supabase · Bewinxed · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025
@@ -40,6 +40,7 @@ require (
 	github.com/consensys/gnark-crypto v0.18.1 // indirect
 	github.com/crate-crypto/go-eth-kzg v1.4.0 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
+	github.com/di-wu/parser v0.2.2 // indirect
 	github.com/ethereum/c-kzg-4844/v2 v2.1.5 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.5 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
@@ -96,6 +97,7 @@ require (
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/lestrrat-go/jwx/v2 v2.1.0
 	github.com/oapi-codegen/runtime v1.1.1
+	github.com/scim2/filter-parser/v2 v2.2.0
 	github.com/standard-webhooks/standard-webhooks/libraries v0.0.0-20240303152453-e0e82adf1721
 	github.com/supabase/hibp v0.0.0-20231124125943-d225752ae869
 	github.com/xeipuuv/gojsonschema v1.2.0

@@ -74,6 +74,8 @@ github.com/decred/dcrd/crypto/blake256 v1.0.1 h1:7PltbUIQB7u/FfZ39+DGa/ShuMyJ5il
 github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnNEcHYvcCuK6dPZSg=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
+github.com/di-wu/parser v0.2.2 h1:I9oHJ8spBXOeL7Wps0ffkFFFiXJf/pk7NX9lcAMqRMU=
+github.com/di-wu/parser v0.2.2/go.mod h1:SLp58pW6WamdmznrVRrw2NTyn4wAvT9rrEFynKX7nYo=
 github.com/didip/tollbooth/v5 v5.1.1 h1:QpKFg56jsbNuQ6FFj++Z1gn2fbBsvAc1ZPLUaDOYW5k=
 github.com/didip/tollbooth/v5 v5.1.1/go.mod h1:d9rzwOULswrD3YIrAQmP3bfjxab32Df4IaO6+D25l9g=
 github.com/emicklei/dot v1.6.2 h1:08GN+DD79cy/tzN6uLCT84+2Wk9u+wvqP+Hkx/dIR8A=
@@ -362,6 +364,8 @@ github.com/russellhaering/goxmldsig v1.6.0 h1:8fdWXEPh2k/NZNQBPFNoVfS3JmzS4ZprY/
 github.com/russellhaering/goxmldsig v1.6.0/go.mod h1:TrnaquDcYxWXfJrOjeMBTX4mLBeYAqaHEyUeWPxZlBM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
+github.com/scim2/filter-parser/v2 v2.2.0 h1:QGadEcsmypxg8gYChRSM2j1edLyE/2j72j+hdmI4BJM=
+github.com/scim2/filter-parser/v2 v2.2.0/go.mod h1:jWnkDToqX/Y0ugz0P5VvpVEUKcWcyHHj+X+je9ce5JA=
 github.com/sebest/xff v0.0.0-20160910043805-6c115e0ffa35 h1:eajwn6K3weW5cd1ZXLu2sJ4pvwlBiCWY4uDejOr73gM=
 github.com/sebest/xff v0.0.0-20160910043805-6c115e0ffa35/go.mod h1:wozgYq9WEBQBaIJe4YZ0qTSFAMxmcwBhQH0fO0R34Z0=
 github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=

@@ -129,6 +129,7 @@ GOTRUE_SECURITY_CAPTCHA_PROVIDER="hcaptcha"
 GOTRUE_SECURITY_CAPTCHA_SECRET="0x0000000000000000000000000000000000000000"
 GOTRUE_SECURITY_CAPTCHA_TIMEOUT="10s"
 GOTRUE_SAML_ENABLED="true"
+GOTRUE_SCIM_ENABLED="true"
 GOTRUE_SAML_PRIVATE_KEY="MIIEowIBAAKCAQEAszrVveMQcSsa0Y+zN1ZFb19cRS0jn4UgIHTprW2tVBmO2PABzjY3XFCfx6vPirMAPWBYpsKmXrvm1tr0A6DZYmA8YmJd937VUQ67fa6DMyppBYTjNgGEkEhmKuszvF3MARsIKCGtZqUrmS7UG4404wYxVppnr2EYm3RGtHlkYsXu20MBqSDXP47bQP+PkJqC3BuNGk3xt5UHl2FSFpTHelkI6lBynw16B+lUT1F96SERNDaMqi/TRsZdGe5mB/29ngC/QBMpEbRBLNRir5iUevKS7Pn4aph9Qjaxx/97siktK210FJT23KjHpgcUfjoQ6BgPBTLtEeQdRyDuc/CgfwIDAQABAoIBAGYDWOEpupQPSsZ4mjMnAYJwrp4ZISuMpEqVAORbhspVeb70bLKonT4IDcmiexCg7cQBcLQKGpPVM4CbQ0RFazXZPMVq470ZDeWDEyhoCfk3bGtdxc1Zc9CDxNMs6FeQs6r1beEZug6weG5J/yRn/qYxQife3qEuDMl+lzfl2EN3HYVOSnBmdt50dxRuX26iW3nqqbMRqYn9OHuJ1LvRRfYeyVKqgC5vgt/6Tf7DAJwGe0dD7q08byHV8DBZ0pnMVU0bYpf1GTgMibgjnLjK//EVWafFHtN+RXcjzGmyJrk3+7ZyPUpzpDjO21kpzUQLrpEkkBRnmg6bwHnSrBr8avECgYEA3pq1PTCAOuLQoIm1CWR9/dhkbJQiKTJevlWV8slXQLR50P0WvI2RdFuSxlWmA4xZej8s4e7iD3MYye6SBsQHygOVGc4efvvEZV8/XTlDdyj7iLVGhnEmu2r7AFKzy8cOvXx0QcLg+zNd7vxZv/8D3Qj9Jje2LjLHKM5n/dZ3RzUCgYEAzh5Lo2anc4WN8faLGt7rPkGQF+7/18ImQE11joHWa3LzAEy7FbeOGpE/vhOv5umq5M/KlWFIRahMEQv4RusieHWI19ZLIP+JwQFxWxS+cPp3xOiGcquSAZnlyVSxZ//dlVgaZq2o2MfrxECcovRlaknl2csyf+HjFFwKlNxHm2MCgYAr//R3BdEy0oZeVRndo2lr9YvUEmu2LOihQpWDCd0fQw0ZDA2kc28eysL2RROte95r1XTvq6IvX5a0w11FzRWlDpQ4J4/LlcQ6LVt+98SoFwew+/PWuyLmxLycUbyMOOpm9eSc4wJJZNvaUzMCSkvfMtmm5jgyZYMMQ9A2Ul/9SQKBgB9mfh9mhBwVPIqgBJETZMMXOdxrjI5SBYHGSyJqpT+5Q0vIZLfqPrvNZOiQFzwWXPJ+tV4Mc/YorW3rZOdo6tdvEGnRO6DLTTEaByrY/io3/gcBZXoSqSuVRmxleqFdWWRnB56c1hwwWLqNHU+1671FhL6pNghFYVK4suP6qu4BAoGBAMk+VipXcIlD67mfGrET/xDqiWWBZtgTzTMjTpODhDY1GZck1eb4CQMP5j5V3gFJ4cSgWDJvnWg8rcz0unz/q4aeMGl1rah5WNDWj1QKWMS6vJhMHM/rqN1WHWR0ZnV83svYgtg0zDnQKlLujqW4JmGXLMU7ur6a+e6lpa1fvLsP"
 GOTRUE_MAX_VERIFIED_FACTORS=10
 GOTRUE_SMS_TEST_OTP_VALID_UNTIL=""

@@ -299,7 +299,7 @@ func (a *API) adminUserUpdate(w http.ResponseWriter, r *http.Request) error {
 		}
 
 		if banDuration != nil {
-			if terr := user.Ban(tx, *banDuration); terr != nil {
+			if terr := user.Ban(tx, *banDuration, nil); terr != nil {
 				return terr
 			}
 		}
@@ -493,7 +493,7 @@ func (a *API) adminUserCreate(w http.ResponseWriter, r *http.Request) error {
 		}
 
 		if banDuration != nil {
-			if terr := user.Ban(tx, *banDuration); terr != nil {
+			if terr := user.Ban(tx, *banDuration, nil); terr != nil {
 				return terr
 			}
 		}

@@ -211,6 +211,48 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 		r.Post("/", api.ExternalProviderCallback)
 	})
 
+	// SCIM v2 API endpoints
+	if api.config.SCIM.Enabled {
+		r.Route("/scim/v2", func(r *router) {
+			r.Use(api.requireSCIMAuthentication)
+
+			// SCIM-specific NotFound handler for proper error format
+			r.NotFound(api.scimNotFound)
+			r.MethodNotAllowed(api.scimMethodNotAllowed)
+
+			// Service Provider Configuration
+			r.Get("/ServiceProviderConfig", api.scimServiceProviderConfig)
+			r.Get("/ResourceTypes", api.scimResourceTypes)
+			r.Get("/ResourceTypes/{resource_type_id}", api.scimResourceTypeByID)
+			r.Get("/Schemas", api.scimSchemas)
+			r.Get("/Schemas/{schema_id}", api.scimSchemaByID)
+
+			// User endpoints
+			r.Route("/Users", func(r *router) {
+				r.Get("/", api.scimListUsers)
+				r.Post("/", api.scimCreateUser)
+				r.Route("/{user_id}", func(r *router) {
+					r.Get("/", api.scimGetUser)
+					r.Put("/", api.scimReplaceUser)
+					r.Patch("/", api.scimPatchUser)
+					r.Delete("/", api.scimDeleteUser)
+				})
+			})
+
+			// Group endpoints
+			r.Route("/Groups", func(r *router) {
+				r.Get("/", api.scimListGroups)
+				r.Post("/", api.scimCreateGroup)
+				r.Route("/{group_id}", func(r *router) {
+					r.Get("/", api.scimGetGroup)
+					r.Put("/", api.scimReplaceGroup)
+					r.Patch("/", api.scimPatchGroup)
+					r.Delete("/", api.scimDeleteGroup)
+				})
+			})
+		})
+	}
+
 	r.Route("/", func(r *router) {
 
 		r.Use(api.isValidExternalHost)
@@ -390,6 +432,16 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 						r.Get("/", api.adminSSOProvidersGet)
 						r.Put("/", api.adminSSOProvidersUpdate)
 						r.Delete("/", api.adminSSOProvidersDelete)
+
+						// SCIM management endpoints
+						if api.config.SCIM.Enabled {
+							r.Route("/scim", func(r *router) {
+								r.Get("/", api.adminSSOProviderGetSCIM)
+								r.Post("/", api.adminSSOProviderEnableSCIM)
+								r.Delete("/", api.adminSSOProviderDisableSCIM)
+								r.Post("/rotate", api.adminSSOProviderRotateSCIMToken)
+							})
+						}
 					})
 				})
 			})

@@ -120,3 +120,81 @@ func (e *HTTPError) WithInternalMessage(fmtString string, args ...any) *HTTPErro
 	e.InternalMessage = fmt.Sprintf(fmtString, args...)
 	return e
 }
+
+// SCIMHTTPError is an error with SCIM-specific format per RFC 7644 Section 3.12
+type SCIMHTTPError struct {
+	HTTPStatus      int    `json:"-"`
+	Schemas         []string `json:"schemas"`
+	Status          string   `json:"status"`
+	Detail          string   `json:"detail,omitempty"`
+	ScimType        string   `json:"scimType,omitempty"`
+	InternalError   error    `json:"-"`
+	InternalMessage string   `json:"-"`
+}
+
+const SCIMSchemaError = "urn:ietf:params:scim:api:messages:2.0:Error"
+
+func NewSCIMHTTPError(httpStatus int, detail string, scimType string) *SCIMHTTPError {
+	return &SCIMHTTPError{
+		HTTPStatus: httpStatus,
+		Schemas:    []string{SCIMSchemaError},
+		Status:     fmt.Sprintf("%d", httpStatus),
+		Detail:     detail,
+		ScimType:   scimType,
+	}
+}
+
+func NewSCIMBadRequestError(detail string, scimType string) *SCIMHTTPError {
+	return NewSCIMHTTPError(http.StatusBadRequest, detail, scimType)
+}
+
+func NewSCIMNotFoundError(detail string) *SCIMHTTPError {
+	return NewSCIMHTTPError(http.StatusNotFound, detail, "")
+}
+
+func NewSCIMUnauthorizedError(detail string) *SCIMHTTPError {
+	return NewSCIMHTTPError(http.StatusUnauthorized, detail, "")
+}
+
+func NewSCIMConflictError(detail string, scimType string) *SCIMHTTPError {
+	return NewSCIMHTTPError(http.StatusConflict, detail, scimType)
+}
+
+func NewSCIMForbiddenError(detail string) *SCIMHTTPError {
+	return NewSCIMHTTPError(http.StatusForbidden, detail, "")
+}
+
+func NewSCIMRequestTooLargeError(detail string) *SCIMHTTPError {
+	return NewSCIMHTTPError(http.StatusRequestEntityTooLarge, detail, "")
+}
+
+func NewSCIMInternalServerError(detail string) *SCIMHTTPError {
+	return NewSCIMHTTPError(http.StatusInternalServerError, detail, "")
+}
+
+func (e *SCIMHTTPError) Error() string {
+	if e.InternalMessage != "" {
+		return e.InternalMessage
+	}
+	return fmt.Sprintf("%d: %s", e.HTTPStatus, e.Detail)
+}
+
+// Cause returns the root cause error
+func (e *SCIMHTTPError) Cause() error {
+	if e.InternalError != nil {
+		return e.InternalError
+	}
+	return e
+}
+
+// WithInternalError adds internal error information to the error
+func (e *SCIMHTTPError) WithInternalError(err error) *SCIMHTTPError {
+	e.InternalError = err
+	return e
+}
+
+// WithInternalMessage adds internal message information to the error
+func (e *SCIMHTTPError) WithInternalMessage(fmtString string, args ...any) *SCIMHTTPError {
+	e.InternalMessage = fmt.Sprintf(fmtString, args...)
+	return e
+}
@@ -29,6 +29,7 @@ const (
 	ErrorCodeOAuthInvalidState                 ErrorCode = "oauth_invalid_state"
 	ErrorCodeSignupDisabled                    ErrorCode = "signup_disabled"
 	ErrorCodeUserBanned                        ErrorCode = "user_banned"
+	ErrorCodeUserLocked                        ErrorCode = "user_locked"
 	ErrorCodeProviderEmailNeedsVerification    ErrorCode = "provider_email_needs_verification"
 	ErrorCodeInviteNotFound                    ErrorCode = "invite_not_found"
 	ErrorCodeBadOAuthState                     ErrorCode = "bad_oauth_state"
@@ -62,6 +63,7 @@ const (
 	ErrorCodeUserAlreadyExists                 ErrorCode = "user_already_exists"
 	ErrorCodeSSOProviderNotFound               ErrorCode = "sso_provider_not_found"
 	ErrorCodeSSOProviderDisabled               ErrorCode = "sso_provider_disabled"
+	ErrorCodeSCIMDisabled ErrorCode = "scim_disabled"
 	ErrorCodeSAMLMetadataFetchFailed           ErrorCode = "saml_metadata_fetch_failed"
 	ErrorCodeSAMLIdPAlreadyExists              ErrorCode = "saml_idp_already_exists"
 	ErrorCodeSSODomainAlreadyExists            ErrorCode = "sso_domain_already_exists"

@@ -188,6 +188,19 @@ func HandleResponseError(err error, w http.ResponseWriter, r *http.Request) {
 			log.WithError(jsonErr).Warn("Failed to send JSON on ResponseWriter")
 		}
 
+	case *apierrors.SCIMHTTPError:
+		switch {
+		case e.HTTPStatus >= http.StatusInternalServerError:
+			log.WithError(e.Cause()).Error(e.Error())
+		case e.HTTPStatus == http.StatusTooManyRequests:
+			log.WithError(e.Cause()).Warn(e.Error())
+		default:
+			log.WithError(e.Cause()).Info(e.Error())
+		}
+		if jsonErr := sendSCIMJSON(w, e.HTTPStatus, e); jsonErr != nil && jsonErr != context.DeadlineExceeded {
+			log.WithError(jsonErr).Warn("Failed to send JSON on ResponseWriter")
+		}
+
 	case ErrorCause:
 		HandleResponseError(e.Cause(), w, r)
 

@@ -389,6 +389,10 @@ func (a *API) createAccountFromExternalIdentity(tx *storage.Connection, r *http.
 		return 0, nil, apierrors.NewForbiddenError(apierrors.ErrorCodeUserBanned, "User is banned")
 	}
 
+	if user.IsLocked() {
+		return 0, nil, apierrors.NewForbiddenError(apierrors.ErrorCodeUserLocked, "User account is locked")
+	}
+
 	hasEmails := providerType != "web3" && !(emailOptional && decision.CandidateEmail.Email == "")
 
 	if hasEmails && !user.IsConfirmed() {

@@ -383,6 +383,10 @@ func (s *Server) handleAuthorizationCodeGrant(ctx context.Context, w http.Respon
 		return apierrors.NewOAuthError("access_denied", "User is banned")
 	}
 
+	if user.IsLocked() {
+		return apierrors.NewOAuthError("access_denied", "User account is locked")
+	}
+
 	// Exchange the authorization code for tokens
 	var tokenResponse *tokens.AccessTokenResponse
 	var grantParams models.GrantParams

@@ -54,6 +54,14 @@ func (r *router) UseBypass(fn func(next http.Handler) http.Handler) {
 	r.chi.Use(fn)
 }
 
+func (r *router) NotFound(fn apiHandler) {
+	r.chi.NotFound(handler(fn))
+}
+
+func (r *router) MethodNotAllowed(fn apiHandler) {
+	r.chi.MethodNotAllowed(handler(fn))
+}
+
 func (r *router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	r.chi.ServeHTTP(w, req)
 }