
SCIM #2826

Draft

GregorShear wants to merge 5 commits into master from greg/sso-5

Conversation

@GregorShear (Contributor)

Summary

  • Add SCIM 2.0 API endpoints for partial user deprovisioning, allowing enterprise IdPs (Okta, Entra, etc.) to automatically revoke access when users are removed
  • Implement bearer token authentication via SHA-256 hashed tokens stored in a new internal.scim_tokens table, scoped per-tenant
  • Support SCIM discovery endpoints (ServiceProviderConfig, Schemas, ResourceTypes) for IdP setup, and User endpoints (list, get, patch) for deprovisioning
  • Deprovisioning (PATCH active=false) revokes user grants, refresh tokens, and auth sessions in a single transaction

Details

New files:

  • scim/mod.rs — Router, ScimContext extractor (token auth + tenant resolution), rejection types
  • scim/discovery.rs — Static SCIM capability discovery responses
  • scim/users.rs — List/get/patch user handlers; only active=false patch is supported
  • Migration 20260330120000_scim_tokens.sql: internal.scim_tokens table with unique index on token hash

Scope: This is intentionally a deprovisioning-only SCIM implementation — no user creation, no group management. Users are scoped to the tenant's SSO provider via auth.identities.

Test plan

  • Verify discovery endpoints return valid SCIM JSON without auth
  • Verify user endpoints reject requests without a valid bearer token
  • Test list users with and without userName eq "..." filter
  • Test PATCH deprovisioning: grants, refresh tokens, and sessions are deleted
  • Test token rotation (multiple tokens per tenant)
  • Run supabase db reset to verify migration applies cleanly

```rust
let gotrue_response = ctx
    .app
    .http_client
    .post(format!("{}/admin/users", ctx.app.gotrue_url))
```
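
A second added example, again not code from this PR: the two input checks the user endpoints in the Summary and Details need, the `userName eq "..."` filter from the test plan and the PATCH body for `active=false`. `Value` and `PatchOp` are a hypothetical stand-in for the JSON the real handlers would deserialize; accepting the `"False"` string and the path-less `{"active": false}` object form reflects observed Entra ID and Okta behaviour, not anything stated in this PR. Scoping the matched user to the tenant's SSO provider via auth.identities, as the Details describe, belongs in the query and is not shown here.

```rust
/// Errors the handlers would map to SCIM responses: 400 with scimType invalidFilter or
/// invalidValue, and 501 for operations this deprovisioning-only API does not offer.
#[derive(Debug, PartialEq)]
pub enum ScimError {
    InvalidFilter(String),
    InvalidValue(String),
    Unsupported(String),
}

/// Case-insensitive prefix strip: SCIM attribute names and operators are case-insensitive.
fn strip_ci<'a>(s: &'a str, prefix: &str) -> Option<&'a str> {
    let n = prefix.len();
    if s.len() >= n && s.is_char_boundary(n) && s[..n].eq_ignore_ascii_case(prefix) { Some(&s[n..]) } else { None }
}

/// Parse a double-quoted value with JSON-style `\"` and `\\` escapes. Nothing but whitespace
/// may follow the closing quote, so a compound filter like `... or userName eq "b"` is refused.
fn parse_quoted(s: &str) -> Option<String> {
    let mut chars = s.chars();
    if chars.next()? != '"' { return None; }
    let mut out = String::new();
    loop {
        match chars.next()? {
            '"' => break,
            '\\' => match chars.next()? {
                '"' => out.push('"'),
                '\\' => out.push('\\'),
                _ => return None,
            },
            c => out.push(c),
        }
    }
    if chars.as_str().trim().is_empty() { Some(out) } else { None }
}

/// The only filter the list endpoint honours: `userName eq "<value>"`.
pub fn parse_username_filter(filter: &str) -> Result<String, ScimError> {
    let err = || ScimError::InvalidFilter(format!("unsupported filter: {}", filter));
    let rest = strip_ci(filter.trim(), "userName").ok_or_else(err)?;
    // the attribute must be a whole token, so `userNameX eq ...` fails on the next line
    let rest = rest.strip_prefix(char::is_whitespace).ok_or_else(err)?.trim_start();
    let rest = strip_ci(rest, "eq").ok_or_else(err)?;
    let rest = rest.strip_prefix(char::is_whitespace).ok_or_else(err)?.trim_start();
    parse_quoted(rest).ok_or_else(err)
}

/// Just enough of JSON to model one entry of a PATCH `Operations` array (hypothetical).
#[derive(Debug, Clone, PartialEq)]
pub enum Value {
    Bool(bool),
    Str(String),
    Object(Vec<(String, Value)>),
}

#[derive(Debug, Clone, PartialEq)]
pub struct PatchOp {
    pub op: String,
    pub path: Option<String>,
    pub value: Value,
}

/// Booleans arrive as JSON true/false or as the strings "True"/"False" (Entra ID has been
/// observed to send the string form); anything else is not a boolean.
fn as_bool(v: &Value) -> Option<bool> {
    match v {
        Value::Bool(b) => Some(*b),
        Value::Str(s) if s.eq_ignore_ascii_case("false") => Some(false),
        Value::Str(s) if s.eq_ignore_ascii_case("true") => Some(true),
        _ => None,
    }
}

/// Accept the body only if every operation replaces `active` with false, either as
/// `path: "active"` (Entra style) or as `value: {"active": false}` with no path (Okta style).
/// Any other op, attribute or value is refused, so a SCIM token can deprovision and nothing else.
pub fn validate_deprovision_patch(ops: &[PatchOp]) -> Result<(), ScimError> {
    if ops.is_empty() {
        return Err(ScimError::InvalidValue("Operations must not be empty".into()));
    }
    for op in ops {
        if !op.op.eq_ignore_ascii_case("replace") {
            return Err(ScimError::Unsupported(format!("op {:?} is not supported", op.op)));
        }
        let active = match (op.path.as_deref(), &op.value) {
            (Some(p), v) if p.eq_ignore_ascii_case("active") => as_bool(v),
            (None, Value::Object(fields)) if fields.len() == 1 && fields[0].0.eq_ignore_ascii_case("active") => as_bool(&fields[0].1),
            _ => None,
        };
        match active {
            Some(false) => {}
            Some(true) => return Err(ScimError::Unsupported("reactivation is not supported".into())),
            None => return Err(ScimError::Unsupported("only replacing active with false is supported".into())),
        }
    }
    Ok(())
}
```

The strictness is the point: an object carrying `active` plus any other attribute, an `add` or `remove` op, or `active: true` all fail closed, which keeps the blast radius of a stolen SCIM token at "can deprovision" rather than "can edit or reinstate accounts". Only after `validate_deprovision_patch` returns `Ok` would the handler run the single transaction that revokes grants, refresh tokens and sessions.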
GregorShear changed the title from "SCIM deprovisioning" to "SCIM" on Apr 7, 2026