Documentation

docs/reference/provisioning/scim-token.md {#RefScimToken}

A bearer token that authorizes a provisioning tool to perform actions with a team. Each token corresponds to one team.

For SCIM authentication and token handling logic, see Spar.Scim.Auth.

Metadata that we store about each token.

Wrapper to work around complications with type synonym family application in instances.

Background: SparTag is used to instantiate the open type families in the classes Scim.UserTypes, Scim.GroupTypes, Scim.AuthTypes. Those type families are not injective, and in general they shouldn't be: it should be possible to map two tags to different user ids, but the same extra user info. This makes the type of the Cql instance for StoredUser tag undecidable: if the type checker encounters a constraint that gives it the user id and extra info, it can't compute the tag from that to look up the instance.

Possible solutions:

• what we're doing here: wrap the type synonyms we can't instantiate into newtypes in the code using hscim.
• do not instantiate the type synonym, but its value (in this case Web.Scim.Schema.Meta.WithMeta (Web.Scim.Schema.Common.WithId (Id U) (Scim.User tag))
• Use newtypes instead type in hscim. This will carry around the tag as a data type rather than applying it, which in turn will enable ghc to type-check instances like Cql (Scim.StoredUser tag).
• make the type classes parametric in not only the tag, but also all the values of the type families, and add functional dependencies, like this: class UserInfo tag uid extrainfo | (uid, extrainfo) -> tag, tag -> (uid, extrainfo). this will make writing the instances only a little more awkward, but the rest of the code should change very little, as long as we just apply the type families rather than explicitly imposing the class constraints.
• given a lot of time: extend ghc with something vaguely similar to AllowAmbigiousTypes, where the instance typechecks, and non-injectivity errors are raised when checking the constraint that "calls" the instance. :)

See WrappedScimStoredUser.

Extra Wire-specific data contained in a SCIM user profile.

SCIM user with all the data spar is actively processing. Constructed by validateScimUser, or manually from data obtained from brig to pass them on to scim peers. The idea is that the type we get back from hscim is too general, and we need a second round of parsing (aka validation), of which ValidScimUser is the result.

Data contained in _vsuHandle and _vsuName is guaranteed to a) correspond to the data in the User and b) be valid in regard to our own user schema requirements (only certain characters allowed in handles, etc).

Note that it's ok for us to ignore parts of the content sent to us, as explained here: "Since the server is free to alter and/or ignore POSTed content, returning the full representation can be useful to the client, enabling it to correlate the client's and server's views of the new resource."

This type carries externalId, plus email address (validated if present, unvalidated if not) and saml credentials, because those are sometimes derived from the externalId field.

Type used for request parameters to APIScimTokenCreate.

Type used for the response of APIScimTokenCreate.

Type used for responses of endpoints that return a list of SCIM tokens. Wrapped into an object to allow extensibility later on.

We don't show tokens once they have been created – only their metadata.