Tags: azure-active-directory, okta, onelogin, scim, scim2

What token grant type is usually needed for the secret token in SCIM provisioning?


From the service provider's documents, an access or bearer token is mentioned. It does not say what token grant type is needed….


Solution

  • I work with SCIM but know some of the auth stuff as a side effect of that. My best effort at answering this is:

    Typical implementations of SCIM either provide long-lived bearer tokens or leverage OAuth 2.0.

    For long-lived bearer tokens (typically JWT), which can be issued however you prefer - I see them issued via customers making API calls directly or through some form of admin UI.

    For OAuth 2.0, typically it'd be either Authorization Code Grant flow or Client Credentials Grant flow.

    Keep in mind that "typical" here is in the context of interoperability of applications connected to a major IDP's SCIM client (AAD, Okta, OneLogin, etc). Given the tags on this post mention all of those IDPs, it seemed like a contextual hint.
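As an added example (not code from the answer above or from any of the named IdPs), here is how a SCIM service provider might accept both token types the answer describes: a long-lived static bearer token, and an OAuth 2.0 access token obtained by a client-credentials grant. Everything in it is assumed: the secrets, the HS256 JWT format, the `scim` scope name and the function names.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secrets (not from the post). The static SCIM token is stored
# only as a SHA-256 digest; JWT_SECRET verifies HS256 access tokens issued by a
# hypothetical authorization server after a client-credentials grant.
LONG_LIVED_TOKEN_SHA256 = hashlib.sha256(b"example-long-lived-scim-token").hexdigest()
JWT_SECRET = b"example-hs256-secret"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_hs256_jwt(claims):
    """Test-only helper to mint a token; in production the IdP/AS issues it."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def verify_hs256_jwt(token, now=None):
    """Return the claims if signature, expiry and a 'scim' scope all check out."""
    try:
        h, p, sig = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # refuse alg=none or any algorithm the server did not choose
        expected = hmac.new(JWT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        return None
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current or "scim" not in claims.get("scope", "").split():
        return None
    return claims

def authenticate_scim_request(headers, now=None):
    """Map the Authorization header to a principal, or None (answer 401)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    # Case 1: long-lived static token, compared as digests in constant time
    if hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), LONG_LIVED_TOKEN_SHA256):
        return "static-token:idp-provisioning"
    # Case 2: OAuth 2.0 access token (JWT from a client-credentials grant)
    claims = verify_hs256_jwt(token, now)
    return f"oauth:{claims.get('sub')}" if claims else None
```

Whichever grant the IdP uses, the SCIM endpoint only ever sees `Authorization: Bearer <token>`, so the server-side check above is where expiry, scope and constant-time comparison have to be enforced.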