app relies on the fixes, being introduced to Nextcloud in PR #34172, since Nextcloud can't properly handle the Content-Type header value for SCIM (application/scim+json) otherwise. In the meantime until this PR is merged, SCIM clients interacting with this app might need to resort to using the standard value of application/json instead.

Funding

This app was started during the Nextgov hackathon!

This project is funded through NGI0 Entrust, a fund established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more at the NLnet project page.