feat: adds enforce SCIM auth config option

Author: danpiths

framework/configstore/clientconfig.go

@@ -45,6 +45,7 @@ type ClientConfig struct {
 	LogRetentionDays        int                              `json:"log_retention_days" validate:"min=1"` // Number of days to retain logs (minimum 1 day)
 	EnableGovernance        bool                             `json:"enable_governance"`                   // Enable governance on all requests
 	EnforceGovernanceHeader bool                             `json:"enforce_governance_header"`           // Enforce governance on all requests
+	EnforceSCIMAuth         bool                             `json:"enforce_scim_auth"`                   // Enforce SCIM auth on inference endpoints (enterprise only)
 	AllowDirectKeys         bool                             `json:"allow_direct_keys"`                   // Allow direct keys to be used for requests
 	AllowedOrigins          []string                         `json:"allowed_origins,omitempty"`           // Additional allowed origins for CORS and WebSocket (localhost is always allowed)
 	AllowedHeaders          []string                         `json:"allowed_headers,omitempty"`           // Additional allowed headers for CORS and WebSocket
@@ -100,6 +101,12 @@ func (c *ClientConfig) GenerateClientConfigHash() (string, error) {
 		hash.Write([]byte("enforceGovernanceHeader:false"))
 	}
 
+	if c.EnforceSCIMAuth {
+		hash.Write([]byte("enforceSCIMAuth:true"))
+	} else {
+		hash.Write([]byte("enforceSCIMAuth:false"))
+	}
+
 	if c.AllowDirectKeys {
 		hash.Write([]byte("allowDirectKeys:true"))
 	} else {

framework/configstore/migrations.go

@@ -250,6 +250,9 @@ func triggerMigrations(ctx context.Context, db *gorm.DB) error {
 	if err := migrationAddRateLimitToTeamsAndCustomers(ctx, db); err != nil {
 		return err
 	}
+	if err := migrationAddEnforceSCIMAuthColumn(ctx, db); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -3409,3 +3412,34 @@ func migrationAddRateLimitToTeamsAndCustomers(ctx context.Context, db *gorm.DB)
 	}
 	return nil
 }
+
+// migrationAddEnforceSCIMAuthColumn adds the enforce_scim_auth column to the client config table
+func migrationAddEnforceSCIMAuthColumn(ctx context.Context, db *gorm.DB) error {
+	m := migrator.New(db, migrator.DefaultOptions, []*migrator.Migration{{
+		ID: "add_enforce_scim_auth_column",
+		Migrate: func(tx *gorm.DB) error {
+			tx = tx.WithContext(ctx)
+			migrator := tx.Migrator()
+			if !migrator.HasColumn(&tables.TableClientConfig{}, "enforce_scim_auth") {
+				if err := migrator.AddColumn(&tables.TableClientConfig{}, "enforce_scim_auth"); err != nil {
+					return err
+				}
+			}
+			return nil
+		},
+		Rollback: func(tx *gorm.DB) error {
+			tx = tx.WithContext(ctx)
+			migrator := tx.Migrator()
+			if migrator.HasColumn(&tables.TableClientConfig{}, "enforce_scim_auth") {
+				if err := migrator.DropColumn(&tables.TableClientConfig{}, "enforce_scim_auth"); err != nil {
+					return err
+				}
+			}
+			return nil
+		},
+	}})
+	if err := m.Migrate(); err != nil {
+		return fmt.Errorf("error running enforce SCIM auth column migration: %s", err.Error())
+	}
+	return nil
+}

framework/configstore/rdb.go

@@ -46,6 +46,7 @@ func (s *RDBConfigStore) UpdateClientConfig(ctx context.Context, config *ClientC
 		LogRetentionDays:        config.LogRetentionDays,
 		EnableGovernance:        config.EnableGovernance,
 		EnforceGovernanceHeader: config.EnforceGovernanceHeader,
+		EnforceSCIMAuth:         config.EnforceSCIMAuth,
 		AllowDirectKeys:         config.AllowDirectKeys,
 		PrometheusLabels:        config.PrometheusLabels,
 		AllowedOrigins:          config.AllowedOrigins,
@@ -208,6 +209,7 @@ func (s *RDBConfigStore) GetClientConfig(ctx context.Context) (*ClientConfig, er
 		LogRetentionDays:        dbConfig.LogRetentionDays,
 		EnableGovernance:        dbConfig.EnableGovernance,
 		EnforceGovernanceHeader: dbConfig.EnforceGovernanceHeader,
+		EnforceSCIMAuth:         dbConfig.EnforceSCIMAuth,
 		AllowDirectKeys:         dbConfig.AllowDirectKeys,
 		AllowedOrigins:          dbConfig.AllowedOrigins,
 		AllowedHeaders:          dbConfig.AllowedHeaders,

framework/configstore/tables/clientconfig.go

@@ -22,6 +22,7 @@ type TableClientConfig struct {
 	LogRetentionDays        int    `gorm:"default:365" json:"log_retention_days" validate:"min=1"` // Number of days to retain logs (minimum 1 day)
 	EnableGovernance        bool   `gorm:"" json:"enable_governance"`
 	EnforceGovernanceHeader bool   `gorm:"" json:"enforce_governance_header"`
+	EnforceSCIMAuth         bool   `gorm:"default:false" json:"enforce_scim_auth"`
 	AllowDirectKeys         bool   `gorm:"" json:"allow_direct_keys"`
 	MaxRequestBodySizeMB    int    `gorm:"default:100" json:"max_request_body_size_mb"`
 	MCPAgentDepth           int    `gorm:"default:10" json:"mcp_agent_depth"`

transports/bifrost-http/handlers/config.go

@@ -346,6 +346,11 @@ func (h *ConfigHandler) updateConfig(ctx *fasthttp.RequestCtx) {
 	}
 	updatedConfig.AllowDirectKeys = payload.ClientConfig.AllowDirectKeys
 
+	if payload.ClientConfig.EnforceSCIMAuth != currentConfig.EnforceSCIMAuth {
+		restartReasons = append(restartReasons, "Enforce SCIM auth on inference")
+	}
+	updatedConfig.EnforceSCIMAuth = payload.ClientConfig.EnforceSCIMAuth
+
 	// Only update MaxRequestBodySizeMB if explicitly provided (> 0) to avoid clearing stored value
 	if payload.ClientConfig.MaxRequestBodySizeMB > 0 {
 		if payload.ClientConfig.MaxRequestBodySizeMB != currentConfig.MaxRequestBodySizeMB {

ui/app/workspace/config/views/securityView.tsx

@@ -81,8 +81,9 @@ export default function SecurityView() {
 
 		const enforceVirtualKeyChanged = localConfig.enforce_governance_header !== config.enforce_governance_header;
 		const allowDirectKeysChanged = localConfig.allow_direct_keys !== config.allow_direct_keys;
+		const enforceSCIMAuthChanged = localConfig.enforce_scim_auth !== config.enforce_scim_auth;
 
-		return originsChanged || headersChanged || authChanged || enforceVirtualKeyChanged || allowDirectKeysChanged;
+		return originsChanged || headersChanged || authChanged || enforceVirtualKeyChanged || allowDirectKeysChanged || enforceSCIMAuthChanged;
 	}, [config, localConfig, authConfig, bifrostConfig]);
 
 	const needsRestart = useMemo(() => {
@@ -96,7 +97,9 @@ export default function SecurityView() {
 		const serverHeaders = config.allowed_headers?.slice().sort().join(",");
 		const headersChanged = localHeaders !== serverHeaders;
 
-		return originsChanged || headersChanged;
+		const enforceSCIMAuthChanged = localConfig.enforce_scim_auth !== config.enforce_scim_auth;
+
+		return originsChanged || headersChanged || enforceSCIMAuthChanged;
 	}, [config, localConfig]);
 
 	const handleAllowedOriginsChange = useCallback((value: string) => {
@@ -268,6 +271,25 @@ export default function SecurityView() {
 						/>
 					</div>
 				)}
+				{/* Enforce SCIM Auth on Inference (Enterprise Only) */}
+				{IS_ENTERPRISE && (
+					<div className="flex items-center justify-between space-x-2 rounded-lg border p-4">
+						<div className="space-y-0.5">
+							<label htmlFor="enforce-scim-auth" className="text-sm font-medium">
+								Enforce SCIM Auth on Inference
+							</label>
+							<p className="text-muted-foreground text-sm">
+								Require authentication (API keys or SCIM/OAuth tokens) for all inference endpoints. When enabled, unauthenticated requests
+								to chat completions, embeddings, etc. will be rejected.
+							</p>
+						</div>
+						<Switch
+							id="enforce-scim-auth"
+							checked={localConfig.enforce_scim_auth}
+							onCheckedChange={(checked) => handleConfigChange("enforce_scim_auth", checked)}
+						/>
+					</div>
+				)}
 				{/* Allow Direct API Keys */}
 				<div className="flex items-center justify-between space-x-2 rounded-lg border p-4">
 					<div className="space-y-0.5">

ui/lib/types/config.ts

@@ -388,6 +388,7 @@ export interface CoreConfig {
 	log_retention_days: number;
 	enable_governance: boolean;
 	enforce_governance_header: boolean;
+	enforce_scim_auth: boolean;
 	allow_direct_keys: boolean;
 	allowed_origins: string[];
 	allowed_headers: string[];
@@ -410,6 +411,7 @@ export const DefaultCoreConfig: CoreConfig = {
 	log_retention_days: 365,
 	enable_governance: true,
 	enforce_governance_header: false,
+	enforce_scim_auth: false,
 	allow_direct_keys: false,
 	allowed_origins: [],
 	max_request_body_size_mb: 100,