
How does SCIM relate to OAuth?

OAuth differentiates between three roles:

  • Client: The application that is attempting to get access to the user's account. It needs to get permission from the user before it can do so.

  • Authorization Server: The server that authenticates the user and issues access tokens after getting proper authorization. In this context, it would handle the user's login and consent.

  • Resource Server: The server hosting the protected resources. This is the API you want to access.

In OAuth terminology, a SCIM server is a Resource Server. This means that the SCIM server hosts the resources (like user accounts and group information) that the client wants to access.

OAuth is used in conjunction with SCIM to secure access to these resources. The client must first obtain an access token from the Authorization Server (usually after authenticating the user). This access token is then included in the SCIM requests to authenticate the client and authorize access to the resources.

This way, SCIM can leverage OAuth's capabilities to provide secure delegated access to its resources, without needing to handle user authentication itself.
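The three roles above, played end to end, as an added example that is not part of the original page or of any SCIM product: a toy Authorization Server that issues opaque bearer tokens, a SCIM Resource Server that accepts a request only after the token introspects as active and carries the right scope, and the client-side request that carries the token in the `Authorization: Bearer` header (the header and `WWW-Authenticate` error values follow RFC 6750). The scope names `scim:read` and `scim:write`, the in-memory token store and the sample user are assumptions made for the example; a real deployment would introspect against, or verify a signed token from, its actual Authorization Server.

```python
import secrets
import time

# Role 1 (page): the Authorization Server. Here it is an in-memory token store
# with an RFC 7662-style introspection answer; this stands in for a real AS.
class AuthorizationServer:
    def __init__(self, now=time.time):
        self._tokens = {}   # token -> {"client_id", "scopes", "expires_at"}
        self._now = now     # injectable clock so expiry can be exercised offline

    def issue_token(self, client_id, scopes, lifetime=3600):
        """Issue an opaque bearer token after the client has been authorized."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "client_id": client_id,
            "scopes": set(scopes),
            "expires_at": self._now() + lifetime,
        }
        return token

    def introspect(self, token):
        """Tell a Resource Server whether a presented token is live, and for what."""
        meta = self._tokens.get(token)
        if meta is None or meta["expires_at"] <= self._now():
            return {"active": False}
        return {"active": True, **meta}


# Role 2 (page): the SCIM server is the Resource Server. It never logs users in;
# it only checks the bearer token the client presents on each call.
class ScimResourceServer:
    # Scope names are assumed for this example; SCIM itself does not define them.
    REQUIRED_SCOPE = {"GET": "scim:read", "POST": "scim:write"}
    USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
    LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

    def __init__(self, auth_server):
        self.auth = auth_server
        # Constructed sample data standing in for the protected /Users collection.
        self.users = [{"schemas": [self.USER_SCHEMA], "id": "u1", "userName": "alice"}]

    def handle(self, method, path, headers, body=None):
        """Return (status, response_headers, response_body) for one SCIM request."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            # RFC 6750: challenge without an error code when no token was sent.
            return 401, {"WWW-Authenticate": 'Bearer realm="scim"'}, None

        info = self.auth.introspect(token)
        if not info["active"]:
            return 401, {"WWW-Authenticate": 'Bearer realm="scim", error="invalid_token"'}, None

        needed = self.REQUIRED_SCOPE.get(method)
        if needed is None:
            return 405, {}, None
        if needed not in info["scopes"]:
            # Authenticated client, but the token does not authorize this action.
            challenge = f'Bearer realm="scim", error="insufficient_scope", scope="{needed}"'
            return 403, {"WWW-Authenticate": challenge}, None

        scim_headers = {"Content-Type": "application/scim+json"}
        if path == "/Users" and method == "GET":
            listing = {"schemas": [self.LIST_SCHEMA],
                       "totalResults": len(self.users), "Resources": self.users}
            return 200, scim_headers, listing
        if path == "/Users" and method == "POST":
            user = {"schemas": [self.USER_SCHEMA],
                    "id": f"u{len(self.users) + 1}", "userName": body["userName"]}
            self.users.append(user)
            return 201, scim_headers, user
        return 404, scim_headers, None


# Role 3 (page): the client. It obtained a token earlier and now attaches it to
# every SCIM request; the Resource Server never sees user credentials.
def scim_client_request(token, method, path, body=None):
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    return method, path, headers, body


if __name__ == "__main__":
    auth = AuthorizationServer()
    scim = ScimResourceServer(auth)
    read_only = auth.issue_token("hr-connector", ["scim:read"])
    print(scim.handle(*scim_client_request(read_only, "GET", "/Users"))[0])   # 200
    print(scim.handle(*scim_client_request(read_only, "POST", "/Users",
                                            {"userName": "bob"}))[0])          # 403
    print(scim.handle("GET", "/Users", {})[0])                                  # 401
```

The split of responsibilities is the point: the SCIM server validates a token it did not issue, so revoking or expiring the token at the Authorization Server cuts off the client without any change on the SCIM side, and a token scoped for reading cannot be used to create or modify accounts.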