zitadel/internal/api/scim/metadata/metadata.go

package metadata

import (
	"context"
	"strings"

	"github.com/zitadel/zitadel/internal/query"
)

type Key string
type ScopedKey string

const (
	externalIdProvisioningDomainPlaceholder = "{provisioningDomain}"

	KeyPrefix                     = "urn:zitadel:scim:"
	KeyProvisioningDomain     Key = KeyPrefix + "provisioningDomain"
	KeyIgnorePasswordOnCreate Key = KeyPrefix + "ignorePasswordOnCreate"

	KeyExternalId               Key = KeyPrefix + "externalId"
	keyScopedExternalIdTemplate     = KeyPrefix + externalIdProvisioningDomainPlaceholder + ":externalId"
	KeyMiddleName               Key = KeyPrefix + "name.middleName"
	KeyHonorificPrefix          Key = KeyPrefix + "name.honorificPrefix"
	KeyHonorificSuffix          Key = KeyPrefix + "name.honorificSuffix"
	KeyProfileUrl               Key = KeyPrefix + "profileUrl"
	KeyTitle                    Key = KeyPrefix + "title"
	KeyLocale                   Key = KeyPrefix + "locale"
	KeyTimezone                 Key = KeyPrefix + "timezone"
	KeyIms                      Key = KeyPrefix + "ims"
	KeyPhotos                   Key = KeyPrefix + "photos"
	KeyAddresses                Key = KeyPrefix + "addresses"
	KeyEntitlements             Key = KeyPrefix + "entitlements"
	KeyRoles                    Key = KeyPrefix + "roles"
	KeyEmails                   Key = KeyPrefix + "emails"
)

var (
	ScimUserRelevantMetadataKeys = []Key{
		KeyExternalId,
		KeyMiddleName,
		KeyHonorificPrefix,
		KeyHonorificSuffix,
		KeyProfileUrl,
		KeyTitle,
		KeyLocale,
		KeyTimezone,
		KeyIms,
		KeyPhotos,
		KeyAddresses,
		KeyEntitlements,
		KeyRoles,
		KeyEmails,
	}

	AttributePathToMetadataKeys = map[string][]Key{
		"externalid":           {KeyExternalId},
		"name":                 {KeyMiddleName, KeyHonorificPrefix, KeyHonorificSuffix},
		"name.middlename":      {KeyMiddleName},
		"name.honorificprefix": {KeyHonorificPrefix},
		"name.honorificsuffix": {KeyHonorificSuffix},
		"profileurl":           {KeyProfileUrl},
		"title":                {KeyTitle},
		"locale":               {KeyLocale},
		"timezone":             {KeyTimezone},
		"ims":                  {KeyIms},
		"photos":               {KeyPhotos},
		"addresses":            {KeyAddresses},
		"entitlements":         {KeyEntitlements},
		"roles":                {KeyRoles},
		"emails":               {KeyEmails},
	}
)

func ScopeExternalIdKey(provisioningDomain string) ScopedKey {
	return ScopedKey(strings.Replace(keyScopedExternalIdTemplate, externalIdProvisioningDomainPlaceholder, provisioningDomain, 1))
}

func ScopeKey(ctx context.Context, key Key) ScopedKey {
	// only the externalID is scoped
	if key == KeyExternalId {
		return GetScimContextData(ctx).ExternalIDScopedMetadataKey
	}

	return ScopedKey(key)
}

func MapToScopedKeyMap(md map[string][]byte) map[ScopedKey][]byte {
	result := make(map[ScopedKey][]byte, len(md))
	for k, v := range md {
		result[ScopedKey(k)] = v
	}

	return result
}

func MapListToScopedKeyMap(metadataList []*query.UserMetadata) map[ScopedKey][]byte {
	metadataMap := make(map[ScopedKey][]byte, len(metadataList))
	for _, entry := range metadataList {
		metadataMap[ScopedKey(entry.Key)] = entry.Value
	}

	return metadataMap
}
feat: create user scim v2 endpoint (#9132) # Which Problems Are Solved - Adds infrastructure code (basic implementation, error handling, middlewares, ...) to implement the SCIM v2 interface - Adds support for the user create SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user create SCIM v2 endpoint under `POST /scim/v2/{orgID}/Users` # Additional Context Part of #8140 2025-01-09 12:46:36 +01:00			`package metadata`

			`import (`
			`"context"`
			`"strings"`
feat: patch user scim v2 endpoint (#9219) # Which Problems Are Solved * Adds support for the patch user SCIM v2 endpoint # How the Problems Are Solved * Adds support for the patch user SCIM v2 endpoint under `PATCH /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-27 13:36:07 +01:00
			`"github.com/zitadel/zitadel/internal/query"`
feat: create user scim v2 endpoint (#9132) # Which Problems Are Solved - Adds infrastructure code (basic implementation, error handling, middlewares, ...) to implement the SCIM v2 interface - Adds support for the user create SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user create SCIM v2 endpoint under `POST /scim/v2/{orgID}/Users` # Additional Context Part of #8140 2025-01-09 12:46:36 +01:00			`)`

			`type Key string`
			`type ScopedKey string`

			`const (`
			`externalIdProvisioningDomainPlaceholder = "{provisioningDomain}"`

fix(scim): add a metadata config to ignore random password sent during SCIM create (#10296) <!-- Please inform yourself about the contribution guidelines on submitting a PR here: https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr. Take note of how PR/commit titles should be written and replace the template texts in the sections below. Don't remove any of the sections. It is important that the commit history clearly shows what is changed and why. Important: By submitting a contribution you agree to the terms from our Licensing Policy as described here: https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions. --> # Which Problems Are Solved Okta sends a random password in the request to create a user during SCIM provisioning, irrespective of whether the `Sync Password` option is enabled or disabled on Okta, and this password does not comply with the default password complexity set in Zitadel. This PR adds a workaround to create users without issues in such cases. # How the Problems Are Solved - A new metadata configuration called `urn:zitadel:scim:ignorePasswordOnCreate` is added to the Machine User that is used for provisioning - During SCIM user creation requests, if the `urn:zitadel:scim:ignorePasswordOnCreate` is set to `true` in the Machine User's metadata, the password set in the create request is ignored # Additional Changes # Additional Context The random password is ignored (if set in the metadata) only during customer creation. This change does not affect SCIM password updates. - Closes #10009 --------- Co-authored-by: Marco A. <marco@zitadel.com> 2025-07-23 10:47:05 +02:00			`KeyPrefix = "urn:zitadel:scim:"`
			`KeyProvisioningDomain Key = KeyPrefix + "provisioningDomain"`
			`KeyIgnorePasswordOnCreate Key = KeyPrefix + "ignorePasswordOnCreate"`
feat: create user scim v2 endpoint (#9132) # Which Problems Are Solved - Adds infrastructure code (basic implementation, error handling, middlewares, ...) to implement the SCIM v2 interface - Adds support for the user create SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user create SCIM v2 endpoint under `POST /scim/v2/{orgID}/Users` # Additional Context Part of #8140 2025-01-09 12:46:36 +01:00
			`KeyExternalId Key = KeyPrefix + "externalId"`
			`keyScopedExternalIdTemplate = KeyPrefix + externalIdProvisioningDomainPlaceholder + ":externalId"`
			`KeyMiddleName Key = KeyPrefix + "name.middleName"`
			`KeyHonorificPrefix Key = KeyPrefix + "name.honorificPrefix"`
			`KeyHonorificSuffix Key = KeyPrefix + "name.honorificSuffix"`
fix: unified scim metadata key casing (#9244) # Which Problems Are Solved - SCIM user metadata mapping keys have differing case styles. # How the Problems Are Solved - key casing style is unified to strict camelCase # Additional Context Part of #8140 Although this is technically a breaking change, it is considered acceptable because the SCIM feature is still in the preview stage and not fully implemented yet. Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> 2025-01-27 14:51:58 +01:00			`KeyProfileUrl Key = KeyPrefix + "profileUrl"`
feat: create user scim v2 endpoint (#9132) # Which Problems Are Solved - Adds infrastructure code (basic implementation, error handling, middlewares, ...) to implement the SCIM v2 interface - Adds support for the user create SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user create SCIM v2 endpoint under `POST /scim/v2/{orgID}/Users` # Additional Context Part of #8140 2025-01-09 12:46:36 +01:00			`KeyTitle Key = KeyPrefix + "title"`
			`KeyLocale Key = KeyPrefix + "locale"`
			`KeyTimezone Key = KeyPrefix + "timezone"`
			`KeyIms Key = KeyPrefix + "ims"`
			`KeyPhotos Key = KeyPrefix + "photos"`
			`KeyAddresses Key = KeyPrefix + "addresses"`
			`KeyEntitlements Key = KeyPrefix + "entitlements"`
			`KeyRoles Key = KeyPrefix + "roles"`
fix(scim): add type attribute to ScimEmail (#9690) # Which Problems Are Solved - SCIM PATCH operations for users from Entra ID for the `emails` attribute fails due to missing `type` subattribute # How the Problems Are Solved - Adds the `type` attribute to the `ScimUser` struct and sets the default value to `"work"` in the `mapWriteModelToScimUser()` method. # Additional Changes # Additional Context The SCIM handlers for POST and PUT ignore multiple emails and only uses the primary email for a given user, or falls back to the first email if none are marked as primary. PATCH operations however, will attempt to resolve the provided filter in `operations[].path`. Some services, such as Entra ID, only support patching emails by filtering for `emails[type eq "(work\|home\|other)"].value`, which fails with Zitadel as the ScimUser struct (and thus the generated schema) doesn't include the `type` field. This commit adds the `type` field to work around this issue, while still preserving compatibility with filters such as `emails[primary eq true].value`. - https://discord.com/channels/927474939156643850/927866013545025566/1356556668527448191 --------- Co-authored-by: Christer Edvartsen <christer.edvartsen@nav.no> Co-authored-by: Thomas Siegfried Krampl <thomas.siegfried.krampl@nav.no> 2025-06-19 11:42:44 +02:00			`KeyEmails Key = KeyPrefix + "emails"`
feat: create user scim v2 endpoint (#9132) # Which Problems Are Solved - Adds infrastructure code (basic implementation, error handling, middlewares, ...) to implement the SCIM v2 interface - Adds support for the user create SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user create SCIM v2 endpoint under `POST /scim/v2/{orgID}/Users` # Additional Context Part of #8140 2025-01-09 12:46:36 +01:00			`)`

feat: patch user scim v2 endpoint (#9219) # Which Problems Are Solved * Adds support for the patch user SCIM v2 endpoint # How the Problems Are Solved * Adds support for the patch user SCIM v2 endpoint under `PATCH /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-27 13:36:07 +01:00			`var (`
			`ScimUserRelevantMetadataKeys = []Key{`
			`KeyExternalId,`
			`KeyMiddleName,`
			`KeyHonorificPrefix,`
			`KeyHonorificSuffix,`
			`KeyProfileUrl,`
			`KeyTitle,`
			`KeyLocale,`
			`KeyTimezone,`
			`KeyIms,`
			`KeyPhotos,`
			`KeyAddresses,`
			`KeyEntitlements,`
			`KeyRoles,`
fix(scim): add type attribute to ScimEmail (#9690) # Which Problems Are Solved - SCIM PATCH operations for users from Entra ID for the `emails` attribute fails due to missing `type` subattribute # How the Problems Are Solved - Adds the `type` attribute to the `ScimUser` struct and sets the default value to `"work"` in the `mapWriteModelToScimUser()` method. # Additional Changes # Additional Context The SCIM handlers for POST and PUT ignore multiple emails and only uses the primary email for a given user, or falls back to the first email if none are marked as primary. PATCH operations however, will attempt to resolve the provided filter in `operations[].path`. Some services, such as Entra ID, only support patching emails by filtering for `emails[type eq "(work\|home\|other)"].value`, which fails with Zitadel as the ScimUser struct (and thus the generated schema) doesn't include the `type` field. This commit adds the `type` field to work around this issue, while still preserving compatibility with filters such as `emails[primary eq true].value`. - https://discord.com/channels/927474939156643850/927866013545025566/1356556668527448191 --------- Co-authored-by: Christer Edvartsen <christer.edvartsen@nav.no> Co-authored-by: Thomas Siegfried Krampl <thomas.siegfried.krampl@nav.no> 2025-06-19 11:42:44 +02:00			`KeyEmails,`
feat: patch user scim v2 endpoint (#9219) # Which Problems Are Solved * Adds support for the patch user SCIM v2 endpoint # How the Problems Are Solved * Adds support for the patch user SCIM v2 endpoint under `PATCH /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-27 13:36:07 +01:00			`}`

			`AttributePathToMetadataKeys = map[string][]Key{`
			`"externalid": {KeyExternalId},`
			`"name": {KeyMiddleName, KeyHonorificPrefix, KeyHonorificSuffix},`
			`"name.middlename": {KeyMiddleName},`
			`"name.honorificprefix": {KeyHonorificPrefix},`
			`"name.honorificsuffix": {KeyHonorificSuffix},`
			`"profileurl": {KeyProfileUrl},`
			`"title": {KeyTitle},`
			`"locale": {KeyLocale},`
			`"timezone": {KeyTimezone},`
			`"ims": {KeyIms},`
			`"photos": {KeyPhotos},`
			`"addresses": {KeyAddresses},`
			`"entitlements": {KeyEntitlements},`
			`"roles": {KeyRoles},`
fix(scim): add type attribute to ScimEmail (#9690) # Which Problems Are Solved - SCIM PATCH operations for users from Entra ID for the `emails` attribute fails due to missing `type` subattribute # How the Problems Are Solved - Adds the `type` attribute to the `ScimUser` struct and sets the default value to `"work"` in the `mapWriteModelToScimUser()` method. # Additional Changes # Additional Context The SCIM handlers for POST and PUT ignore multiple emails and only uses the primary email for a given user, or falls back to the first email if none are marked as primary. PATCH operations however, will attempt to resolve the provided filter in `operations[].path`. Some services, such as Entra ID, only support patching emails by filtering for `emails[type eq "(work\|home\|other)"].value`, which fails with Zitadel as the ScimUser struct (and thus the generated schema) doesn't include the `type` field. This commit adds the `type` field to work around this issue, while still preserving compatibility with filters such as `emails[primary eq true].value`. - https://discord.com/channels/927474939156643850/927866013545025566/1356556668527448191 --------- Co-authored-by: Christer Edvartsen <christer.edvartsen@nav.no> Co-authored-by: Thomas Siegfried Krampl <thomas.siegfried.krampl@nav.no> 2025-06-19 11:42:44 +02:00			`"emails": {KeyEmails},`
feat: patch user scim v2 endpoint (#9219) # Which Problems Are Solved * Adds support for the patch user SCIM v2 endpoint # How the Problems Are Solved * Adds support for the patch user SCIM v2 endpoint under `PATCH /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-27 13:36:07 +01:00			`}`
			`)`
feat: create user scim v2 endpoint (#9132) # Which Problems Are Solved - Adds infrastructure code (basic implementation, error handling, middlewares, ...) to implement the SCIM v2 interface - Adds support for the user create SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user create SCIM v2 endpoint under `POST /scim/v2/{orgID}/Users` # Additional Context Part of #8140 2025-01-09 12:46:36 +01:00
			`func ScopeExternalIdKey(provisioningDomain string) ScopedKey {`
			`return ScopedKey(strings.Replace(keyScopedExternalIdTemplate, externalIdProvisioningDomainPlaceholder, provisioningDomain, 1))`
			`}`

			`func ScopeKey(ctx context.Context, key Key) ScopedKey {`
			`// only the externalID is scoped`
			`if key == KeyExternalId {`
			`return GetScimContextData(ctx).ExternalIDScopedMetadataKey`
			`}`

			`return ScopedKey(key)`
			`}`
feat: patch user scim v2 endpoint (#9219) # Which Problems Are Solved * Adds support for the patch user SCIM v2 endpoint # How the Problems Are Solved * Adds support for the patch user SCIM v2 endpoint under `PATCH /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-27 13:36:07 +01:00
			`func MapToScopedKeyMap(md map[string][]byte) map[ScopedKey][]byte {`
			`result := make(map[ScopedKey][]byte, len(md))`
			`for k, v := range md {`
			`result[ScopedKey(k)] = v`
			`}`

			`return result`
			`}`

			`func MapListToScopedKeyMap(metadataList []*query.UserMetadata) map[ScopedKey][]byte {`
			`metadataMap := make(map[ScopedKey][]byte, len(metadataList))`
			`for _, entry := range metadataList {`
			`metadataMap[ScopedKey(entry.Key)] = entry.Value`
			`}`

			`return metadataMap`
			`}`