Add SCIM support as service provider

As already mentioned here I think it would be a nice feature if Discourse would support the SCIM protocol. SCIM is a standard proposed by the IETF through RFC7644 and RFC7643 which aims to provide solution for user/group management through a simple Rest API. Our use case would be to manage user identities and group memberships via a separate service that acts as a SCIM client, Keycloak in our case. Discourse would act as a SCIM service provider. In addition to any existing SSO and centralized account creation that would have the following advantages:

  • assign users to groups;
  • change user information immediately in several apps;
  • delete the user when they are removed from the SSO;
  • get the list of users or groups in a standard way;

We received some funding from NGI via NLNet for SCIM implementations, you can read the proposal and about related work in our forum here. I would try to implement a first solution in a Discourse plugin for now, but it would be nice to integrate this into Discourse core at some point. Let me know about any thoughts and opinions!

3 Likes

It seems odd that their spec uses /Users and /Groups rather than something like .well-known/scim/Users. It seems assured that it will conflict with existing routes on many applications.

I’d be happy to help out with that if you’ve got some budget to spare.

I can imagine that if it were well-written and widely-used (or required by several enterprise customers) that it might become an offical plugin.

I don’t imagine that it would ever become part of core–even Oauth2 is a plugin.

4 Likes

I think it’s possible to use any path as prefix for the SCIM endpoints, e.g. api/scim/v2/Users or well-known paths that you suggest.

Yeah, I understand the concerns with the core, so maybe a goal can be that it becomes an official plugin. Thanks also for the offer to help, there is no additional budget but let’s see in the future how this develops.

1 Like

Ah. That makes sense. I figured that must be the case but didn’t see that in my quick read. I’d take a look at the other authentication plugins as a reference.

Here are official plugins with ‘auth’ in their name

discourse-apple-auth/                  discourse-microsoft-auth/
discourse-authentication-validations/  discourse-oauth2-basic/
discourse-auth-no-email/               discourse-vk-auth/
discourse-development-auth/            discourse-wikimedia-auth/

Sounds like an interesting project

1 Like

A first version of the plugin is now available here:

The mapping is still very simple, just the basic fields of users and groups will work. I tested with the keycloak SCIM plugin and you can already add/modify users on Keycloak which will then be crested/updated on Discourse. The keycloak SCIM plugin is here:

Any feedback is very welcome :slight_smile: We will test more with keycloak in our environment and I still want to test it with authentik.

3 Likes

This is cool, great idea. Looking forward to testing this. thanks!

It would be great if you could post it as a topic in the Plugin category :slight_smile: