providers/scim: save attributes returned from remote system like google workspace and entra ID (#13459)

providers/scim: save attributes returned from remote system like google workspace and entra

Signed-off-by: Jens Langhammer <[email protected]>

Author: BeryJu

authentik/providers/scim/api/groups.py

@@ -24,7 +24,9 @@ class Meta:
             "group",
             "group_obj",
             "provider",
+            "attributes",
         ]
+        extra_kwargs = {"attributes": {"read_only": True}}
 
 
 class SCIMProviderGroupViewSet(

authentik/providers/scim/api/users.py

@@ -24,7 +24,9 @@ class Meta:
             "user",
             "user_obj",
             "provider",
+            "attributes",
         ]
+        extra_kwargs = {"attributes": {"read_only": True}}
 
 
 class SCIMProviderUserViewSet(

authentik/providers/scim/clients/groups.py

@@ -102,7 +102,7 @@ def create(self, group: Group):
         if not scim_id or scim_id == "":
             raise StopSync("SCIM Response with missing or invalid `id`")
         connection = SCIMProviderGroup.objects.create(
-            provider=self.provider, group=group, scim_id=scim_id
+            provider=self.provider, group=group, scim_id=scim_id, attributes=response
         )
         users = list(group.users.order_by("id").values_list("id", flat=True))
         self._patch_add_users(connection, users)

authentik/providers/scim/clients/users.py

@@ -77,25 +77,30 @@ def create(self, user: User):
                 if len(users_res) < 1:
                     raise exc
                 return SCIMProviderUser.objects.create(
-                    provider=self.provider, user=user, scim_id=users_res[0]["id"]
+                    provider=self.provider,
+                    user=user,
+                    scim_id=users_res[0]["id"],
+                    attributes=users_res[0],
                 )
             else:
                 scim_id = response.get("id")
                 if not scim_id or scim_id == "":
                     raise StopSync("SCIM Response with missing or invalid `id`")
                 return SCIMProviderUser.objects.create(
-                    provider=self.provider, user=user, scim_id=scim_id
+                    provider=self.provider, user=user, scim_id=scim_id, attributes=response
                 )
 
     def update(self, user: User, connection: SCIMProviderUser):
         """Update existing user"""
         scim_user = self.to_schema(user, connection)
         scim_user.id = connection.scim_id
-        self._request(
+        response = self._request(
             "PUT",
             f"/Users/{connection.scim_id}",
             json=scim_user.model_dump(
                 mode="json",
                 exclude_unset=True,
             ),
         )
+        connection.attributes = response
+        connection.save()

authentik/providers/scim/migrations/0012_scimprovidergroup_attributes_and_more.py

@@ -0,0 +1,23 @@
+# Generated by Django 5.0.12 on 2025-03-11 13:51
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_scim", "0011_scimprovider_dry_run"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="scimprovidergroup",
+            name="attributes",
+            field=models.JSONField(default=dict),
+        ),
+        migrations.AddField(
+            model_name="scimprovideruser",
+            name="attributes",
+            field=models.JSONField(default=dict),
+        ),
+    ]

authentik/providers/scim/models.py

@@ -22,6 +22,7 @@ class SCIMProviderUser(SerializerModel):
     scim_id = models.TextField()
     user = models.ForeignKey(User, on_delete=models.CASCADE)
     provider = models.ForeignKey("SCIMProvider", on_delete=models.CASCADE)
+    attributes = models.JSONField(default=dict)
 
     @property
     def serializer(self) -> type[Serializer]:
@@ -43,6 +44,7 @@ class SCIMProviderGroup(SerializerModel):
     scim_id = models.TextField()
     group = models.ForeignKey(Group, on_delete=models.CASCADE)
     provider = models.ForeignKey("SCIMProvider", on_delete=models.CASCADE)
+    attributes = models.JSONField(default=dict)
 
     @property
     def serializer(self) -> type[Serializer]:

schema.yml

@@ -55897,7 +55897,10 @@ components:
           readOnly: true
         provider:
           type: integer
+        attributes:
+          readOnly: true
       required:
+      - attributes
       - group
       - group_obj
       - id
@@ -55984,7 +55987,10 @@ components:
           readOnly: true
         provider:
           type: integer
+        attributes:
+          readOnly: true
       required:
+      - attributes
       - id
       - provider
       - scim_id

web/src/admin/providers/scim/SCIMProviderGroupList.ts

@@ -24,6 +24,7 @@ export class SCIMProviderGroupList extends Table<SCIMProviderGroup> {
         return true;
     }
 
+    expandable = true;
     checkbox = true;
     clearOnRefresh = true;
 
@@ -81,6 +82,13 @@ export class SCIMProviderGroupList extends Table<SCIMProviderGroup> {
             html`${item.id}`,
         ];
     }
+    renderExpanded(item: SCIMProviderGroup): TemplateResult {
+        return html`<td role="cell" colspan="4">
+            <div class="pf-c-table__expandable-row-content">
+                <pre>${JSON.stringify(item.attributes, null, 4)}</pre>
+            </div>
+        </td>`;
+    }
 }
 
 declare global {

web/src/admin/providers/scim/SCIMProviderUserList.ts

@@ -24,6 +24,7 @@ export class SCIMProviderUserList extends Table<SCIMProviderUser> {
         return true;
     }
 
+    expandable = true;
     checkbox = true;
     clearOnRefresh = true;
 
@@ -82,6 +83,13 @@ export class SCIMProviderUserList extends Table<SCIMProviderUser> {
             html`${item.id}`,
         ];
     }
+    renderExpanded(item: SCIMProviderUser): TemplateResult {
+        return html`<td role="cell" colspan="4">
+            <div class="pf-c-table__expandable-row-content">
+                <pre>${JSON.stringify(item.attributes, null, 4)}</pre>
+            </div>
+        </td>`;
+    }
 }
 
 declare global {