feat(SCIM): user endpoints

[Dschoordsch]

Description

Fixes #11051

Demo

[If possible, please include a screenshot or gif/video, it'll make it easier for reviewers to understand the scope of the changes and how the change is supposed to work. If you're introducing something new or changing the existing patterns, please share a Loom and explain what decisions you've made and under what circumstances]

Testing scenarios

[Please list all the testing scenarios a reviewer has to check before approving the PR]

• Scenario A

  • Step 1
  • Step 2...

• Scenario B

  • Step 1
  • Step 2....

Final checklist

• I checked the code review guidelines
• I have added Metrics Representative as reviewer(s) if my PR invovles metrics/data/analytics related changes
• I have performed a self-review of my code, the same way I'd do it for any other team member
• I have tested all cases I listed in the testing scenarios and I haven't found any issues or regressions
• Whenever I took a non-obvious choice I added a comment explaining why I did it this way
• I added the label Skip Maintainer Review Indicating the PR only requires reviewer review and can be merged right after it's approved if the PR introduces only minor changes, does not contain any architectural changes or does not introduce any new patterns and I think one review is sufficient'
• PR title is human readable and could be used in changelog

[Dschoordsch]

This was taken from Okta (referenced here). I removed 1 optional group test and fixed one which passed an invalid email but was supposed to fail on something else.
It's a Runscope/Radar spec, but the test parses this file and runs it.

[Dschoordsch]

+1 we need active for Okta, so maybe we should do soft delete to please MS folks

[mattkrick]

still valid comment? did you mean Entra by chance? or do both okta and MS require it?

[Dschoordsch]

Yes. Okta requires it to be present for egress. It actually doesn't properly delete users, so we'll have to implement this in a follow-up.
For Entra it's configurable but recommended to allow deactivation of users.

[mattkrick]

+1 what's the harm in calling getReqAuth up here? if it's an empty token, then we know it's a 401 & we can remove the check down on L88

[Dschoordsch]

You can chose OAuth or a simple bearer token for SCIM. If the user choses bearer token, then I want only 1 token to be valid at any time, the one stored in the DB. I want to make it a JWT so I can encode the scimId in it so all tenants can use the same endpoint. I don't want to sign it so it's still valid after a server secret rotation. That's why I only peak in it without checking the signature here and only check it for OAuth, for bearer token we check with the DB.

[mattkrick]

still valid comment? did you mean Entra by chance? or do both okta and MS require it?