New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SCIM support via laravel-scim-server package, using self-generated routes, secured by current API key system #10802
Conversation
73f1c42
to
d4a59a7
Compare
Okay - I have Authorization working now - the only API keys this will work with are Superuser ones. Any other one will throw a 403. Unfortunately, that 403 is really janky-looking, even if I add an The more controversial change I made is to remove Ziggy. I couldn't get Ziggy's This means that any Vue page that has anything to do with any other Vue page should be tested pretty thoroughly. I grepped through the code pretty thoroughly, and I couldn't find any remaining instances of the word In the process here I found a vestigial build file that isn't referenced anywhere, so I removed it. Assets should still build normally (well, they do for me...). |
app/Models/SnipeSCIMConfig.php
Outdated
'validations' => [ | ||
|
||
'urn:ietf:params:scim:schemas:core:2.0:User:userName' => 'required', | ||
'urn:ietf:params:scim:schemas:core:2.0:User:password' => 'nullable', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Our passwords are not nullable - will this conflict?
This brings up a different question - will this somehow be able to bypass the model level validation and/or settings validation? If it can, we’re in a world of hurt, since we’ll enable adding bad data, which can mean saving an object will fail later in a way we don’t expect.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
GREAT question. I don’t know. I don’t have a good SCIM test-rig, but if I can figure one out, I’ll test this - and confirm or reject it.
Model-level validation should fail if given a model that is invalid, so I’d hope that’d be caught. But hope is not certainty.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, but how we fail is important here. If we don’t have a way to communicate the errors, it will add to our support load (and confusion).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the major SCIM providers I know of, SCIM will never provide a password to the application. Generally, the passwords wont be stored with reversible encryption, and will not be provided to an SCIM endpoint.
The password would need to be nullable in the model/database. The user would only be able to successfully login with SSO at that point.
Alternatively, a welcome email could be sent instructing the user to login with a randomly generated password to access Snipe IT, or provide an activation link to enter a new password. That's how I have seen other applications implement this without SSO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough. If we need to, we can hardcode a 'xxxxxxx' password which is not possible to hash towards. We'll have to see how it stands up when Azure tries to SCIM us up, I guess?
app/Models/SnipeSCIMConfig.php
Outdated
'schema' => [Schema::SCHEMA_USER], | ||
|
||
//eager loading | ||
'withRelations' => [], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you know what this does? We generally do load users with relations, so I’m not sure what impact this might have.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Definitely not the answer I was hoping for, but I do appreciate your honesty lol
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left my comments inline - this looks amazing so far, just some concerns.
I am VERY excited for this PR!!
This looks great - How do we test it? I know @adagioajanes had mentioned he might be able to help with testing this. |
Great question, I’m not sure. I have some ideas -
|
@uberbrady I can at least stand up an instance, and connect my Azure AD to it to see what we get. I will let you know my results. |
That’d be awesome!!!! |
We're actually off to a great start. The SCIM endpoint is /SCIM/v2 which is easy enough. However, I am getting errors about attributes not being supported by Snipe IT. I went ahead and modified my mapping to only use the configured attributes you have for SCIM. But I am still getting an error from Snipe IT in Azure AD...
Can we add a configuration for the 'Login Enabled' setting on users, and tie it to this attribute? It seems like Azure AD really insists on this particular attribute's existence. |
VERY exciting! Thanks very much to you @uberbrady and especially you, @adagioajanes - your help has been invaluable through this. |
More great progress has been made. I am now able to provision new users with most of their attributes working. I believe @uberbrady said there is more work to be done on some more attributes. But this is definitely in a condition where some more testing is appropriate. @JemTaylorUHI I believe you mentioned in #10412 that you have some resources available for testing. If that offer still stands, could your team do some testing of the new SCIM features on this branch and let us know your results? Additionally, what SCIM vendor will you be using? |
That is fantastic news.
We are on Snipe-IT SaaS hosting so would need some work from Snipe-IT team to bring our installation to the right s/w version and apply changes as they are developed. But apart from that, this is very timely for us as we need to provision students as well as staff, in a way that would be difficult using LDAP sync. We might be best to have a development instance copied from our existing instance for the duration of trials.
So, I would spend time on this myself as well as involving Alistair my Identity Engineer if this approach is viable.
We want to use the Azure AD toolset.
Best
Jem
Jem Taylor MA MBCS Head of Strategy & Development, UHI Learning & Information
|
Hi @JemTaylorUHI - it’s not standard for us to set up customers with development instances (particularly because they can be buggy, as development branches sometimes are). Since this is additive, I’m more inclined to put this into production for v6 and then refine as we move forward. @adagioajanes has been super helpful with testing Azure, and although there are still some warts here, I’m mostly okay with this as-is. We’re seeing some errors and inconsistencies from one of the library dependencies for the SCIM server, so it’s very possible that we may end up doing a rewrite of the guts of this, but we are also MUCH better versed in how the SCIM protocol works now, so we’re in a way better position to roll our own if needed. |
Sounds good and happy to test.
At the moment we use an Azure AD non-gallery enterprise app for SAML SSO. To use it for SCIM provisioning we would need a long lived OAuth bearer token. Once the token expires, provisioning is quarantined until someone manually generates a new token so a token that lasts an hour or a day would not be suitable. Another system we integrate with using AAD can produce a 365 day bearer token.
OAuth authorization code grant is not supported on AAD non-gallery apps so we can't use it, unless we developed our own gallery app, or the community provided a gallery app.
OAuth client credentials grant is not supported by AAD at all.
If we can't generate a long lived OAuth bearer token the other option would be to plumb the SCIM endpoint into our non AAD integration flow. It basically does the same as AAD provisioning but using standard OAuth security without long lived tokens and is fed continually by our student records system via Azure Service Bus/Functions.
cheers,
Alistair
…________________________________________
From: Jem Taylor ***@***.***>
Sent: 27 March 2022 10:48
To: snipe/snipe-it; snipe/snipe-it
Cc: Mention; Alistair Young
Subject: RE: [snipe/snipe-it] SCIM support via laravel-scim-server package, using self-generated routes, secured by current API key system (PR #10802)
That is fantastic news.
We are on Snipe-IT SaaS hosting so would need some work from Snipe-IT team to bring our installation to the right s/w version and apply changes as they are developed. But apart from that, this is very timely for us as we need to provision students as well as staff, in a way that would be difficult using LDAP sync. We might be best to have a development instance copied from our existing instance for the duration of trials.
So, I would spend time on this myself as well as involving Alistair my Identity Engineer if this approach is viable.
We want to use the Azure AD toolset.
Best
Jem
Jem Taylor MA MBCS Head of Strategy & Development, UHI Learning & Information Services<http://www.uhi.ac.uk/en/lis> | 01463279322<tel:01463279322>
Flexible Working: I may send or reply to emails at a time to suit me – but please don’t respond until a time that suits you.
From: Alex Janes ***@***.***>
Sent: 25 March 2022 17:58
To: snipe/snipe-it ***@***.***>
Cc: Jem Taylor ***@***.***>; Mention ***@***.***>
Subject: Re: [snipe/snipe-it] SCIM support via laravel-scim-server package, using self-generated routes, secured by current API key system (PR #10802)
Warning. This email contains web links and originates from outside of the University.
You should only click on these links if you are certain that the email is genuine and the content is safe.
More great progress has been made. I am now able to provision new users with most of their attributes working. I believe @uberbrady<https://github.com/uberbrady> said there is more work to be done on some more attributes. But this is definitely in a condition where some more testing is appropriate.
@JemTaylorUHI<https://github.com/JemTaylorUHI> I believe you mentioned in #10412<#10412> that you have some resources available for testing. If that offer still stands, could your team do some testing of the new SCIM features on this branch and let us know your results? Additionally, what SCIM vendor will you be using?
—
Reply to this email directly, view it on GitHub<#10802 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AW5LBPBESQSBHJB7SRPSXOTVBX5DJANCNFSM5QHPMF3Q>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
|
@JemTaylorUHI So far, SCIM testing has worked for me using the API token I generated with a global admin. Expiration is controlled by Snipe IT at token creation. I haven't needed to utilize any additional OAuth features in Azure AD to make this work. Perhaps there is a feature or functionality you are talking about that I am not familiar with? |
Ooops - I forwarded your email to Alistair and he replied to me but also cc: to github. You can safely ignore his comments which are a bit out of context! |
Hello. That looks very good. Just one question, will it support other vendors, like Jumpcloud to use SCIM? Thanks. |
It should, yes. We avoid vendor-specific integrations wherever possible - but it also depends on the vendor’s implementation. If they follow the correct protocol, it should work. |
Thanks everyone for all your convo and participation in this discussion! @uberbrady ended up creating a new PR for this (squashed), and it's now merged onto |
So this does do a correct API auth check on the bearer token - which is what we want. But I'm not sure that it checks for the right permissions here. It could be fair to say that the token needs to have edit, update, list, delete - as that's what the library wants. Basically you need full dominion over the Users section for your token to work here.
BUT - if you use no token on one of the protected routes, or you use an incorrect token, you get the correct (401-style) responses. So this feels like the right general direction.
Leaving it as draft because though I may have Authn (Authentication), I'm definitely not sure about Authz (Authorization).