Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SCIM provisioning API basic implementation #17144

Open
wants to merge 55 commits into
base: develop
Choose a base branch
from

Conversation

azmeuk
Copy link
Contributor

@azmeuk azmeuk commented May 2, 2024

This is an implementation of MSC4098. It implements a subset of the SCIM provisioning protocol defined in RFC7643 and RFC7644.

It contains:

  • A SCIM servlet implementing the minimal SCIM endpoints.
    • The data edition/retrieval part largely takes inspiration (and shameless copied) from synapse/rest/admin/users.py.
    • The SCIM payload validation and production is achieved with scim2-models, a library based on pydantic which I maintain.
  • Unit tests for those endpoints.
  • Documentation on the state of the SCIM implementation, and examples of requests and response payloads.

The SCIM requires needs python 3.9+ (because of the use of typing.Anotated in scim2-models) and pydantic 2.7.0+

SCIM implementation details

Only a subset of the SCIM endpoints are implemented:

What's implemented:

  • The main endpoints:
    • /Users (GET, POST)
    • /Users/<user_id> (GET, PUT, DELETE)
    • /ServiceProviderConfig (GET)
    • /Schemas (GET)
    • /Schemas/<schema_id> (GET)
    • /ResourceTypes (GET)
    • /ResourceTypes/<resource_type_id>
  • pagination
  • The user attributes:
    • userName
    • password
    • emails
    • phoneNumbers
    • displayName
    • photos (as a MXC URI)
    • active

What is defined in the SCIM specs but not implemented here:

What do you think?

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct
    (run the linters)

@azmeuk azmeuk requested a review from a team as a code owner May 2, 2024 14:49
@azmeuk azmeuk marked this pull request as draft May 2, 2024 14:50
@azmeuk azmeuk force-pushed the msc4098-scim branch 4 times, most recently from ea6a6d6 to dd52360 Compare May 3, 2024 16:06
@erikjohnston erikjohnston removed the request for review from a team May 14, 2024 12:14
@erikjohnston
Copy link
Member

(I've taken this out of the review queue as its in draft, let us know if you want feedback)

@azmeuk
Copy link
Contributor Author

azmeuk commented May 27, 2024

Hi @erikjohnston
Thank you for your feedback offering. Indeed this is a draft, but I hope to take back the development soon.

There is one design question though. I see that there is a dependency to pydantic in synapse, and I recently published scim2-models that is a library that helps to parse and serialize SCIM2 payloads using pydantic. I think the SCIM implementation would greatly benefit from using scim2-models, as a big part of the specification compliance would be delegated to the library.

Would it be acceptable to add a dependency towards scim2-models in synapse, or should I continue checking and building SCIM2 payloads manually?

@azmeuk azmeuk force-pushed the msc4098-scim branch 4 times, most recently from f893967 to 81d751b Compare June 6, 2024 14:25
@azmeuk azmeuk force-pushed the msc4098-scim branch 3 times, most recently from dcd72ed to 6a1e1b2 Compare July 25, 2024 12:06
@azmeuk azmeuk marked this pull request as ready for review July 25, 2024 12:09
@azmeuk
Copy link
Contributor Author

azmeuk commented Jul 25, 2024

Hi @erikjohnston
I think the PR can be reviewed now. I edited the OP to detail what's in there.
I am available on #synapse-dev too if there are things to discuss.

Implementation of a subset of SCIM endpoint and capabilities as
described in MSC4098.

Signed-off-by: Éloi Rivard <[email protected]>
@github-actions github-actions bot deployed to PR Documentation Preview August 13, 2024 09:03 Active
@anoadragon453 anoadragon453 requested a review from a team August 13, 2024 10:20
@azmeuk

This comment was marked as outdated.

@azmeuk

This comment was marked as outdated.

@github-actions github-actions bot deployed to PR Documentation Preview November 15, 2024 09:08 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 15, 2024 14:34 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 17, 2024 15:23 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 17, 2024 15:32 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 17, 2024 17:38 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 17, 2024 19:31 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 20, 2024 09:14 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 20, 2024 09:53 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 22, 2024 09:00 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 22, 2024 10:13 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 22, 2024 13:56 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 22, 2024 13:57 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 22, 2024 14:03 Active
@azmeuk
Copy link
Contributor Author

azmeuk commented Nov 22, 2024

@reivilibre I think all your comments have been addressed now. Most of them have been fixed in the code and I responded to some with new questions.
The implementation have been tested against Keycloak with the keycloak-scim extension.

I am sorry for the many commits, the PR looks like a mess. If it is easier for the review, I can close it and open a new one. Let me know.

@reivilibre reivilibre self-requested a review December 5, 2024 16:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants