ForteFibre/nextcloud-scim-provider

Nextcloud SCIM Provider

Cloudflare Workers + Hono based SCIM 2.0 bridge for provisioning authentik users and groups into Nextcloud through the OCS Provisioning API.

Setup

This provider is stateless. It does not use Cloudflare KV or any other local state store; Nextcloud is the source of truth.

Configure public variables:

NEXTCLOUD_BASE_URL=https://cloud.example.com
NEXTCLOUD_ADMIN_USER=scim-admin

Configure secrets:

pnpm wrangler secret put SCIM_BEARER_TOKEN
pnpm wrangler secret put NEXTCLOUD_ADMIN_PASSWORD

Use a dedicated Nextcloud admin account and an app password for NEXTCLOUD_ADMIN_PASSWORD.

authentik

Set the SCIM provider URL to:

https://<worker-host>/scim/v2

Use bearer-token authentication with the same value stored in SCIM_BEARER_TOKEN.
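The check every authentik request to /scim/v2 has to pass, written out as an added example (this is not the project's own code; Hono ships a bearerAuth middleware in hono/bearer-auth that does the same job). It compares the presented token with SCIM_BEARER_TOKEN in constant time and fails closed when the secret is unset. The names authorizeBearer, constantTimeEqual and AuthResult are this example's own.

```typescript
// Added example, not the project's own code. Checks the Authorization header
// of an incoming SCIM request against the SCIM_BEARER_TOKEN secret.

export type AuthResult =
  | { ok: true }
  | { ok: false; status: 401; reason: string };

// Compare two strings without short-circuiting on the first mismatch, so the
// time taken does not reveal how many leading bytes matched. (A length
// mismatch still fails, but the loop always walks the longer input.)
export function constantTimeEqual(a: string, b: string): boolean {
  const enc = new TextEncoder();
  const ab = enc.encode(a);
  const bb = enc.encode(b);
  let diff = ab.length ^ bb.length;
  const n = Math.max(ab.length, bb.length);
  for (let i = 0; i < n; i++) {
    diff |= (ab[i] ?? 0) ^ (bb[i] ?? 0);
  }
  return diff === 0;
}

export function authorizeBearer(
  authorizationHeader: string | null | undefined,
  expectedToken: string | undefined,
): AuthResult {
  // An unset secret must fail closed: an empty header must never match an empty token.
  if (!expectedToken) {
    return { ok: false, status: 401, reason: "SCIM_BEARER_TOKEN is not configured" };
  }
  if (!authorizationHeader) {
    return { ok: false, status: 401, reason: "missing Authorization header" };
  }
  // The auth-scheme name is case-insensitive (RFC 7235); the token is one non-empty word.
  const m = /^Bearer\s+(\S+)$/i.exec(authorizationHeader.trim());
  if (!m) {
    return { ok: false, status: 401, reason: "expected Bearer scheme" };
  }
  if (!constantTimeEqual(m[1], expectedToken)) {
    return { ok: false, status: 401, reason: "invalid token" };
  }
  return { ok: true };
}
```

In a Worker this belongs in middleware mounted ahead of every /scim/v2 route, reading the secret from the Hono environment binding; the 401 reply should carry a WWW-Authenticate: Bearer header so authentik logs a clear authentication failure rather than a generic error.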

Email Behavior

Email is required when creating a user. The provider selects:

  1. the emails[] entry with primary: true
  2. otherwise, the first emails[] entry with a non-empty value

If no valid email is present, user creation fails with SCIM 400 invalidValue. The selected email is sent to Nextcloud as email, and the password field is left empty so Nextcloud sends the welcome email/password setup link.

Email updates through SCIM PUT /Users/:id and PATCH /Users/:id are forwarded to Nextcloud. Email removal is rejected because welcome-email provisioning and account recovery require an email.
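The selection and removal rules above as an added example (not the project's own code): selectEmail applies the two-step rule for POST, and emailFromPut / emailFromPatch reuse it so that an update may change the address but never drop it. One choice this example makes that the README does not spell out: a primary entry whose value is empty is skipped and the first non-empty entry is taken instead. Error bodies follow the RFC 7644 error schema; the function and type names are this example's own.

```typescript
// Added example, not the project's own code. Implements the README's email
// rules for POST, PUT and PATCH on /Users.

export interface ScimEmail {
  value?: string;
  primary?: boolean;
  type?: string;
}

export interface ScimError {
  schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"];
  status: string;
  scimType?: string;
  detail: string;
}

export type EmailChoice = { email: string } | { error: ScimError };

export interface PatchOperation {
  op: string;
  path?: string;
  value?: unknown;
}

function scimError(status: number, scimType: string, detail: string): ScimError {
  return { schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"], status: String(status), scimType, detail };
}

function nonEmpty(e: ScimEmail): e is ScimEmail & { value: string } {
  return typeof e.value === "string" && e.value.trim().length > 0;
}

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null;
}

// 1. the emails[] entry with primary: true (only if it carries a value)
// 2. otherwise the first emails[] entry with a non-empty value
// Neither present: SCIM 400 invalidValue, so no user is created without an email.
export function selectEmail(emails: ScimEmail[] | undefined): EmailChoice {
  const valid = (emails ?? []).filter(nonEmpty);
  const chosen = valid.find((e) => e.primary === true) ?? valid[0];
  if (chosen) return { email: chosen.value.trim() };
  return { error: scimError(400, "invalidValue", "A non-empty emails[].value is required") };
}

// PUT replaces the whole resource: a body without a usable email would remove it.
export function emailFromPut(body: { emails?: ScimEmail[] }): EmailChoice {
  const choice = selectEmail(body.emails);
  return "error" in choice ? { error: scimError(400, "invalidValue", "Email removal is rejected") } : choice;
}

// PATCH: walk the operations, apply those that touch emails, and reject any that
// would leave the account without an address.
export function emailFromPatch(current: string, ops: PatchOperation[]): EmailChoice {
  let email = current;
  for (const o of ops) {
    const op = o.op.toLowerCase();
    const path = (o.path ?? "").toLowerCase();
    let candidate: ScimEmail[] | undefined;
    if (path === "emails") {
      candidate = op === "remove" ? [] : (o.value as ScimEmail[] | undefined);
    } else if (path === "" && isRecord(o.value) && "emails" in o.value) {
      candidate = o.value.emails as ScimEmail[] | undefined; // pathless op with an emails member
    } else if (path.startsWith("emails")) {
      // Filtered sub-paths such as emails[type eq "work"].value are not handled here.
      return { error: scimError(400, "invalidPath", `Unsupported path: ${o.path}`) };
    } else {
      continue; // this operation does not touch emails
    }
    const choice = selectEmail(candidate);
    if ("error" in choice) {
      return { error: scimError(400, "invalidValue", "Email removal is rejected") };
    }
    email = choice.email;
  }
  return { email };
}
```

The email that comes out of these functions is what goes to Nextcloud as the email attribute; on create the password is still left empty so Nextcloud sends its welcome mail, which is exactly why the removal path has to be closed.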

Supported SCIM Operations

  • GET /scim/v2/ServiceProviderConfig
  • GET /scim/v2/Schemas
  • GET /scim/v2/ResourceTypes
  • GET|POST /scim/v2/Users
  • GET|PUT|PATCH|DELETE /scim/v2/Users/:id
  • GET|POST /scim/v2/Groups
  • GET|PUT|PATCH|DELETE /scim/v2/Groups/:id

Supported list filters:

  • userName eq "..."
  • externalId eq "..."
  • emails.value eq "..."
  • displayName eq "..."
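A parser for exactly these four filters, as an added example that is not the project's own code. parseListFilter accepts only the form <attribute> eq "value", rejects every other operator, conjunction or attribute with SCIM 400 invalidFilter, and never lets the raw filter string reach the Nextcloud request. buildOcsUrl then maps a parsed filter onto the OCS Provisioning API: userName and externalId become a userid lookup (the README says externalId lookups are treated that way; that the userid is simply the trimmed userName is this example's simplification), while emails.value and displayName go through the OCS users search endpoint, which this example assumes is usable for locating candidates that the caller then compares exactly. The names parseListFilter, buildOcsUrl, SUPPORTED_FILTER_ATTRIBUTES and the types are this example's own.

```typescript
// Added example, not the project's own code. Parses the four list filters the
// README supports and turns them into a Nextcloud OCS Provisioning API lookup.

export interface ScimError {
  schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"];
  status: string;
  scimType?: string;
  detail: string;
}

function scimError(status: number, scimType: string, detail: string): ScimError {
  return { schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"], status: String(status), scimType, detail };
}

export const SUPPORTED_FILTER_ATTRIBUTES = ["userName", "externalId", "emails.value", "displayName"] as const;
export type FilterAttribute = (typeof SUPPORTED_FILTER_ATTRIBUTES)[number];

export interface ParsedFilter {
  attribute: FilterAttribute;
  value: string;
}
export type FilterResult = { filter: ParsedFilter | null } | { error: ScimError };

// Accepted grammar:  <attribute> eq "<value>"
// Attribute names and the operator are case-insensitive (RFC 7644 section 3.4.2.2);
// the value is a double-quoted string with \" and \\ escapes. No other operators,
// conjunctions or grouping are accepted, so the whole string must match.
const FILTER_RE = /^\s*([A-Za-z][A-Za-z0-9_.]*)\s+eq\s+"((?:[^"\\]|\\.)*)"\s*$/i;

export function parseListFilter(filter: string | null | undefined): FilterResult {
  if (filter == null || filter.trim() === "") {
    return { filter: null }; // no filter: plain list
  }
  const m = FILTER_RE.exec(filter);
  if (!m) {
    return { error: scimError(400, "invalidFilter", 'Only <attribute> eq "value" filters are supported') };
  }
  const attribute = SUPPORTED_FILTER_ATTRIBUTES.find((a) => a.toLowerCase() === m[1].toLowerCase());
  if (!attribute) {
    return { error: scimError(400, "invalidFilter", `Unsupported filter attribute: ${m[1]}`) };
  }
  const value = m[2].replace(/\\(.)/g, "$1"); // undo the \" and \\ escapes
  if (value === "") {
    return { error: scimError(400, "invalidFilter", "Filter value must not be empty") };
  }
  return { filter: { attribute, value } };
}

// Map a parsed filter onto the OCS user endpoints. Assumes NEXTCLOUD_BASE_URL is
// an origin with no path component. The search endpoint matches substrings, so the
// caller must still compare each hit's email or display name exactly.
export function buildOcsUrl(baseUrl: string, f: ParsedFilter): string {
  if (f.attribute === "userName" || f.attribute === "externalId") {
    // The value is a path segment: encode it so "a/b" cannot reach a different route.
    return new URL("/ocs/v1.php/cloud/users/" + encodeURIComponent(f.value.trim()), baseUrl).toString();
  }
  const url = new URL("/ocs/v1.php/cloud/users", baseUrl);
  url.searchParams.set("search", f.value); // URLSearchParams percent-encodes the value
  return url.toString();
}
```

Keeping the grammar this narrow is what makes the filter safe to forward: the only thing that ever reaches Nextcloud is a single encoded value in a fixed position, never an operator or attribute name chosen by the client.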

Provisioning Notes

  • SCIM User id is the Nextcloud userid, derived from SCIM userName.
  • The provider trusts the user ID supplied by the SCIM client. externalId eq "..." lookups are treated as lookups by that same Nextcloud userid; arbitrary externalId values are not persisted.
  • User and group list responses are built by querying Nextcloud directly.
  • Changing userName after creation is rejected.
  • active=false disables the Nextcloud user.
  • DELETE /Users/:id also disables the user; it never deletes Nextcloud user data.
  • DELETE /Groups/:id deletes the Nextcloud group only.
  • Bulk SCIM, Enterprise User extension fields, password sync, and subadmin management are not implemented.
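The userName-immutability, active and DELETE rules from the notes above as an added example (not the project's own code): planUserReplace and planUserDelete decide which OCS Provisioning API calls a PUT or DELETE handler would make, without performing them. The OCS routes used (PUT .../users/{userid} with key/value, PUT .../users/{userid}/enable and /disable) are the documented Nextcloud provisioning endpoints, but whether the project calls them in this exact form is an assumption, as is the simplification that the userid equals the trimmed userName and that active=true re-enables a disabled user. The names deriveUserId, planUserReplace, planUserDelete, OcsCall and NextcloudUser are this example's own.

```typescript
// Added example, not the project's own code. Encodes the lifecycle rules from
// "Provisioning Notes" as decisions a PUT or DELETE handler would make before
// calling the Nextcloud OCS Provisioning API.

export interface ScimError {
  schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"];
  status: string;
  scimType?: string;
  detail: string;
}

function scimError(status: number, scimType: string, detail: string): ScimError {
  return { schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"], status: String(status), scimType, detail };
}

export interface NextcloudUser {
  id: string; // Nextcloud userid, which is also the SCIM id
  enabled: boolean;
}

export interface UserReplaceBody {
  userName?: string;
  active?: boolean;
  displayName?: string;
}

export type OcsCall =
  | { method: "PUT"; path: string } // .../enable or .../disable
  | { method: "PUT"; path: string; key: string; value: string }; // attribute change

export type PlanResult = { calls: OcsCall[] } | { error: ScimError };

// The README says the SCIM id is derived from userName but not how; this example
// assumes the trimmed userName is the userid.
export function deriveUserId(userName: string): string {
  return userName.trim();
}

export function planUserReplace(existing: NextcloudUser, body: UserReplaceBody): PlanResult {
  if (body.userName !== undefined && deriveUserId(body.userName) !== existing.id) {
    // userName is immutable after creation: SCIM 400 with scimType "mutability".
    return { error: scimError(400, "mutability", "userName cannot be changed after creation") };
  }
  const base = `/ocs/v1.php/cloud/users/${encodeURIComponent(existing.id)}`;
  const calls: OcsCall[] = [];
  if (body.displayName !== undefined) {
    calls.push({ method: "PUT", path: base, key: "displayname", value: body.displayName });
  }
  // active=false disables the user; the reverse transition is this example's assumption.
  if (body.active !== undefined && body.active !== existing.enabled) {
    calls.push({ method: "PUT", path: `${base}/${body.active ? "enable" : "disable"}` });
  }
  return { calls };
}

// DELETE /Users/:id only disables; Nextcloud user data is never removed here.
export function planUserDelete(existing: NextcloudUser): OcsCall[] {
  if (!existing.enabled) return []; // already disabled: nothing to do, stays idempotent
  return [{ method: "PUT", path: `/ocs/v1.php/cloud/users/${encodeURIComponent(existing.id)}/disable` }];
}
```

Separating the decision from the HTTP call keeps the rule set testable without a Nextcloud instance and makes it obvious in review that no code path ever issues a DELETE against the OCS users endpoint.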

Development

pnpm install
pnpm test
pnpm exec tsc --noEmit
pnpm run dev

About

Nextcloud SCIM provider using Cloudflare Workers
