-
Notifications
You must be signed in to change notification settings - Fork 381
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC4098: Use the SCIM protocol for provisioning #4098
base: main
Are you sure you want to change the base?
Conversation
I am wondering how far to push the implementation I have started, since discussions about the MSC may change the scope of the implementation. So far it covers the nominal cases, but no error cases nor any advanced features. Basically, I added a bunch of endpoints for the basic SCIM thing, but I am not sure what is needed for this MSC to go forward. |
I'm a big fan of SCIM provisioning because I think it solves a well-understood problem in the Enterprise space, and reduces the management overhead greatly. It also opens the door for default room provisioning with specific group membership I believe, which I would also approve. Waiting on this one with interest. |
3105ab8
to
0224a06
Compare
|
||
## Unstable prefix | ||
|
||
The unstable prefix to use for the root SCIM endpoint is `/_matrix/client/unstable/coop.yaal/scim/`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The proposal is missing what the stable location of this would be.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure about this. Would /_scim/
or /_matrix/scim/
be good candidates?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, probably /_scim/
would be better as it is a whole different spec than Matrix.
user account [provisioning](https://en.wikipedia.org/wiki/Account_provisioning), fix several use cases uncovered | ||
by the specification, and in the end help reduce friction for system administrators managing Matrix servers. | ||
|
||
## Proposal |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
## Proposal |
This whole section seems like background, not part of the proposal. I'd rename the "Detailed implementation proposal" to "Proposal" (and place it as an H2) as that gets into the actual proposed changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your review. I reorganized the sections and tried to describe a better chain of ideas :
- some use-cases are not covered by the spec
- → a provisioning protocol would cover them
- → having provisioning in the spec would help interoperability
- → adopting an existing provisioning standard would help interoperability even better, and save some design time
- → SCIM is the only relevant provisioning standard
To paraphrase | ||
[MSC1779](https://github.com/matrix-org/matrix-spec-proposals/blob/main/proposals/1779-open-governance.md), | ||
*"interoperability is better than fragmentation*". This is why this proposal advises to use SCIM as | ||
a standard provisioning protocol for Matrix. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that using a standard (SCIM) over the custom implementation is better... but I think this MSC fails to mention why this is important to be in the spec as opposed to an implementation specific set of endpoints.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I attempted to answer to this in the A common protocol for the Matrix ecosystem paragraph.
Signed-off-by: Éloi Rivard <[email protected]>
I'm sceptical of adding SCIM specifically to the Matrix C-S API. What does make sense would be to define Matrix-specific SCIM schemas (mostly the MXID, as everything else has a 1-1 mapping with existing SCIM attributes?), but I wouldn't tie it to Matrix-specific auth, nor to a specific C-S endpoint |
@sandhose @pmaier1 currently, from my understanding, Matrix spec has a user and identity management API, is it correct? (sorry, I'm no specialist of matrix spec, discovering this world) The idea of this proposal is to first add a new standard API for user provisioning. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some copy editing
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Co-authored-by: Xiretza <[email protected]>
Rendered
Implementation PR in synapse