
[RFC] SCIM support for auto-provisioning

Open nextgens opened this issue 10 months ago • 4 comments

We should look into System for Cross-domain Identity Management support for auto-provisioning.

I've seen many requests for "OAuth2" that are in fact requests for "centrally managing identities elsewhere". Well, guess what? Even if we enable account creation on first use (like we did with PROXY_AUTH_CREATE) it will not handle their lifecycle (when accounts get disabled or renamed - off-boarding).

This has been briefly discussed on #mailu-dev and the current consensus of those that said they would use OIDC is that it is overkill. This issue is open to track interest; add a thumbs up if you require it (with or without OIDC).

#783 #823 #1984 #2378 #2575 #3675

nextgens avatar Jan 05 '25 10:01 nextgens

> This has been briefly discussed on #mailu-dev and the current consensus of those that said they would use OIDC is that it is overkill.

That what is overkill? OIDC or SCIM?

strugee avatar Jan 29 '25 20:01 strugee

SCIM

nextgens avatar Jan 30 '25 08:01 nextgens

Ah, gotcha. Honestly, having implemented a (basic) SCIM endpoint at $dayjob, this surprises me. It's not exactly a trivial protocol, but it isn't that complex. OIDC AFAICT is a lot more complicated, but to be fair, I learned that OIDC supports provisioning literally from this issue. So take that assessment with a large pile of salt.

I do not think it will be complicated to implement or maintain a SCIM API. Honestly I'd even consider doing it as a completely separately maintained bridge server, just to make maintenance and runtime operation simpler. All the server would need to do is translate SCIM API calls into calls to Mailu's existing REST API - you don't even need to store any state because you can have the SCIM bridge just pass through whatever authentication token it receives unchanged.

strugee avatar Jan 30 '25 19:01 strugee
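The stateless bridge sketched in the comment above, as an added example (not Mailu's code and not anything the project ships): it translates a SCIM User create and a SCIM PatchOp into Mailu REST requests and forwards the caller's bearer token unchanged. The Mailu path `/api/v1/user` and the field names `email`, `displayed_name` and `enabled` are assumptions for illustration; the SCIM URNs and PatchOp shape come from RFC 7643/7644.

```python
import re

# SCIM 2.0 schema identifiers (RFC 7643 / RFC 7644); these are real values.
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def forward_auth(headers):
    """Pass the caller's bearer token through unchanged: the bridge holds no
    credentials of its own, so a compromised bridge leaks nothing extra."""
    token = headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return {"Authorization": token}

def scim_create_to_mailu(scim_user, headers):
    """Translate SCIM POST /Users into a Mailu request (assumed: POST /api/v1/user)."""
    if SCIM_USER not in scim_user.get("schemas", []):
        raise ValueError("not a SCIM User resource")
    email = scim_user["userName"]
    if not EMAIL_RE.match(email):  # Mailu users are mailbox addresses, so reject junk early
        raise ValueError("userName must be a mailbox address")
    body = {  # assumed Mailu field names
        "email": email,
        "displayed_name": scim_user.get("displayName", email),
        "enabled": scim_user.get("active", True),
    }
    return {"method": "POST", "path": "/api/v1/user",
            "headers": forward_auth(headers), "body": body}

def scim_patch_to_mailu(email, patch, headers):
    """Translate a SCIM PatchOp (RFC 7644 s3.5.2) into a Mailu PATCH; the IdP
    setting 'active' to false is the off-boarding case, mapped to enabled=false."""
    if SCIM_PATCH not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp")
    body = {}
    for op in patch["Operations"]:
        if op["op"].lower() != "replace":
            raise ValueError(f"unsupported op {op['op']}")
        path = op.get("path")
        if path == "active":
            body["enabled"] = bool(op["value"])
        elif path == "displayName":
            body["displayed_name"] = op["value"]
        else:
            raise ValueError(f"unsupported path {path}")  # fail closed on unknown attributes
    return {"method": "PATCH", "path": f"/api/v1/user/{email}",
            "headers": forward_auth(headers), "body": body}
```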

> I do not think it will be complicated to implement or maintain a SCIM API.

I agree and this is why I've created this ticket.

IMHO we could just add new endpoints, we don't need a bridge server.

nextgens avatar Feb 05 '25 11:02 nextgens