MSC4098: Use the SCIM protocol for provisioning #4098

Open
wants to merge 16 commits into
base: main


@azmeuk azmeuk commented Feb 9, 2024

@azmeuk azmeuk changed the title Proposal to use the SCIM protocol for provisioning MSC4098: Use the SCIM protocol for provisioning Feb 9, 2024
@azmeuk
Author

azmeuk commented Feb 9, 2024

I am wondering how far to push the implementation I have started, since discussions about the MSC may change the scope of the implementation. So far it covers the nominal cases, but no error cases nor any advanced features. Basically, I added a bunch of endpoints for the basic SCIM thing, but I am not sure what is needed for this MSC to go forward.

@anoadragon453 anoadragon453 added proposal A matrix spec change proposal needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. labels Feb 9, 2024
@turt2live turt2live added the kind:feature MSC for not-core and not-maintenance stuff label Feb 9, 2024
@dubiousgit

I'm a big fan of SCIM provisioning because I think it solves a well-understood problem in the Enterprise space, and reduces the management overhead greatly. It also opens the door for default room provisioning with specific group membership I believe, which I would also approve. Waiting on this one with interest.

@azmeuk azmeuk force-pushed the scim branch 2 times, most recently from 3105ab8 to 0224a06 Compare April 18, 2024 16:27
@azmeuk azmeuk marked this pull request as ready for review April 18, 2024 16:28

## Unstable prefix

The unstable prefix to use for the root SCIM endpoint is `/_matrix/client/unstable/coop.yaal/scim/`.
Member

The proposal is missing what the stable location of this would be.

Author

@azmeuk azmeuk Apr 23, 2024

I am not sure about this. Would `/_scim/` or `/_matrix/scim/` be good candidates?

Author

So, probably `/_scim/` would be better as it is a whole different spec than Matrix.

user account [provisioning](https://en.wikipedia.org/wiki/Account_provisioning), fix several use cases uncovered
by the specification, and in the end help reduce friction for system administrators managing Matrix servers.

## Proposal
Member

@clokep clokep Apr 19, 2024

Suggested change
## Proposal

This whole section seems like background, not part of the proposal. I'd rename the "Detailed implementation proposal" to "Proposal" (and place it as an H2) as that gets into the actual proposed changes.

Author

Thank you for your review. I reorganized the sections and tried to describe a better chain of ideas:

  • some use-cases are not covered by the spec
  • → a provisioning protocol would cover them
  • → having provisioning in the spec would help interoperability
  • → adopting an existing provisioning standard would help interoperability even better, and save some design time
  • → SCIM is the only relevant provisioning standard

Comment on lines 69 to 72
To paraphrase
[MSC1779](https://github.com/matrix-org/matrix-spec-proposals/blob/main/proposals/1779-open-governance.md),
*"interoperability is better than fragmentation*". This is why this proposal advises to use SCIM as
a standard provisioning protocol for Matrix.
Member

I agree that using a standard (SCIM) over the custom implementation is better... but I think this MSC fails to mention why this is important to be in the spec as opposed to an implementation specific set of endpoints.

Author

I attempted to answer this in the "A common protocol for the Matrix ecosystem" paragraph.

@sandhose
Member

sandhose commented May 2, 2024

I'm sceptical of adding SCIM specifically to the Matrix C-S API.
Fundamentally, Matrix isn't a user and identity management API, it's not supposed to be.
It doesn't mean, however, that multiple homeserver implementations can't agree on implementing SCIM with a specific schema, just that I don't think it makes sense within the Matrix spec.

What does make sense would be to define Matrix-specific SCIM schemas (mostly the MXID, as everything else has a 1-1 mapping with existing SCIM attributes?), but I wouldn't tie it to Matrix-specific auth, nor to a specific C-S endpoint
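To make the idea of a Matrix-specific SCIM schema concrete, here is an added example (not part of the thread, the MSC, or any homeserver's code) that validates a SCIM User resource carrying the MXID in a schema extension. The extension URN, the `mxid` attribute name and the sample resource are assumptions constructed for illustration; the core User URN and the extension mechanism come from RFC 7643.

```python
import re

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643
# Hypothetical extension URN, invented for this example; not defined by the MSC.
MATRIX_EXT = "urn:example:params:scim:schemas:extension:matrix:2.0:User"

# Matrix user ID grammar: @localpart:server_name, at most 255 bytes in total.
_LOCALPART = re.compile(r"[a-z0-9._=\-/+]+")


def validate_matrix_user(resource, server_name):
    """Return a list of problems found in a SCIM User with a Matrix extension."""
    problems = []
    schemas = resource.get("schemas", [])
    if CORE_USER not in schemas:
        problems.append("core User schema missing from 'schemas'")
    ext = resource.get(MATRIX_EXT)
    if ext is None:
        problems.append("Matrix extension attributes missing")
        return problems
    if MATRIX_EXT not in schemas:
        # RFC 7643: every extension in use must be listed in 'schemas'.
        problems.append("extension used but not declared in 'schemas'")
    mxid = ext.get("mxid", "")  # 'mxid' is an assumed attribute name
    if not isinstance(mxid, str) or not mxid.startswith("@") or ":" not in mxid:
        problems.append("mxid is not of the form @localpart:server_name")
        return problems
    # The localpart cannot contain ':', so the first colon ends it; the
    # server name keeps any port suffix.
    localpart, _, domain = mxid[1:].partition(":")
    if not _LOCALPART.fullmatch(localpart):
        problems.append("mxid localpart has characters outside a-z0-9._=-/+")
    if domain != server_name:
        # A provisioning client must not create identities for other servers.
        problems.append("mxid belongs to another homeserver")
    if len(mxid.encode("utf-8")) > 255:
        problems.append("mxid longer than 255 bytes")
    return problems


# Constructed sample resource, as a provisioning client might POST it.
SAMPLE = {
    "schemas": [CORE_USER, MATRIX_EXT],
    "userName": "alice",
    MATRIX_EXT: {"mxid": "@alice:example.org"},
}
```
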

@pierreozoux

@sandhose @pmaier1 currently, from my understanding, Matrix spec has a user and identity management API, is it correct? (sorry, I'm no specialist of matrix spec, discovering this world)

The idea of this proposal is to first add a new standard API for user provisioning.

@Xiretza Xiretza left a comment

Some copy editing

8 participants