Add SCIM support as service provider

As already mentioned here I think it would be a nice feature if Discourse would support the SCIM protocol. SCIM is a standard proposed by the IETF through RFC7644 and RFC7643 which aims to provide a solution for user/group management through a simple REST API. Our use case would be to manage user identities and group memberships via a separate service that acts as a SCIM client, Keycloak in our case. Discourse would act as a SCIM service provider. In addition to any existing SSO and centralized account creation, that would have the following advantages:

  • assign users to groups;
  • change user information immediately in several apps;
  • delete the user when they are removed from the SSO;
  • get the list of users or groups in a standard way;

We received some funding from NGI via NLNet for SCIM implementations, you can read the proposal and about related work in our forum here. I would try to implement a first solution in a Discourse plugin for now, but it would be nice to integrate this into Discourse core at some point. Let me know about any thoughts and opinions!

5 Likes

It seems odd that their spec uses /Users and /Groups rather than something like .well-known/scim/Users. It seems assured that it will conflict with existing routes on many applications.

I’d be happy to help out with that if you’ve got some budget to spare.

I can imagine that if it were well-written and widely-used (or required by several enterprise customers) that it might become an official plugin.

I don’t imagine that it would ever become part of core – even OAuth2 is a plugin.

4 Likes

I think it’s possible to use any path as a prefix for the SCIM endpoints, e.g. api/scim/v2/Users or the well-known paths that you suggest.

Yeah, I understand the concerns with the core, so maybe a goal can be that it becomes an official plugin. Thanks also for the offer to help, there is no additional budget but let’s see in the future how this develops.

1 Like

Ah. That makes sense. I figured that must be the case but didn’t see that in my quick read. I’d take a look at the other authentication plugins as a reference.

Here are official plugins with ‘auth’ in their name

discourse-apple-auth/                  discourse-microsoft-auth/
discourse-authentication-validations/  discourse-oauth2-basic/
discourse-auth-no-email/               discourse-vk-auth/
discourse-development-auth/            discourse-wikimedia-auth/

Sounds like an interesting project

1 Like

A first version of the plugin is now available here:

The mapping is still very simple, just the basic fields of users and groups will work. I tested with the Keycloak SCIM plugin and you can already add/modify users on Keycloak which will then be created/updated on Discourse. The Keycloak SCIM plugin is here:

Any feedback is very welcome :slight_smile: We will test more with Keycloak in our environment and I still want to test it with authentik.

4 Likes
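To illustrate the "basic fields" mapping the post above describes, here is an added Ruby example (not code from the plugin or from Discourse) that validates a SCIM 2.0 User resource as a service provider would receive it from a client like Keycloak, maps it onto basic Discourse user fields, and builds the RFC 7644 error body for rejected input. The function names, the `ScimError` class and the sample request body are assumptions constructed for this example.

```ruby
require "json"

# Schema URIs defined by RFC 7643 (resources) and RFC 7644 (protocol messages).
SCIM_USER_SCHEMA  = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Hypothetical error type carrying the HTTP status and RFC 7644 scimType.
class ScimError < StandardError
  attr_reader :status, :scim_type
  def initialize(status, scim_type, detail)
    super(detail)
    @status = status
    @scim_type = scim_type
  end
end

# Map a SCIM User (RFC 7643 section 4.1) onto basic Discourse user fields.
# Only core attributes are read; extension schemas are ignored, not trusted.
def scim_user_to_discourse(body)
  schemas = Array(body["schemas"])
  raise ScimError.new(400, "invalidValue", "missing User schema") unless schemas.include?(SCIM_USER_SCHEMA)
  username = body["userName"].to_s.strip
  raise ScimError.new(400, "invalidValue", "userName is required") if username.empty?
  emails = Array(body["emails"]).select { |e| e.is_a?(Hash) && e["value"].to_s.include?("@") }
  # Prefer the entry flagged primary; otherwise fall back to the first valid one.
  primary = emails.find { |e| e["primary"] == true } || emails.first
  raise ScimError.new(400, "invalidValue", "a valid email is required") if primary.nil?
  name = body["name"].is_a?(Hash) ? body["name"] : {}
  {
    username: username,
    name: name["formatted"] || [name["givenName"], name["familyName"]].compact.join(" "),
    email: primary["value"].downcase,
    active: body.fetch("active", true) == true, # only a JSON true counts as active
  }
end

# Error body a SCIM service provider must return (RFC 7644 section 3.12).
def scim_error_body(err)
  { "schemas" => [SCIM_ERROR_SCHEMA], "status" => err.status.to_s,
    "scimType" => err.scim_type, "detail" => err.message }
end

# Constructed sample body, as a SCIM client might POST to the /Users endpoint.
SAMPLE_USER = JSON.parse(<<~JSON)
  { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jdoe",
    "name": { "givenName": "Jane", "familyName": "Doe" },
    "emails": [ { "value": "Jane.Doe@example.com", "primary": true } ],
    "active": true }
JSON
```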

This is cool, great idea. Looking forward to testing this. thanks!

It would be great if you could post it as a topic in the Plugin category :slight_smile:

1 Like

In the Plugin category the post button is disabled for me and I see the message that I am not allowed to post in that category.

Join the @plugin_authors group. That allows you to create a topic in that category.

Ah thanks, I sent a request :slight_smile:

1 Like

… and finally posted: SCIM Plugin

2 Likes