# Storing SCIM-related data {#DevScimStorage}

Reference: {#DevScimStorage}

_Author: Artyom Kazak, Matthias Fischmann_

## Storing user data {#DevScimStorageUsers}
SCIM user data is validated by the spar service and stored as brig users. All fields that wire doesn't care about are silently dropped. `GET /scim/v2/Users` will trigger a lookup in brig, and the data thus obtained is synthesized back into a SCIM record.
Time stamps `created_at` and `last_updated_at` for the SCIM metadata are stored in `spar.scim_user_times`. They are kept in sync with the users that are otherwise stored in brig. (Rationale: we briefly considered using `select writetime(*) from brig.user` for last update and `select writetime(activated) from brig.user` for creation, but this has a drawback: we don't have the time stamps when storing the record, so the `POST` handler would need to do a database write and a consecutive lookup, or an `insert if not exists`.)
Users created by SCIM set the `ManagedBy` field in brig to `ManagedByScim`. This should lead to brig disallowing certain update operations (since the single source of truth should be the SCIM peer that has created and is updating the user), but we never got around to implementing that (as of Wed 15 Jul 2020 10:59:11 AM CEST). See also {@SparBrainDump} (grep for `ManagedBy`).
## Storing SCIM tokens {#DevScimStorageTokens}

SCIM tokens are stored in two tables in Spar:

* `team_provisioning_by_token` for `token -> token info` lookups; used to perform authentication.
* `team_provisioning_by_team` for `team -> [token info]` and `(team, token ID) -> token info` lookups; used to display tokens in team settings, and to decide which tokens should be deleted when the whole team is deleted.
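The following is an added example, not wire-server code: an in-memory model of the storage layout described in the two sections above (the `scim_user_times` table kept in sync with brig on `POST`/`PUT`, the `ManagedByScim` marker, and the two token tables with the three lookups they serve). Table names follow the text; the shape of a "token info" record, the brig user fields, the idea of keeping the token string in the by-team row so that team deletion needs no scan of the by-token table, and all sample values are assumptions made for the example.

```python
# Added example (not wire-server code): in-memory model of spar's SCIM storage.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class TokenInfo:          # assumed shape of "token info"; never holds the secret
    token_id: str
    team: str
    description: str


@dataclass
class Store:
    # brig.user: user id -> fields (includes managed_by)
    brig_user: dict[str, dict] = field(default_factory=dict)
    # spar.scim_user_times: user id -> (created_at, last_updated_at)
    scim_user_times: dict[str, tuple[datetime, datetime]] = field(default_factory=dict)
    # team_provisioning_by_token: token -> token info (the authentication lookup)
    by_token: dict[str, TokenInfo] = field(default_factory=dict)
    # team_provisioning_by_team: team -> {token id -> (token, token info)}
    # (assumption: the secret is kept here so delete_team needs no scan of by_token)
    by_team: dict[str, dict[str, tuple[str, TokenInfo]]] = field(default_factory=dict)

    KNOWN_FIELDS = ("externalId", "userName", "displayName")  # fields wire cares about

    # ---- users -------------------------------------------------------------
    def post_user(self, uid: str, scim_payload: dict, now: datetime) -> str:
        """POST: drop unknown fields, mark the user as SCIM-managed and stamp
        both created_at and last_updated_at before writing, so no read-back."""
        brig_fields = {k: v for k, v in scim_payload.items() if k in self.KNOWN_FIELDS}
        brig_fields["managed_by"] = "ManagedByScim"
        self.brig_user[uid] = brig_fields
        self.scim_user_times[uid] = (now, now)
        return uid

    def put_user(self, uid: str, scim_payload: dict, now: datetime) -> None:
        """PUT: update brig, keep created_at, bump last_updated_at only."""
        self.brig_user[uid].update(
            {k: v for k, v in scim_payload.items() if k in self.KNOWN_FIELDS})
        created, _ = self.scim_user_times[uid]
        self.scim_user_times[uid] = (created, now)

    def get_user(self, uid: str) -> dict:
        """GET: look the user up in brig, then synthesize the SCIM record."""
        u = self.brig_user[uid]
        created, updated = self.scim_user_times[uid]
        record = {k: u[k] for k in self.KNOWN_FIELDS if k in u}
        record["meta"] = {"created": created.isoformat(),
                          "lastModified": updated.isoformat()}
        return record

    # ---- tokens ------------------------------------------------------------
    def create_token(self, team: str, description: str) -> tuple[str, TokenInfo]:
        token = secrets.token_urlsafe(32)
        info = TokenInfo(token_id=secrets.token_hex(8), team=team, description=description)
        self.by_token[token] = info
        self.by_team.setdefault(team, {})[info.token_id] = (token, info)
        return token, info

    def authenticate(self, token: str) -> str | None:
        """token -> token info; returns the team the token provisions for."""
        info = self.by_token.get(token)
        return info.team if info else None

    def list_team_tokens(self, team: str) -> list[TokenInfo]:
        """team -> [token info]; what team settings displays (no secrets)."""
        return [info for _, info in self.by_team.get(team, {}).values()]

    def get_team_token(self, team: str, token_id: str) -> TokenInfo | None:
        """(team, token ID) -> token info."""
        entry = self.by_team.get(team, {}).get(token_id)
        return entry[1] if entry else None

    def delete_team(self, team: str) -> int:
        """Remove every token of a deleted team from both tables."""
        entries = self.by_team.pop(team, {})
        for token, _ in entries.values():
            self.by_token.pop(token, None)
        return len(entries)

    def consistent(self) -> bool:
        """Invariant: the two token tables describe exactly the same set of tokens."""
        from_team = {tok: info for rows in self.by_team.values() for tok, info in rows.values()}
        return from_team == self.by_token


def demo() -> dict:
    """Constructed scenario exercising every lookup; returns values to check."""
    s = Store()
    t0 = datetime(2020, 7, 15, 10, 59, 11, tzinfo=timezone.utc)
    s.post_user("u1", {"userName": "alice", "displayName": "Alice", "x-foo": "x"}, t0)
    first = s.get_user("u1")
    s.put_user("u1", {"displayName": "Alice B"}, t0 + timedelta(hours=1))
    second = s.get_user("u1")
    tok_a1, info_a1 = s.create_token("team-a", "okta")
    tok_a2, _ = s.create_token("team-a", "azure")
    tok_b, _ = s.create_token("team-b", "okta")
    out = {
        "dropped_unknown": "x-foo" not in s.brig_user["u1"],
        "managed_by": s.brig_user["u1"]["managed_by"],
        "first_meta": first["meta"], "second_meta": second["meta"],
        "second_name": second["displayName"],
        "auth_ok": s.authenticate(tok_a1), "auth_bad": s.authenticate("bogus"),
        "team_a_count": len(s.list_team_tokens("team-a")),
        "by_id": s.get_team_token("team-a", info_a1.token_id) is info_a1,
        "consistent_before": s.consistent(),
        "deleted": s.delete_team("team-a"),
    }
    out["a_after"] = (s.authenticate(tok_a1), s.authenticate(tok_a2))
    out["b_after"] = s.authenticate(tok_b)
    out["consistent_after"] = s.consistent()
    return out


if __name__ == "__main__":
    print(demo())
```

The `delete_team` path is why the by-team table exists: a `token -> token info` table alone would force a full scan to find the tokens of a deleted team, and a stale row left behind there would keep authenticating requests for a team that no longer exists. The `consistent()` check is the invariant a write to either table must preserve.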