Nextcloud SCIM Service Provider

SCIM Service Provider

This app lets you provision users and groups in Nextcloud from a SCIM client. It is based on the audriga/scim-server-php SCIM library.

You can see the video that shows how it works.

Installation

Like any other app, it's available on Nextcloud's app store.

Authentication

Basic and bearer authentication are supported. For now, only admin users are authorized to access SCIM APIs.

Basic authentication

You just have to generate an app password in /settings/user/security.

Bearer authentication

To enable it, a JWT secret must be set.

php occ config:app:set scimserviceprovider jwt-secret --value="CHANGE_ME"

Then generate a JWT signed with this secret, with sub in the payload set to an existing username. (Handy CLI tool)

jwt encode --secret "CHANGE_ME" '{"sub":"admin"}'
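
As an added example (not code from this app or from the jwt CLI), the Python below shows what such a bearer token contains and how a verifier should treat it, assuming HS256 (HMAC-SHA256) signing, which this page does not state. The function names and the optional exp lifetime are assumptions of the example; new_secret() produces a random value to use in place of CHANGE_ME.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def new_secret():
    # 256 bits from the OS CSPRNG: a value to set as jwt-secret instead of "CHANGE_ME"
    return secrets.token_urlsafe(32)

def _sign(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def mint_token(secret, username, ttl=None):
    # "sub" must name an existing user; "exp" is optional here (assumption)
    claims = {"sub": username}
    if ttl is not None:
        claims["exp"] = int(time.time()) + ttl
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url(_sign(secret, signing_input))

def verify_token(secret, token):
    """Return the username in "sub", or None if the token must be rejected."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        signature = b64url_decode(sig)
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm: never trust "alg" from the token
    if not hmac.compare_digest(signature, _sign(secret, head + "." + body)):
        return None  # wrong secret or modified header/payload
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or exp < time.time()):
        return None  # expired or malformed lifetime
    return claims.get("sub")

if __name__ == "__main__":
    secret = new_secret()
    print(verify_token(secret, mint_token(secret, "admin", ttl=3600)))
```

Because the token is accepted for any admin username in sub, anyone who knows the secret can act as that admin, so the secret deserves the same handling as an admin password.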

Usage

$ curl http://<path-to-nextcloud>/index.php/apps/scimserviceprovider/<Resource> -H 'Authorization: <Auth>' -H 'Content-Type: application/scim+json'

Where <Resource> designates a SCIM resource, such as Users or Groups.

With Keycloak

You can use it with the SCIM plugin we developed for Keycloak.

With AzureAD

You can provision users from AzureAD to Nextcloud with this app. For this, you need to set up Bearer authentication.

Running tests

Broken.

Todo

  • Meta -> (can't implement yet)
    • createdAt
    • lastModified
  • ExternalID
  • json exceptions
  • group member removal
  • pagination
  • CI/CD
    • Lint cs:check
    • test psalm
    • test insomnia
    • publish app on app store
  • Allow for simultaneous usage of basic auth and bearer token auth (see Authentication TODOs / Open issues)

Disclaimer

This app relies on the fixes being introduced to Nextcloud in PR #34172, since Nextcloud can't otherwise properly handle the Content-Type header value for SCIM (application/scim+json). Until this PR is merged, SCIM clients interacting with this app might need to fall back to the standard value of application/json instead.

Funding

This app was started during the Nextgov hackathon!

This project is funded through NGI0 Entrust, a fund established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more at the NLnet project page.
