Our friends from IndieHosters provide a rich catalog of services to their users. They specialize in the infrastructure management of those services, and one of the major aspects of their work is the management of user accounts.
When a new user account is created against an identity server, the access token that users present to the services usually contains information about the user. This information is generally enough to create the user's account on the service provider. Let us study an example with the Keycloak identity provider and the Nextcloud file management service.
- the users create their account against Keycloak (for instance by filling a subscription form),
- they try to access Nextcloud, but they have no open session, so they get redirected to Keycloak,
- they log in, Keycloak generates a token containing their personal information,
- this token is forwarded to Nextcloud,
- Nextcloud reads the personal information from the token. If the user account does not exist on Nextcloud, then it is created. Otherwise, the personal information is updated on Nextcloud.
- Nextcloud finally gives access to the user.
This is convenient, but it does not cover every use case:
- How can a document be shared with users who have never logged in yet? For now, the Nextcloud account is only created at the user's first login on Nextcloud.
- Users edit their personal information on the identity server (for instance, their display name). How can the modification be instantly propagated to all the services? Currently, personal information is only updated when users log in again on the services.
- How can user accounts be deleted or deactivated on all the services once they have been created?
To achieve all those operations, a provisioning protocol is needed. Provisioning is the act of forwarding object modifications (often users and groups) between several services. These days, the industry standard is SCIM. IndieHosters started a nice presentation webpage about SCIM.
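To make the three use cases concrete, here is a small added example (not code from IndieHosters, Yaal Coop or the scim2 projects) of a hypothetical in-memory SCIM 2.0 /Users endpoint: the identity server creates the account before the first login, patches the display name, then deactivates the user by setting `active` to false. The schema URIs are the standard SCIM ones; the `ScimUserStore` class, the `provisioning_lifecycle` function and the "alice" payload are constructed for this illustration.

```python
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimUserStore:
    """Hypothetical in-memory /Users endpoint of a service provider such as Nextcloud."""

    def __init__(self):
        self.users = {}  # id -> User resource

    def create(self, body: dict) -> dict:
        """POST /Users: the identity server pushes the account before any login."""
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            raise ValueError("schemas and userName are required on a User")
        # userName must be unique on the provider; a real SCIM server answers 409 here.
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            raise ValueError("userName already exists")
        user = {**body, "id": str(uuid.uuid4()), "active": body.get("active", True)}
        self.users[user["id"]] = user
        return user

    def patch(self, user_id: str, patch: dict) -> dict:
        """PATCH /Users/{id}: apply 'replace' operations on top-level attributes."""
        if PATCH_SCHEMA not in patch.get("schemas", []):
            raise ValueError("PatchOp schema is required")
        user = self.users[user_id]
        for op in patch.get("Operations", []):
            path = op.get("path", "")
            # This toy only handles simple attribute paths; reject sub-attributes, filters and 'id'.
            bad_path = not path or "." in path or "[" in path or path == "id"
            if op.get("op", "").lower() != "replace" or bad_path:
                raise ValueError(f"unsupported operation: {op}")
            user[path] = op["value"]
        return user

    def delete(self, user_id: str) -> None:
        """DELETE /Users/{id}: remove the account from the service."""
        del self.users[user_id]


def provisioning_lifecycle() -> dict:
    """The three use cases above: create before first login, rename, deactivate."""
    store = ScimUserStore()
    # Constructed sample payload, as a SCIM client would push it to the provider.
    user = store.create({"schemas": [USER_SCHEMA], "userName": "alice",
                         "displayName": "Alice", "emails": [{"value": "alice@example.org"}]})
    store.patch(user["id"], {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "replace", "path": "displayName", "value": "Alice Martin"}]})
    store.patch(user["id"], {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "replace", "path": "active", "value": False}]})
    return store.users[user["id"]]
```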
They obtained an NLNet grant to develop SCIM in the ecosystem of their tools, and hired Yaal Coop for part of the project. We had several missions:
- Provide a command line interface to easily communicate with a SCIM server and to test a SCIM server's conformity to the specifications.
This project gave birth to several sub-projects:
- scim2-models, a Python library for validating and serializing SCIM resources. It relies on Pydantic and provides native objects that implement the SCIM specification. It aims to be used as a building block for SCIM server and client applications.
- scim2-client, a Python library that creates and validates SCIM network requests. It uses httpx to handle the network part.
- scim2-server, a SCIM server prototype that uses scim2-models, developed by CONTACT Software and co-maintained by Yaal Coop.
- scim2-tester, a SCIM compliance testing Python library. It uses scim2-client to send various requests to a SCIM server and checks whether it behaves as the SCIM specifications require.
- scim2-cli, a command line utility that uses scim2-client and scim2-tester, and provides an interface to perform various operations on SCIM servers.
- Discuss the adoption of SCIM as the official provisioning protocol for the instant messaging protocol Matrix. We wrote a proposal to evolve the protocol (MSC4098), for which discussion is still open. To this day the proposal has not been adopted; the main argument against it is that provisioning is out of scope for the Matrix protocol.
- In parallel, we developed a SCIM implementation for Synapse, currently the best-known Matrix server. The implementation uses scim2-models.
SCIM looks to us like the future standard for provisioning, and we hope that the libraries we developed will help its adoption, first through new Python tools and eventually beyond that language. Provisioning is a useful technique for alternative online service providers, such as those in the CHATONS collective. They deploy heterogeneous sets of services, and specifications such as SCIM help those services communicate with each other. We hope that in the long run our work will improve the quality of service of those small providers and help them grow.