feat: add SCIM 2.0 user provisioning (EE)

CHANGELOG.md

@@ -39,6 +39,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Added the ability to configure email code and credentials login from the security settings. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
 - Added a list of configured SSO providers from the security settings. [#1303](https://github.com/sourcebot-dev/sourcebot/pull/1303)
+- [EE] Added a SCIM 2.0 server for automated user provisioning and deprovisioning from identity providers (Okta, Entra). [#1306](https://github.com/sourcebot-dev/sourcebot/pull/1306)
 
 ### Fixed
 - Validated that `SOURCEBOT_ENCRYPTION_KEY` is exactly 32 characters at startup, failing fast with an actionable message instead of a runtime encryption error. [#1305](https://github.com/sourcebot-dev/sourcebot/pull/1305)

packages/db/prisma/migrations/20260619214548_add_scim_users_support/migration.sql

@@ -0,0 +1,29 @@
+-- AlterTable
+ALTER TABLE "Org" ADD COLUMN     "isScimEnabled" BOOLEAN NOT NULL DEFAULT false;
+
+-- AlterTable
+ALTER TABLE "UserToOrg" ADD COLUMN     "isActive" BOOLEAN NOT NULL DEFAULT true,
+ADD COLUMN     "scimExternalId" TEXT;
+
+-- CreateTable
+CREATE TABLE "ScimToken" (
+    "name" TEXT NOT NULL,
+    "hash" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "lastUsedAt" TIMESTAMP(3),
+    "orgId" INTEGER NOT NULL,
+
+    CONSTRAINT "ScimToken_pkey" PRIMARY KEY ("hash")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ScimToken_hash_key" ON "ScimToken"("hash");
+
+-- CreateIndex
+CREATE INDEX "ScimToken_orgId_idx" ON "ScimToken"("orgId");
+
+-- CreateIndex
+CREATE INDEX "UserToOrg_orgId_scimExternalId_idx" ON "UserToOrg"("orgId", "scimExternalId");
+
+-- AddForeignKey
+ALTER TABLE "ScimToken" ADD CONSTRAINT "ScimToken_orgId_fkey" FOREIGN KEY ("orgId") REFERENCES "Org"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/db/prisma/schema.prisma

@@ -272,9 +272,12 @@ model Org {
   connections Connection[]
   repos       Repo[]
   apiKeys     ApiKey[]
+  scimTokens  ScimToken[]
   isOnboarded Boolean      @default(false)
   imageUrl    String?
 
+  isScimEnabled Boolean    @default(false)
+
   /// @deprecated This property can be controlled by the environment
   /// variable `REQUIRE_APPROVAL_NEW_MEMBERS`. To ensure that we use
   /// the correct setting, use the helper function `isMemberApprovalRequired`
@@ -397,7 +400,17 @@ model UserToOrg {
 
   role OrgRole @default(MEMBER)
 
+  /// SCIM soft-deactivation flag. When false, the membership is suspended by
+  /// the IdP: the user is treated as a non-member for auth purposes (see
+  /// `getAuthContext`) but the row is preserved so the IdP can reactivate it.
+  isActive Boolean @default(true)
+
+  /// The IdP-supplied `externalId` for this membership when provisioned via
+  /// SCIM. Null for members that joined through invites or self-serve sign-up.
+  scimExternalId String?
+
   @@id([orgId, userId])
+  @@index([orgId, scimExternalId])
 }
 
 model ApiKey {
@@ -414,6 +427,23 @@ model ApiKey {
   createdById String
 }
 
+/// Org-scoped bearer token presented by an IdP (Okta, Entra) to authenticate
+/// against the SCIM provisioning endpoints. Unlike `ApiKey`, a SCIM token is
+/// not tied to a user — it acts on behalf of the SCIM integration for the
+/// whole org. Only the HMAC hash of the secret is stored.
+model ScimToken {
+  name String
+  hash String @id @unique
+
+  createdAt  DateTime  @default(now())
+  lastUsedAt DateTime?
+
+  org   Org @relation(fields: [orgId], references: [id], onDelete: Cascade)
+  orgId Int
+
+  @@index([orgId])
+}
+
 model Audit {
   id        String   @id @default(cuid())
   timestamp DateTime @default(now())

packages/shared/src/constants.ts

@@ -11,6 +11,7 @@ export const LEGACY_API_KEY_PREFIX = 'sourcebot-';
 export const API_KEY_PREFIX = 'sbk_';
 export const OAUTH_ACCESS_TOKEN_PREFIX = 'sboa_';
 export const OAUTH_REFRESH_TOKEN_PREFIX = 'sbor_';
+export const SCIM_TOKEN_PREFIX = 'sbscim_';
 
 /**
  * Default settings.

packages/shared/src/crypto.ts

@@ -4,7 +4,7 @@ import { z } from 'zod';
 import { env } from './env.server.js';
 import { Token } from '@sourcebot/schemas/v3/shared.type';
 import { SecretManagerServiceClient } from "@google-cloud/secret-manager";
-import { API_KEY_PREFIX, OAUTH_ACCESS_TOKEN_PREFIX, OAUTH_REFRESH_TOKEN_PREFIX } from './constants.js';
+import { API_KEY_PREFIX, OAUTH_ACCESS_TOKEN_PREFIX, OAUTH_REFRESH_TOKEN_PREFIX, SCIM_TOKEN_PREFIX } from './constants.js';
 
 const algorithm = 'aes-256-cbc';
 const ivLength = 16; // 16 bytes for CBC
@@ -56,6 +56,16 @@ export function generateApiKey(): { key: string; hash: string } {
     };
 }
 
+export function generateScimToken(): { token: string; hash: string } {
+    const secret = crypto.randomBytes(32).toString('hex');
+    const hash = hashSecret(secret);
+
+    return {
+        token: `${SCIM_TOKEN_PREFIX}${secret}`,
+        hash,
+    };
+}
+
 export function generateOAuthToken(): { token: string; hash: string } {
     const secret = crypto.randomBytes(32).toString('hex');
     const hash = hashSecret(secret);

packages/shared/src/entitlements.ts

@@ -42,7 +42,8 @@ const ALL_ENTITLEMENTS = [
     "org-management",
     "oauth",
     "ask",
-    "mcp"
+    "mcp",
+    "scim"
 ] as const;
 export type Entitlement = (typeof ALL_ENTITLEMENTS)[number];
 

packages/shared/src/index.server.ts

@@ -58,6 +58,7 @@ export {
     decrypt,
     hashSecret,
     generateApiKey,
+    generateScimToken,
     generateOAuthToken,
     generateOAuthRefreshToken,
     verifySignature,

packages/web/next.config.mjs

@@ -59,6 +59,13 @@ const nextConfig = {
             {
                 source: "/api/mcp",
                 destination: "/api/ee/mcp",
+            },
+            // The SCIM 2.0 server lives under /api/ee/scim/v2 (EE-licensed route
+            // tree) but is exposed at the clean /scim/v2 path that IdPs (Okta,
+            // Entra) are configured to send provisioning requests to.
+            {
+                source: "/scim/v2/:path*",
+                destination: "/api/ee/scim/v2/:path*",
             }
         ];
     },

packages/web/src/__mocks__/prisma.ts

@@ -17,7 +17,7 @@ export const MOCK_ORG: Org = {
     updatedAt: new Date(),
     isOnboarded: true,
     imageUrl: null,
-    metadata: null,
+    isScimEnabled: false,
     memberApprovalRequired: false,
     isCredentialsLoginEnabled: true,
     isEmailCodeLoginEnabled: false,

packages/web/src/actions.ts

@@ -1,26 +1,20 @@
 'use server';
 
 import { createAudit } from "@/ee/features/audit/audit";
-import { env, getSMTPConnectionURL } from "@sourcebot/shared";
 import { ErrorCode } from "@/lib/errorCodes";
-import { notAuthenticated, notFound, ServiceError } from "@/lib/serviceError";
-import { __unsafePrisma } from "@/prisma";
-import { render } from "@react-email/components";
-import { generateApiKey, getTokenFromConfig } from "@sourcebot/shared";
+import { notFound, ServiceError } from "@/lib/serviceError";
+import { sew } from "@/middleware/sew";
 import { ConnectionSyncJobStatus, OrgRole, Prisma, RepoIndexingJobStatus, RepoIndexingJobType } from "@sourcebot/db";
-import { createLogger } from "@sourcebot/shared";
 import { GiteaConnectionConfig } from "@sourcebot/schemas/v3/gitea.type";
 import { GithubConnectionConfig } from "@sourcebot/schemas/v3/github.type";
 import { GitlabConnectionConfig } from "@sourcebot/schemas/v3/gitlab.type";
+import { createLogger, env, generateApiKey, getTokenFromConfig } from "@sourcebot/shared";
 import { StatusCodes } from "http-status-codes";
 import { cookies } from "next/headers";
-import { createTransport } from "nodemailer";
-import JoinRequestSubmittedEmail from "./emails/joinRequestSubmittedEmail";
-import { AGENTIC_SEARCH_TUTORIAL_DISMISSED_COOKIE_NAME, MOBILE_UNSUPPORTED_SPLASH_SCREEN_DISMISSED_COOKIE_NAME, SINGLE_TENANT_ORG_ID } from "./lib/constants";
-import { RepositoryQuery } from "./lib/types";
-import { getAuthenticatedUser, withAuth, withOptionalAuth } from "./middleware/withAuth";
 import { getBrowsePath } from "./app/(app)/browse/hooks/utils";
-import { sew } from "@/middleware/sew";
+import { AGENTIC_SEARCH_TUTORIAL_DISMISSED_COOKIE_NAME, MOBILE_UNSUPPORTED_SPLASH_SCREEN_DISMISSED_COOKIE_NAME } from "./lib/constants";
+import { RepositoryQuery } from "./lib/types";
+import { withAuth, withOptionalAuth } from "./middleware/withAuth";
 
 const logger = createLogger('web-actions');
 
@@ -375,110 +369,6 @@ export const getRepoInfoByName = async (repoName: string) => sew(() =>
         }
     }));
 
-// eslint-disable-next-line authz/require-auth-wrapper -- calls getAuthenticatedUser() directly; runs pre-org-membership so cannot use withAuth
-export const createAccountRequest = async () => sew(async () => {
-    const authResult = await getAuthenticatedUser();
-    if (!authResult) {
-        return notAuthenticated();
-    }
-
-    const { user } = authResult;
-
-    const org = await __unsafePrisma.org.findUnique({
-        where: {
-            id: SINGLE_TENANT_ORG_ID,
-        },
-    });
-
-    if (!org) {
-        return notFound("Organization not found");
-    }
-
-    const existingRequest = await __unsafePrisma.accountRequest.findUnique({
-        where: {
-            requestedById_orgId: {
-                requestedById: user.id,
-                orgId: org.id,
-            },
-        },
-    });
-
-    if (existingRequest) {
-        logger.warn(`User ${user.id} already has an account request for org ${org.id}. Skipping account request creation.`);
-        return {
-            success: true,
-            existingRequest: true,
-        }
-    }
-
-    if (!existingRequest) {
-        await __unsafePrisma.accountRequest.create({
-            data: {
-                requestedById: user.id,
-                orgId: org.id,
-            },
-        });
-
-        const smtpConnectionUrl = getSMTPConnectionURL();
-        if (smtpConnectionUrl && env.EMAIL_FROM_ADDRESS) {
-            // TODO: This is needed because we can't fetch the origin from the request headers when this is called
-            // on user creation (the header isn't set when next-auth calls onCreateUser for some reason)
-            const deploymentUrl = env.AUTH_URL;
-
-            const owners = await __unsafePrisma.user.findMany({
-                where: {
-                    orgs: {
-                        some: {
-                            orgId: org.id,
-                            role: "OWNER",
-                        },
-                    },
-                },
-            });
-
-            if (owners.length === 0) {
-                logger.error(`Failed to find any owners for org ${org.id} when drafting email for account request from ${user.id}`);
-            } else {
-                const html = await render(JoinRequestSubmittedEmail({
-                    baseUrl: deploymentUrl,
-                    requestor: {
-                        name: user.name ?? undefined,
-                        email: user.email,
-                        avatarUrl: user.image ?? undefined,
-                    },
-                    orgName: org.name,
-                    orgImageUrl: org.imageUrl ?? undefined,
-                }));
-
-                const ownerEmails = owners
-                    .map((owner) => owner.email)
-                    .filter((email): email is string => email !== null);
-
-                const transport = createTransport(smtpConnectionUrl);
-                const result = await transport.sendMail({
-                    to: ownerEmails,
-                    from: env.EMAIL_FROM_ADDRESS,
-                    subject: `New account request for ${org.name} on Sourcebot`,
-                    html,
-                    text: `New account request for ${org.name} on Sourcebot by ${user.name ?? user.email}`,
-                });
-
-                const failed = result.rejected.concat(result.pending).filter(Boolean);
-                if (failed.length > 0) {
-                    logger.error(`Failed to send account request email to ${ownerEmails.join(', ')}: ${failed}`);
-                }
-            }
-        } else {
-            logger.warn(`SMTP_CONNECTION_URL or EMAIL_FROM_ADDRESS not set. Skipping account request email to owner`);
-        }
-    }
-
-    return {
-        success: true,
-        existingRequest: false,
-    }
-});
-
 export const getSearchContexts = async () => sew(() =>
     withOptionalAuth(async ({ org, prisma }) => {
         const searchContexts = await prisma.searchContext.findMany({

packages/web/src/app/(app)/@sidebar/components/defaultSidebar/index.tsx

@@ -3,7 +3,7 @@ import { auth } from "@/auth";
 import { HOME_VIEW_COOKIE_NAME } from "@/lib/constants";
 import { HomeView } from "@/hooks/useHomeView";
 import { getConnectionStats } from "@/actions";
-import { getOrgAccountRequests } from "@/features/userManagement/actions";
+import { getOrgAccountRequests } from "@/features/membership/actions";
 import { isServiceError } from "@/lib/utils";
 import { ServiceErrorException } from "@/lib/serviceError";
 import { OrgRole } from "@prisma/client";