feat: add support for SCIM provisioning (#1182)

2026-02-14 17:37:27 +00:00 · 2026-01-02 17:54:20 +01:00
parent e4a8ca476c
commit 579cfdc678
37 changed files with 1963 additions and 34 deletions
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -168,7 +168,7 @@ func (s *OidcService) Authorize(ctx context.Context, input dto.AuthorizeOidcClie
 		return "", "", err
 	}

-	if !s.IsUserGroupAllowedToAuthorize(user, client) {
+	if !IsUserGroupAllowedToAuthorize(user, client) {
 		return "", "", &common.OidcAccessDeniedError{}
 	}

@@ -224,7 +224,7 @@ func (s *OidcService) hasAuthorizedClientInternal(ctx context.Context, clientID,
 }

 // IsUserGroupAllowedToAuthorize checks if the user group of the user is allowed to authorize the client
-func (s *OidcService) IsUserGroupAllowedToAuthorize(user model.User, client model.OidcClient) bool {
+func IsUserGroupAllowedToAuthorize(user model.User, client model.OidcClient) bool {
 	if !client.IsGroupRestricted {
 		return true
 	}
@@ -1325,7 +1325,7 @@ func (s *OidcService) VerifyDeviceCode(ctx context.Context, userCode string, use
 		return fmt.Errorf("error finding user groups: %w", err)
 	}

-	if !s.IsUserGroupAllowedToAuthorize(user, deviceAuth.Client) {
+	if !IsUserGroupAllowedToAuthorize(user, deviceAuth.Client) {
 		return &common.OidcAccessDeniedError{}
 	}

@@ -1829,7 +1829,7 @@ func (s *OidcService) GetClientPreview(ctx context.Context, clientID string, use
 		return nil, err
 	}

-	if !s.IsUserGroupAllowedToAuthorize(user, client) {
+	if !IsUserGroupAllowedToAuthorize(user, client) {
 		return nil, &common.OidcAccessDeniedError{}
 	}

@@ -1956,7 +1956,7 @@ func (s *OidcService) IsClientAccessibleToUser(ctx context.Context, clientID str
 		return false, err
 	}

-	return s.IsUserGroupAllowedToAuthorize(user, client), nil
+	return IsUserGroupAllowedToAuthorize(user, client), nil
 }

 var errLogoTooLarge = errors.New("logo is too large")
@@ -2116,3 +2116,16 @@ func (s *OidcService) updateClientLogoType(ctx context.Context, clientID string,

 	return nil
 }
+
+func (s *OidcService) GetClientScimServiceProvider(ctx context.Context, clientID string) (model.ScimServiceProvider, error) {
+	var provider model.ScimServiceProvider
+	err := s.db.
+		WithContext(ctx).
+		First(&provider, "oidc_client_id = ?", clientID).
+		Error
+	if err != nil {
+		return model.ScimServiceProvider{}, err
+	}
+
+	return provider, nil
+}