scimgateway 5.0.4 → 5.0.6

package/README.md

@@ -16,11 +16,11 @@ Validated through IdP's:
   
 Latest news:  
 
-- Major version **v5.0.0** marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
+- Major version **v5** marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
 - **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Gateway now offers enhanced functionality with support for message subscription and automated provisioning using SCIM Stream
-- Authentication PassThrough letting plugin pass authentication directly to endpoint for avoid maintaining secrets at the gateway. Kubernetes health checks and shutdown handler support
+- Authentication PassThrough letting plugin pass authentication directly to endpoint for avoid maintaining secrets at the gateway
 - Supports OAuth Client Credentials authentication
-- Major version **v4.0.0** getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin
+- Major version **v4** getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin
 - ipAllowList for restricting access to allowlisted IP addresses or subnets e.g. Azure IP-range  
 - General LDAP plugin configured for Active Directory  
 - [PlugSSO](https://elshaug.xyz/docs/plugsso) using SCIM Gateway
@@ -157,7 +157,7 @@ If internet connection is blocked, we could install on another machine and copy
 
 Not needed after a fresh install  
 
-The best and easiest way to upgrade is renaming existing scimgateway package folder, create a new one and do a fresh installation. After the installation we copy `index.ts, config and lib folder` (customized plugins) from previous installation to the new installation. You should also read the version history to see custom plugins needs to be updated.
+The best and easiest way to upgrade is renaming existing scimgateway package folder, create a new one and do a fresh installation. After the installation we copy `index.ts, config and lib folder` (customized plugins) from previous installation to the new installation. You should also read the version history to see if custom plugins needs to be updated.
 
 Alternatives are:  
 
@@ -208,7 +208,6 @@ Below shows an example of config\plugin-saphana.json
 	  "scimgateway": {
 	    "port": 8884,
 	    "localhostonly": false,
-        "payloadSize": null,
         "scim": {
           "version": "2.0",
           "skipTypeConvert" : false,
@@ -281,18 +280,19 @@ Below shows an example of config\plugin-saphana.json
 	      }
 	    },
 	    "ipAllowList": [],
-	    "emailOnError": {
-	      "smtp": {
+	    "email": {
+	      "auth": {
+	        "type": "oauth",
+	        "options": {
+	          "tenantIdGUID": null,
+	          "clientId": null,
+	          "clientSecret": null
+	        }
+	      },
+	      "emailOnError": {
 	        "enabled": false,
-	        "host": null,
-	        "port": 587,
-	        "proxy": null,
-	        "authenticate": true,
-	        "username": null,
-	        "password": null,
-	        "sendInterval": 15,
-	        "to": null,
-	        "cc": null
+	        "from": null,
+	        "to": null
 	      }
 	    },
 	    "stream": {
@@ -349,15 +349,15 @@ Definitions in `scimgateway` object have fixed attributes, but values can be mod
 
 Definitions in `endpoint` object are customized according to our plugin code. Plugin typically need this information for communicating with endpoint  
 
-- **port** - Gateway will listen on this port number. Clients (e.g. Provisioning Server) will be using this port number for communicating with the gateway.  
+- **port** - Gateway will listen on this port number. Clients (e.g. Provisioning Server) will be using this port number for communicating with the gateway
 
-- **localhostonly** - true or false. False means gateway accepts incoming requests from all clients. True means traffic from only localhost (127.0.0.1) is accepted.  
+- **localhostonly** - true or false. False means gateway accepts incoming requests from all clients. True means traffic from only localhost (127.0.0.1) is accepted.
 
-- **payloadSize** - if not defined, default "1mb" will be used. There are cases which large groups could exceed default size and you may want to increase by setting your own size  
+- **idleTimeout** - default 120, sets the the number of seconds to wait before timing out a connection due to inactivity
 
-- **scim.version** - "1.1" or "2.0". Default is "2.0".  
+- **scim.version** - "1.1" or "2.0". Default is "2.0".
 
-- **scim.skipTypeConvert** - true or false, default false. Multivalue attributes supporting types e.g. emails, phoneNumbers, ims, photos, addresses, entitlements and x509Certificates (but not roles, groups and members) will be become "type converted objects" when sent to modifyUser and createUser. This for simplicity of checking attributes included and also for the endpointMapper method (used by plugin-ldap and plugin-entra-id), e.g.: 
+- **scim.skipTypeConvert** - true or false, default false. Multivalue attributes supporting types e.g. emails, phoneNumbers, ims, photos, addresses, entitlements and x509Certificates (but not roles, groups and members) will be become "type converted objects" when sent to modifyUser and createUser. This for simplicity of checking attributes included and also for the endpointMapper method (used by plugin-ldap and plugin-entra-id), e.g.:
 
 		"emails": {
 		  "work": {"value": "jsmith@example.com", "type": "work"},
@@ -375,34 +375,34 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **scim.skipMetaLocation** - true or false, default false. If set to true, `meta.location` which contains protocol and hostname from request-url, will be excluded from response e.g. `"{...,meta":{"location":"https://my-company.com/<...>"}}`. If using reverse proxy and not including headers `X-Forwarded-Proto` and `X-Forwarded-Host`, originator will be the proxy and we might not want to expose internal protocol and hostname being used by the proxy request.
 
-- **scim."groupMemberOfUser** - true or false, default false. If body contains groups and groupMemberOfUser=true, groups attribute will remain at user object (groups are member of user) instead of default user member of groups that will use modifyGroup method for maintaining group members.
+- **scim.groupMemberOfUser** - true or false, default false. If body contains groups and groupMemberOfUser=true, groups attribute will remain at user object (groups are member of user) instead of default user member of groups that will use modifyGroup method for maintaining group members.
 
 - **scim.usePutSoftSync** - true or false, default false. `PUT /Users/bjensen` will replace the user bjensen with body content. If set to `true`, only PUT body content will be replaced. Any additional existing user attributes and groups supported by plugin will remain as-is.
 
-- **log.loglevel.file** - off, error, info, or debug. Output to plugin-logfile e.g. `logs\plugin-saphana.log`  
+- **log.loglevel.file** - off, error, info, or debug. Output to plugin-logfile e.g. `logs\plugin-saphana.log`
 
-- **log.loglevel.console** - off, error, info, or debug. Output to stdout and errors to stderr.   
+- **log.loglevel.console** - off, error, info, or debug. Output to stdout and errors to stderr.
 
-- **log.customMasking** - array of attributes to be masked e.g. `"customMasking": ["SSN", "weight"]`. By default SCIM Gateway includes masking of some standard attributes like password.  
+- **log.customMasking** - array of attributes to be masked e.g. `"customMasking": ["SSN", "weight"]`. By default SCIM Gateway includes masking of some standard attributes like password.
 
 - **auth** - Contains one or more authentication/authorization methods used by clients for accessing gateway - may also include:
   - **auth.xx.readOnly** - true/false, true gives read only access - only allowing `GET` requests for corresponding admin user
   - **auth.xx.baseEntities** - array containing one or more `baseEntity` allowed for this user e.g. ["client-a"] - empty array allowing all.  
-  **Methods are disabled by setting corresponding admin user to null or remove methods not used**  
+  **Methods are disabled by setting corresponding admin user to null or remove methods not used**
 
-- **auth.basic** - Array of one ore more basic authentication objects - Basic Authentication with **username**/**password**. Note, we set a clear text password that will become encrypted when gateway is started.  
+- **auth.basic** - Array of one ore more basic authentication objects - Basic Authentication with **username**/**password**. Note, we set a clear text password that will become encrypted when gateway is started.
 
-- **auth.bearerToken** - Array of one or more bearer token objects - Shared token/secret (supported by Entra ID). Clear text value will become encrypted when gateway is started.  
+- **auth.bearerToken** - Array of one or more bearer token objects - Shared token/secret (supported by Entra ID). Clear text value will become encrypted when gateway is started.
 
-- **auth.bearerJwtAzure** - Array of one or more JWT used by Azure SyncFabric. **tenantIdGUID** must be set to Entra ID Tenant ID.  
+- **auth.bearerJwtAzure** - Array of one or more JWT used by Azure SyncFabric. **tenantIdGUID** must be set to Entra ID Tenant ID.
 
-- **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret** or **publicKey** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. **options.issuer** is mandatory. Other options may also be included according to jsonwebtoken npm package definition.   
+- **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret** or **publicKey** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. **options.issuer** is mandatory. Other options may also be included according to jsonwebtoken npm package definition.
 
-- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`client_id`** and **`client_secret`** are mandatory. client_secret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token  
+- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`client_id`** and **`client_secret`** are mandatory. client_secret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token
 
-- **auth.passThrough** - Setting **auth.passThrough.enabled=true** will bypass SCIM Gateway authentication. Gateway will instead pass ctx containing authentication header to the plugin. Plugin could then use this information for endpoint authentication and we don't have any password/token stored at the gateway. Note, this also requires plugin binary having `scimgateway.authPassThroughAllowed = true` and endpoint logic for handling/passing ctx.request.header.authorization 
+- **auth.passThrough** - Setting **auth.passThrough.enabled=true** will bypass SCIM Gateway authentication. Gateway will instead pass ctx containing authentication header to the plugin. Plugin could then use this information for endpoint authentication and we don't have any password/token stored at the gateway. Note, this also requires plugin binary having `scimgateway.authPassThroughAllowed = true` and endpoint logic for handling/passing ctx.request.header.authorization
 
-- **certificate** - If not using TLS certificate, set "key", "cert" and "ca" to **null**. When using TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory unless absolute path being defined e.g:  
+- **certificate** - If not using TLS certificate, set "key", "cert" and "ca" to **null**. When using TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory unless absolute path being defined e.g:
   
 		"certificate": {
 		  "key": "key.pem",
@@ -436,23 +436,34 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
           "2603:1056:2000::/48",
           "2603:1057:2::/48"
         ]
-
-- **emailOnError** - Contains configuration for sending error notifications by email. Note, only the first error will be sent until sendInterval have passed
-- **emailOnError.smtp.enabled** - true or false, value set to true will enable email notifications
-- **emailOnError.smtp.host** - Mailserver e.g. "smtp.office365.com"
-- **emailOnError.smtp.port** - Port used by mailserver e.g. 587, 25 or 465
-- **emailOnError.smtp.proxy** - If using mailproxy e.g. "http://proxy-host:1234"
-- **emailOnError.smtp.authenticate** - true or false, set to true will use username/password authentication
-- **emailOnError.smtp.username** - Mail account for authentication and also the sender of the email, e.g. "user@outlook.com"
-- **emailOnError.smtp.password** - Mail account password
-- **emailOnError.smtp.sendInterval** - Mail notifications on error are deferred until sendInterval **minutes** have passed since the last notification. Default 15 minutes
-- **emailOnError.smtp.to** - Comma separated list of recipients email addresses e.g: "someone@example.com"
-- **emailOnError.smtp.cc** - Comma separated list of cc email addresses
+- **email** - Contains configuration for sending email from plugin or automated error notifications emailOnError. Note, for emailOnError only the first error will be sent until sendInterval have passed
+- **email.host** - Mailserver e.g. "smtp.gmail.com" - mandatory when not using tenantIdGUID (Microsoft)
+- **email.port** - Port used by mailserver e.g. 587, 25 or 465 - mandatory when not using tenantIdGUID (Microsoft)
+- **email.auth** - Authentication configuration
+- **email.auth.type** - `basic` or `oauth`
+- **email.auth.options** - Authentication configuration options - note, different options for type basic and oauth
+- **email.auth.options.username (basic)** - Mail account for authentication normally same as sender of the email, e.g. "user@gmail.com"
+- **email.auth.options.password (basic)** - Mail account password
+- **email.auth.options.tenantIdGUID (oauth)** - Entra ID tenant id, mandatory/recommended when using Microsoft Exchange Online
+- **email.auth.options.tokenUrl (oauth)** - Token endpoint, mandatory when not using tenantIdGUID (Microsoft Exchange Online)
+- **email.auth.options.clientId (oauth)** - Client ID
+- **email.auth.options.clientSecret (oauth)** - Client Secret
+- **email.proxy** - Proxy configuration if using mailproxy
+- **email.proxy.host** - Proxy host e.g. `http://proxy-host:1234`
+- **email.proxy.username** - username if authentication is required
+- **email.proxy.password** - password if authentication is required
+- **email.emailOnError** - Contains configuration for sending error notifications by email. Note, only the first error will be sent until sendInterval have passed
+- **email.emailOnError.enabled** - true or false, value set to true will enable email notifications
+- **email.emailOnError.sendInterval** - Default 15. Mail notifications on error are deferred until sendInterval **minutes** have passed since the last notification.
+- **email.emailOnError.from** - Sender email addresses e.g: "noreply@example.com", note must correspond with email.auth.options being used and mailserver configuration
+- **email.emailOnError.to** - Comma separated list of recipients email addresses e.g: "someone@example.com"
+- **email.emailOnError.cc** - Optional comma separated list of cc mail addresses
+- **email.emailOnError.subject** - Optional mail subject, default `SCIM Gateway error message`
 
 - **stream** - See [SCIM Stream](https://elshaug.xyz/docs/scim-stream) for configuration details
 
-- **endpoint** - Contains endpoint specific configuration according to our **plugin code**.    
- 
+- **endpoint** - Contains endpoint specific configuration according to our **plugin code**. 
+
 #### Configuration notes
 
 - Custom Schemas, ServiceProviderConfig and ResourceType can be used if `./lib/scimdef-v2.json or scimdef-v1.json` exists. Original scimdef-v2.json/scimdef-v1.json can be copied from node_modules/scimgateway/lib to your plugin/lib and customized.
@@ -1086,6 +1097,21 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v5.0.6  
+
+[Improved]
+
+- new configuration option: `scimgateway.idleTimeout` default 120, sets the the number of seconds to wait before timing out a connection due to inactivity
+- new configuration option: `scimgateway.email` replacing legacy `scimgateway.emailOnError` (legacy still supported). Email now support oauth authentication configuration which is default and recommended for Microsoft Exchange Online.
+- removed configuration option: `scimgateway.payloadSize` Bun using default maxRequestBodySize 128MB
+- plugin may send email using method scimgateway.sendMail()
+
+### v5.0.5  
+
+[Fixed]
+
+- plugin-ldap, dn special character not correct for ascii code 128(dec)/80(hex)
+
 ### v5.0.4  
 
 [Improved] 
@@ -1098,7 +1124,7 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 - unauthorized connection when using configuration bearerJwtAzure 
 
-[Improved] 
+[Improved]
 
 - minor type definition cosmetics
 

package/config/plugin-api.json

@@ -2,7 +2,6 @@
   "scimgateway": {
     "port": 8890,
     "localhostonly": false,
-    "payloadSize": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,
@@ -75,18 +74,19 @@
       }
     },
     "ipAllowList": [],
-    "emailOnError": {
-      "smtp": {
+    "email": {
+      "auth": {
+        "type": "oauth",
+        "options": {
+          "tenantIdGUID": null,
+          "clientId": null,
+          "clientSecret": null
+        }
+      },
+      "emailOnError": {
         "enabled": false,
-        "host": null,
-        "port": 587,
-        "proxy": null,
-        "authenticate": true,
-        "username": null,
-        "password": null,
-        "sendInterval": 15,
-        "to": null,
-        "cc": null
+        "from": null,
+        "to": null
       }
     },
     "stream": {

package/config/plugin-entra-id.json

@@ -2,7 +2,6 @@
   "scimgateway": {
     "port": 8881,
     "localhostonly": false,
-    "payloadSize": null,
     "scim": {
       "version": "2.0",
       "customSchema": null,
@@ -75,18 +74,56 @@
       }
     },
     "ipAllowList": [],
-    "emailOnError": {
-      "smtp": {
+    "email": {
+      "auth": {
+        "type": "oauth",
+        "options": {
+          "tenantIdGUID": null,
+          "clientId": null,
+          "clientSecret": null
+        }
+      },
+      "emailOnError": {
+        "enabled": false,
+        "from": null,
+        "to": null
+      }
+    },
+    "stream": {
+      "baseUrls": [],
+      "certificate": {
+        "ca": null
+      },
+      "subscriber": {
         "enabled": false,
-        "host": null,
-        "port": 587,
-        "proxy": null,
-        "authenticate": true,
-        "username": null,
-        "password": null,
-        "sendInterval": 15,
-        "to": null,
-        "cc": null
+        "entity": {
+          "undefined": {
+            "nats": {
+              "tenant": null,
+              "subject": null,
+              "jwt": null,
+              "secret": null
+            },
+            "deleteUserOnLastGroupRoleRemoval": false,
+            "skipConvertRolesToGroups": false,
+            "generateUserPassword": false,
+            "modifyOnly": false,
+            "replaceDomains": []
+          }
+        }
+      },
+      "publisher": {
+        "enabled": false,
+        "entity": {
+          "undefined": {
+            "nats": {
+              "tenant": null,
+              "subject": null,
+              "jwt": null,
+              "secret": null
+            }
+          }
+        }
       }
     }
   },

package/config/plugin-ldap.json

@@ -2,7 +2,6 @@
   "scimgateway": {
     "port": 8883,
     "localhostonly": false,
-    "payloadSize": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,
@@ -75,18 +74,19 @@
       }
     },
     "ipAllowList": [],
-    "emailOnError": {
-      "smtp": {
+    "email": {
+      "auth": {
+        "type": "oauth",
+        "options": {
+          "tenantIdGUID": null,
+          "clientId": null,
+          "clientSecret": null
+        }
+      },
+      "emailOnError": {
         "enabled": false,
-        "host": null,
-        "port": 587,
-        "proxy": null,
-        "authenticate": true,
-        "username": null,
-        "password": null,
-        "sendInterval": 15,
-        "to": null,
-        "cc": null
+        "from": null,
+        "to": null
       }
     },
     "stream": {
@@ -275,4 +275,4 @@
       }
     }
   }
-}
+}

package/config/plugin-loki.json

@@ -2,7 +2,6 @@
   "scimgateway": {
     "port": 8880,
     "localhostonly": false,
-    "payloadSize": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,
@@ -75,18 +74,19 @@
       }
     },
     "ipAllowList": [],
-    "emailOnError": {
-      "smtp": {
+    "email": {
+      "auth": {
+        "type": "oauth",
+        "options": {
+          "tenantIdGUID": null,
+          "clientId": null,
+          "clientSecret": null
+        }
+      },
+      "emailOnError": {
         "enabled": false,
-        "host": null,
-        "port": 587,
-        "proxy": null,
-        "authenticate": true,
-        "username": null,
-        "password": null,
-        "sendInterval": 15,
-        "to": null,
-        "cc": null
+        "from": null,
+        "to": null
       }
     },
     "stream": {

package/config/plugin-mongodb.json

@@ -2,7 +2,6 @@
   "scimgateway": {
     "port": 8885,
     "localhostonly": false,
-    "payloadSize": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,
@@ -81,18 +80,19 @@
       }
     },
     "ipAllowList": [],
-    "emailOnError": {
-      "smtp": {
+    "email": {
+      "auth": {
+        "type": "oauth",
+        "options": {
+          "tenantIdGUID": null,
+          "clientId": null,
+          "clientSecret": null
+        }
+      },
+      "emailOnError": {
         "enabled": false,
-        "host": null,
-        "port": 587,
-        "proxy": null,
-        "authenticate": true,
-        "username": null,
-        "password": null,
-        "sendInterval": 15,
-        "to": null,
-        "cc": null
+        "from": null,
+        "to": null
       }
     },
     "stream": {
@@ -151,4 +151,4 @@
       }
     }
   }
-}
+}

package/config/plugin-mssql.json

@@ -2,7 +2,6 @@
   "scimgateway": {
     "port": 8888,
     "localhostonly": false,
-    "payloadSize": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,
@@ -75,18 +74,19 @@
       }
     },
     "ipAllowList": [],
-    "emailOnError": {
-      "smtp": {
+    "email": {
+      "auth": {
+        "type": "oauth",
+        "options": {
+          "tenantIdGUID": null,
+          "clientId": null,
+          "clientSecret": null
+        }
+      },
+      "emailOnError": {
         "enabled": false,
-        "host": null,
-        "port": 587,
-        "proxy": null,
-        "authenticate": true,
-        "username": null,
-        "password": null,
-        "sendInterval": 15,
-        "to": null,
-        "cc": null
+        "from": null,
+        "to": null
       }
     },
     "stream": {
@@ -133,18 +133,18 @@
       "authentication": {
         "type": "default",
         "options": {
-          "userName": "sa",
+          "userName": "scimgateway",
           "password": "password"
         }
       },
       "options": {
         "instanceName": "",
         "port": 1433,
-        "database": "MyDatabase",
+        "database": "scimgateway",
         "useColumnNames": true,
         "rowCollectionOnRequestCompletion": true,
         "encrypt": false
       }
     }
   }
-}
+}

package/config/plugin-saphana.json

@@ -2,7 +2,6 @@
   "scimgateway": {
     "port": 8884,
     "localhostonly": false,
-    "payloadSize": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,
@@ -75,18 +74,19 @@
       }
     },
     "ipAllowList": [],
-    "emailOnError": {
-      "smtp": {
+    "email": {
+      "auth": {
+        "type": "oauth",
+        "options": {
+          "tenantIdGUID": null,
+          "clientId": null,
+          "clientSecret": null
+        }
+      },
+      "emailOnError": {
         "enabled": false,
-        "host": null,
-        "port": 587,
-        "proxy": null,
-        "authenticate": true,
-        "username": null,
-        "password": null,
-        "sendInterval": 15,
-        "to": null,
-        "cc": null
+        "from": null,
+        "to": null
       }
     },
     "stream": {
@@ -134,4 +134,4 @@
     "password": "password",
     "saml_provider": "saml_provider_name"
   }
-}
+}

package/config/plugin-scim.json

@@ -2,7 +2,6 @@
   "scimgateway": {
     "port": 8886,
     "localhostonly": false,
-    "payloadSize": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,
@@ -75,18 +74,19 @@
       }
     },
     "ipAllowList": [],
-    "emailOnError": {
-      "smtp": {
+    "email": {
+      "auth": {
+        "type": "oauth",
+        "options": {
+          "tenantIdGUID": null,
+          "clientId": null,
+          "clientSecret": null
+        }
+      },
+      "emailOnError": {
         "enabled": false,
-        "host": null,
-        "port": 587,
-        "proxy": null,
-        "authenticate": true,
-        "username": null,
-        "password": null,
-        "sendInterval": 15,
-        "to": null,
-        "cc": null
+        "from": null,
+        "to": null
       }
     },
     "stream": {

package/config/plugin-soap.json

@@ -2,7 +2,6 @@
   "scimgateway": {
     "port": 8882,
     "localhostonly": false,
-    "payloadSize": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,
@@ -75,18 +74,19 @@
       }
     },
     "ipAllowList": [],
-    "emailOnError": {
-      "smtp": {
+    "email": {
+      "auth": {
+        "type": "oauth",
+        "options": {
+          "tenantIdGUID": null,
+          "clientId": null,
+          "clientSecret": null
+        }
+      },
+      "emailOnError": {
         "enabled": false,
-        "host": null,
-        "port": 587,
-        "proxy": null,
-        "authenticate": true,
-        "username": null,
-        "password": null,
-        "sendInterval": 15,
-        "to": null,
-        "cc": null
+        "from": null,
+        "to": null
       }
     },
     "stream": {

package/lib/helper-rest.ts

@@ -4,7 +4,7 @@ import { Buffer } from 'node:buffer'
 import fs from 'node:fs'
 import querystring from 'querystring'
 import * as utils from './utils.ts'
-import type ScimGateway from 'scimgateway'
+import ScimGateway from 'scimgateway'
 
 /**
  * HelperRest includes function doRequest() for doing REST calls
@@ -14,12 +14,16 @@ export class HelperRest {
   private _serviceClient: Record<string, any> = {}
   private config_entity: any
   private scimgateway: ScimGateway
+  private idleTimeout: number
   private graphUrl = 'https://graph.microsoft.com/beta' // beta instead of 'v1.0' gives all user attributes when no $select
 
-  constructor(scimgateway: ScimGateway) {
+  constructor(scimgateway: ScimGateway, optionalEntities?: Record<string, any>) {
+    if (!(scimgateway instanceof ScimGateway)) throw new Error('HelperRest initialization error: argument scimgateway is not of type ScimGateway')
     this.scimgateway = scimgateway
-    const config = scimgateway.getConfig()
-    this.config_entity = config.entity
+    this.idleTimeout = (scimgateway as any)?.config?.scimgateway.idleTimeout || 120
+    this.idleTimeout = this.idleTimeout - 1
+    if (optionalEntities && optionalEntities.entity) this.config_entity = utils.copyObj(optionalEntities.entity)
+    else this.config_entity = utils.copyObj(scimgateway.getConfig())?.entity
     let entityFound = false
     let connectionFound = false
     for (const baseEntity in this.config_entity) {
@@ -31,15 +35,12 @@ export class HelperRest {
           }
         }
         connectionFound = true
-        if (!this.config_entity[baseEntity].connection.baseUrls
-          || !Array.isArray(this.config_entity[baseEntity].connection.baseUrls)
-          || this.config_entity[baseEntity].connection.baseUrls.length < 1) {
-          throw new Error('HelperRest initialization error: missing configuration \'endpoint.entity.<name>.connection.baseUrls\'')
-        }
       }
     }
-    if (!entityFound) throw new Error('HelperRest initialization error: missing configuration \'endpoint.entity.<name>\'')
-    if (!connectionFound) throw new Error('HelperRest initialization error: missing configuration \'endpoint.entity.<name>.connection\'')
+    let errMsg = ''
+    if (!entityFound) errMsg = 'HelperRest initialization error: missing configuration \'endpoint.entity.<name>\''
+    else if (!connectionFound) errMsg = 'HelperRest initialization error: missing configuration \'endpoint.entity.<name>.connection\''
+    if (errMsg) this.scimgateway.logError('undefined', errMsg)
   }
 
   /**
@@ -68,12 +69,12 @@ export class HelperRest {
   }
 
   /**
-   * getAccessToken returns oauth accesstoken
+   * getAccessToken returns oauth accesstoken object
    * @param baseEntity 
    * @param ctx 
-   * @returns oauth accesstoken
+   * @returns oauth accesstoken object
    */
-  private async getAccessToken(baseEntity: string, ctx: Record<string, any> | undefined) {
+  public async getAccessToken(baseEntity: string, ctx?: Record<string, any> | undefined) { // public in case token is needed for other logic e.g. sending mail
     await this.lock.acquire()
     const clientIdentifier = this.getClientIdentifier(ctx)
     const d = Math.floor(Date.now() / 1000) // seconds (unix time)
@@ -417,7 +418,7 @@ export class HelperRest {
       } else delete options.headers['Content-Type']
       const controller = new AbortController()
       const signal = controller.signal
-      const timeout = setTimeout(() => controller.abort(), options.abortTimeout ? options.abortTimeout * 1000 : 120 * 1000) // 120 seconds default abort timeout
+      const timeout = setTimeout(() => controller.abort(), options.abortTimeout ? options.abortTimeout * 1000 : this.idleTimeout * 1000) // 120 seconds default abort timeout
       options.signal = signal
       const url = `${options.protocol}//${options.host}${options.port ? ':' + options.port : ''}${options.path}`
       // execute request
@@ -486,7 +487,7 @@ export class HelperRest {
       if (!retryCount) retryCount = 0
       let urlObj
       try { urlObj = new URL(path) } catch (err) { void 0 }
-      if (!urlObj && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND' || err.code === 'ETIMEDOUT' || retryAfter)) {
+      if (!urlObj && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND' || err.code === 'ABORT_ERR' || err.code === 'ETIMEDOUT' || retryAfter)) {
         if (retryAfter) {
           this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} throttle/ratelimit error - awaiting ${retryAfter} seconds before automatic retry`)
           await new Promise(resolve => setTimeout(function () {

package/lib/logger.ts

@@ -4,9 +4,7 @@
 // Author:  Jarle Elshaug
 // ==============================================================
 
-// import * as winston from 'winston' // level: silly=0(lowest), debug=1, verbose=2, info=3, warn=4, error=5(highest)
-// import winston, { Logger } from 'winston'
-import winston, { Logger } from 'winston'
+import winston, { Logger } from 'winston' // level: silly=0, debug=1, verbose=2, info=3, warn=4, error=5
 
 // Wrong time if not setting timestamp. Timezone did not work.
 // moment-timezone is also an alternative to the timestamp() function.

package/lib/plugin-ldap.ts

@@ -1452,7 +1452,7 @@ const doRequest = async (baseEntity: string, method: string, base: any, options:
                 obj.dn = obj.dn.replace(/\\\\/g, '__') // temp
                 let conv = obj.dn.replace(/\\([0-9A-Fa-f]{2})/g, (_: any, hex: any) => {
                   const intAscii = parseInt(hex, 16)
-                  if (intAscii > 128) { // extended ascii - will be unescaped by decodeURIComponent
+                  if (intAscii > 127) { // extended ascii - will be unescaped by decodeURIComponent
                     return '%' + hex
                   } else { // use character escape
                     return '\\' + String.fromCharCode(intAscii)

package/lib/scimgateway.ts

@@ -27,6 +27,7 @@ import * as utils from './utils.ts'
 import * as utilsScim from './utils-scim.ts'
 import * as stream from './scim-stream.js'
 export * from './helper-rest.ts'
+import { HelperRest } from './helper-rest.ts'
 
 export class ScimGateway {
   private config: any
@@ -39,6 +40,8 @@ export class ScimGateway {
   private getMemberOf: any
   private getAppRoles: any
   private pub: any
+  // @ts-expect-error: has no initializer
+  private helperRest: HelperRest
   /** pluginName is the name of plugin e.g., plugin-loki */
   readonly pluginName: string
   /** configDir is full path to plugin ./config directory */
@@ -402,12 +405,50 @@ export class ScimGateway {
     this.config.scimgateway.auth.oauthTokenStore = {}
     if (!this.config.scimgateway.certificate) this.config.scimgateway.certificate = {}
     if (!this.config.scimgateway.certificate.pfx) this.config.scimgateway.certificate.pfx = {}
-    if (!this.config.scimgateway.emailOnError) this.config.scimgateway.emailOnError = {}
-    if (!this.config.scimgateway.emailOnError.smtp) this.config.scimgateway.emailOnError.smtp = {}
+
+    if (!this.config.scimgateway.email) this.config.scimgateway.email = {}
+    if (!this.config.scimgateway.email.auth) this.config.scimgateway.email.auth = {}
+    if (!this.config.scimgateway.email.auth.options) this.config.scimgateway.email.auth.options = {}
+    if (!this.config.scimgateway.email.emailOnError) this.config.scimgateway.email.emailOnError = {}
+
     if (!this.config.scimgateway.stream) this.config.scimgateway.stream = {}
     if (!this.config.scimgateway.stream.subscriber) this.config.scimgateway.stream.subscriber = {}
     if (!this.config.scimgateway.stream.publisher) this.config.scimgateway.stream.publisher = {}
 
+    // start - legacy support
+    if (!this.config.scimgateway.emailOnError) this.config.scimgateway.emailOnError = {}
+    if (!this.config.scimgateway.emailOnError.smtp) this.config.scimgateway.emailOnError.smtp = {}
+    if (this.config.scimgateway.emailOnError.smtp.host) {
+      this.config.scimgateway.email.host = this.config.scimgateway.emailOnError.smtp.host
+    }
+    if (this.config.scimgateway.emailOnError.smtp.port) {
+      this.config.scimgateway.email.port = this.config.scimgateway.emailOnError.smtp.port
+    }
+    if (this.config.scimgateway.emailOnError.smtp.proxy) {
+      this.config.scimgateway.email.proxy = this.config.scimgateway.emailOnError.smtp.proxy
+    }
+    if (this.config.scimgateway.emailOnError.smtp.username) {
+      this.config.scimgateway.email.emailOnError.from = this.config.scimgateway.emailOnError.smtp.username
+      this.config.scimgateway.email.auth.options.username = this.config.scimgateway.emailOnError.smtp.username
+    }
+    if (this.config.scimgateway.emailOnError.smtp.password) {
+      this.config.scimgateway.email.auth.options.password = this.config.scimgateway.emailOnError.smtp.password
+      this.config.scimgateway.email.auth.type = 'basic'
+    }
+    if (this.config.scimgateway.emailOnError.smtp.enabled) {
+      this.config.scimgateway.email.emailOnError.enabled = this.config.scimgateway.emailOnError.smtp.enabled
+    }
+    if (this.config.scimgateway.emailOnError.smtp.sendInterval) {
+      this.config.scimgateway.email.emailOnError.sendInterval = this.config.scimgateway.emailOnError.smtp.sendInterval
+    }
+    if (this.config.scimgateway.emailOnError.smtp.to) {
+      this.config.scimgateway.email.emailOnError.to = this.config.scimgateway.emailOnError.smtp.to
+    }
+    if (this.config.scimgateway.emailOnError.smtp.cc) {
+      this.config.scimgateway.email.emailOnError.cc = this.config.scimgateway.emailOnError.smtp.cc
+    }
+    // end - legacy support
+
     if (this.config.scimgateway.ipAllowList && Array.isArray(this.config.scimgateway.ipAllowList) && this.config.scimgateway.ipAllowList.length > 0) {
       ipAllowListChecker = createChecker(this.config.scimgateway.ipAllowList)
     }
@@ -896,7 +937,7 @@ export class ScimGateway {
       const baseEntity = ctx.routeObj.baseEntity
       const id = decodeURIComponent(path.basename(ctx.routeObj.id || '', '.json')) // supports <id>.json
 
-      if (!id || id.includes('/')) {
+      if (!id) {
         ctx.response.status = 500
         const err = new Error('missing id')
         const [e, customErrorCode] = utilsScim.jsonErr(this.config.scimgateway.scim.version, pluginName, ctx.response.status, err)
@@ -2119,7 +2160,7 @@ export class ScimGateway {
         const attributes = ['id', 'displayName']
         logger.debug(`${gwName}[${pluginName}][${baseEntity}] calling "${handler.groups.getMethod}" and awaiting result - groups to be included`)
         res = await (this as any)[handler.groups.getMethod](baseEntity, ob, attributes, ctxPassThrough)
-      } catch (err) { } // ignore errors
+      } catch (err) { void 0 }
       if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
         for (let i = 0; i < res.Resources.length; i++) {
           if (!res.Resources[i].id) continue
@@ -2358,14 +2399,14 @@ export class ScimGateway {
         hostname = 'localhost'
       }
       try {
-      // using fs.readFileSync() instead of Bun.file() for nodejs compability
+        // using fs.readFileSync() instead of Bun.file() for nodejs compability
         if (this.config.scimgateway?.certificate?.key && this.config.scimgateway?.certificate?.cert) {
-        // TLS
+          // TLS
           tls.key = this.config.scimgateway.certificate.key ? fs.readFileSync(this.config.scimgateway.certificate.key) : undefined
           tls.cert = this.config.scimgateway.certificate.cert ? fs.readFileSync(this.config.scimgateway.certificate.cert) : undefined
-        // loading tls.ca would require client certificates to be used
+          // loading tls.ca would require client certificates to be used
         } else if (this.config.scimgateway?.certificate?.pfx && this.config.scimgateway?.certificate?.pfx?.bundle) {
-        // TLS PFX / PKCS#12
+          // TLS PFX / PKCS#12
           tls.pfx = this.config.scimgateway.certificate.pfx.bundle ? fs.readFileSync(this.config.scimgateway.certificate.pfx.bundle) : undefined
           tls.passphrase = this.config.scimgateway.certificate.pfx.password ? utils.getSecret('scimgateway.certificate.pfx.password', this.configFile) : undefined
         }
@@ -2439,6 +2480,7 @@ export class ScimGateway {
         server = Bun.serve({
           port: this.config.scimgateway.port,
           reusePort: false,
+          idleTimeout: this.config.scimgateway.idleTimeout || 120,
           hostname, // hostname === 'localhost' ? hostname : undefined, // bun defaults to '0.0.0.0', but using '0.0.0.0.' or other ip like '127.0.0.1' becomes extremly slow - bun bug
           tls,
           async fetch(req, srv) {
@@ -2583,49 +2625,27 @@ export class ScimGateway {
     logger.setLoglevelConsole(this.config?.scimgateway?.log?.loglevel?.console) // revert temporary info console loglevel, use config
 
     logger.setEmailOnError(async (msg: string) => { // logger sending email on error
-      if (!this.config.scimgateway.emailOnError || !this.config.scimgateway.emailOnError.smtp || !(this.config.scimgateway.emailOnError.smtp.enabled === true) || isMailLock) return null // not sending mail
+      if (!(this.config.scimgateway.email.emailOnError.enabled === true) || isMailLock) return null // not sending mail
       isMailLock = true
 
       setTimeout(function () { // release lock after "sendInterval" minutes
         isMailLock = false
-      }, (this.config.scimgateway.emailOnError.smtp.sendInterval || 15) * 1000 * 60)
-
-      const bodyHtml = `<html><body> 
-            <p>${msg}</p> 
-            <br> 
-            <p><strong>This is an automatically generated email - please do NOT reply to this email or forward to others</strong></p> 
-            </body></html>`
-
-      const smtpConfig: { [key: string]: any } = {
-        host: this.config.scimgateway.emailOnError.smtp.host, // e.g. smtp.office365.com
-        port: this.config.scimgateway.emailOnError.smtp.port || 587,
-        proxy: this.config.scimgateway.emailOnError.smtp.proxy || null,
-        secure: (this.config.scimgateway.emailOnError.smtp.port === 465), // false on 25/587
-        tls: { ciphers: 'TLSv1.2' },
-      }
-      if (this.config.scimgateway.emailOnError.smtp.authenticate) {
-        smtpConfig.auth = {}
-        smtpConfig.auth.user = this.config.scimgateway.emailOnError.smtp.username
-        smtpConfig.auth.pass = this.config.scimgateway.emailOnError.smtp.password
-      }
-
-      const transporter = nodemailer.createTransport(smtpConfig)
-      const mailOptions = {
-        from: this.config.scimgateway.emailOnError.smtp.username, // sender address
-        to: this.config.scimgateway.emailOnError.smtp.to, // list of receivers - comma separated
-        cc: this.config.scimgateway.emailOnError.smtp.cc,
-        subject: 'SCIM Gateway error message',
-        html: bodyHtml, // 'text': bodyText
-      }
-
-      const smtp_to = this.config.scimgateway.emailOnError.smtp.to
-      const smtp_cc = this.config.scimgateway.emailOnError.smtp.cc
-      transporter.sendMail(mailOptions, function (err) {
-        if (err != null) logger.error(`${gwName}[${pluginName}] mailOnError sending failed: ${err.message}`)
-        else logger.debug(`${gwName}[${pluginName}] mailOnError sent to: ${smtp_to}${(smtp_cc) ? ',' + smtp_cc : ''}`)
-      })
-      return null
-    }) // emailOnError
+      }, (this.config.scimgateway.email.emailOnError.sendInterval || 15) * 1000 * 60)
+      const msgHtml = `<html><body> 
+        <p>${msg}</p> 
+        <br> 
+        <p><strong>This is an automatically generated email - please do NOT reply to this email or forward to others</strong></p> 
+        </body></html>`
+
+      const msgObj = {
+        from: this.config.scimgateway.email.emailOnError.from,
+        to: this.config.scimgateway.email.emailOnError.to,
+        cc: this.config.scimgateway.email.emailOnError.cc,
+        subject: this.config.scimgateway.email.emailOnError.subject ? this.config.scimgateway.email.emailOnError.subject : 'SCIM Gateway error message',
+        content: msgHtml,
+      }
+      this.sendMail(msgObj, true)
+    })
 
     const gracefulShutdown = async function () {
       if (server) {
@@ -2642,6 +2662,7 @@ export class ScimGateway {
         if (typeof Bun !== 'undefined') {
           await Bun.sleep(400) // give in-flight requests a chance to complete, also plugins may use SIGTERM/SIGINT
           server.stop()
+          process.exit(0)
         } else {
           server.close(function () {
             setTimeout(function () { // plugins may also use SIGTERM/SIGINT
@@ -2800,6 +2821,205 @@ export class ScimGateway {
   */
   endpointMapper = utilsScim.endpointMapper
 
+  /**
+  * sendMail sends a mail using scimgateway.email configuraration
+  * @param msgObj mail object
+  * @param isHtml set to true if msgObj.content is HTML encoded, else false for plain text
+  * @remarks
+  * msgObj example:  
+  * ```
+  * {
+  *   from: 'firstname.lastname@company.com',
+  *   to: 'servicedesk@company.com',
+  *   cc: 'operators@company.com',
+  *   subject: 'SCIM Gateway message',
+  *   content: '<html><body><p>Testing <b>HTML encoded</b> message</p></body></html>',
+  * }
+  * ```
+  * email server and authentication being used is defiend in configuration file setting scimgateway.email  
+  * example below using **SMTP AUTH**  
+  * note, msgObj.from should normally correspond with configuration auth.options.username
+  * ```
+  * {
+  *   "scimgateway": {
+  *     "email": {
+  *       "host": "<host>", // smtp.gmail.com
+  *       "port": <port>, // 587
+  *       "auth": {
+  *         "type": "basic",
+  *         "options": {
+  *           "username": "<email address>",
+  *           "password": "<password>" // app password
+  *         }
+  *       },
+  *       "proxy": {
+  *         "host": null, // http://proxy-host:1234
+  *         "username": null,
+  *         "password": null
+  *        }
+  *     },
+  *    ...
+  *   }
+  * }
+  * ```
+  * example below using recommended **OAuth**  
+  * note, Microsoft do not default support SMTP AUTH anymore and OAuth should be used   
+  * ```
+  * {
+  *   "scimgateway": {
+  *     "email": {
+  *       "host": "<host>", // required when not using tenantIdGUID (Microsoft)
+  *       "port": <port>, // required when not using tenantIdGUID (Microsoft)
+  *       "auth": {
+  *         "type": "oauth",
+  *         "options": {
+  *           "tenantIdGUID": "<tenantId>", // used for Microsoft Exchange Online
+  *           "tokenUrl": "<tokenUrl>",     // required when not using tenantIdGUID (Microsoft)
+  *           "clientId": "<clientId>",
+  *           "clientSecret": "<clientSecret>"
+  *         }
+  *       },
+  *       "proxy": {
+  *         "host": null, // http://proxy-host:1234
+  *         "username": null,
+  *         "password": null
+  *        }
+  *     },
+  *    ...
+  *   }
+  * }
+  * ```
+  * Some notes when using OAuth and tenantIdGUID - Microsoft Exchange:  
+  * Entra ID application must have application permissions "**Mail.Send**"  
+  *   
+  * For not allowing send email from all mailboxes, ExO **ApplicationAccessPolicy** must be defined through PowerShell.  
+  * First create a mail-enabled security-group that only includes users (mailboxes) the app is allowed to send from  
+  * Note, "mail enabled security" cannot be created from portal, only from admin or admin.exchange console  
+  * ```
+  * ##Connect to Exchange
+  * Install-Module -Name ExchangeOnlineManagement
+  * Connect-ExchangeOnline
+  * 
+  * ##Create ApplicationAccessPolicy
+  * New-ApplicationAccessPolicy -AppId $AppClientID -PolicyScopeGroupId $MailEnabledSecurityGrpId -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
+  * ```
+  **/
+  async sendMail(msgObj: Record<string, any>, isHtml: boolean = false) {
+    const gwName = this.gwName
+    const pluginName = this.pluginName
+    const logger = this.logger
+    const authType = this.config.scimgateway?.email?.auth?.type ? this.config.scimgateway.email.auth.type.toLowerCase() : ''
+
+    if (typeof msgObj !== 'object' || !msgObj.from || !msgObj.to || !msgObj.content) {
+      logger.error(`${gwName}[${pluginName}] sendMail failed: missing or invalid msgObj argument`)
+      return
+    }
+
+    if (authType === 'oauth') {
+      if (!this.helperRest) this.helperRest = new HelperRest(this, { entity: { undefined: { connection: this.config.scimgateway.email } } })
+      if (this.config.scimgateway.email.auth?.options?.tenantIdGUID) {
+        // Graph API
+        const emailMessage: Record<string, any> = {
+          message: {
+            subject: msgObj.subject ? msgObj.subject : 'SCIM Gateway message',
+            body: {
+              content: msgObj.content,
+              contentType: isHtml ? 'HTML' : 'Text',
+            },
+            toRecipients: [],
+            ccRecipients: [],
+          },
+          saveToSentItems: 'false',
+        }
+
+        if (msgObj.to) {
+          let arr = msgObj.to.split(',')
+          for (let i = 0; i < arr.length; i++) {
+            emailMessage.message.toRecipients.push({
+              emailAddress: {
+                address: arr[i],
+              },
+            })
+          }
+        }
+        if (msgObj.cc) {
+          const arr = msgObj.cc.split(',')
+          for (let i = 0; i < arr.length; i++) {
+            emailMessage.message.ccRecipients.push({
+              emailAddress: {
+                address: arr[i],
+              },
+            })
+          }
+        }
+        if (emailMessage.message.toRecipients.length === 0) delete emailMessage.message.toRecipients
+        if (emailMessage.message.ccRecipients.length === 0) delete emailMessage.message.ccRecipients
+
+        const path = `/users/${msgObj.from}/sendMail`
+        try {
+          await this.helperRest.doRequest('undefined', 'POST', path, emailMessage)
+          logger.debug(`${gwName}[${pluginName}] sendMail subject '${emailMessage.message.subject}' sent to: ${msgObj.to}${(msgObj.cc) ? ',' + msgObj.cc : ''}`)
+        } catch (err: any) {
+          logger.error(`${gwName}[${pluginName}] sendMail subject '${emailMessage.message.subject}' sending failed: ${err.message}`)
+        }
+        return
+      }
+    }
+
+    // nodemailer
+    if (!this.config.scimgateway?.email?.host) {
+      logger.error(`${gwName}[${pluginName}] sendMail subject '${msgObj.subject}' sending failed: some missing scimgateway.email configuration`)
+      return
+    }
+    const smtpConfig: { [key: string]: any } = {
+      host: this.config.scimgateway.email.host, // e.g. smtp.office365.com
+      port: this.config.scimgateway.email.port || 587,
+      proxy: this.config.scimgateway.email.proxy || null,
+      secure: (this.config.scimgateway.email.port === 465), // false on 25/587
+      tls: { ciphers: 'TLSv1.2' },
+    }
+    if (authType) {
+      smtpConfig.auth = {}
+      if (authType === 'basic') {
+        smtpConfig.auth.user = this.config.scimgateway.email.auth.options.username
+        smtpConfig.auth.pass = this.config.scimgateway.email.auth.options.password
+      } else if (authType === 'oauth') {
+        smtpConfig.auth.type = 'OAuth2'
+      }
+    }
+
+    const transporter = nodemailer.createTransport(smtpConfig)
+
+    const mailOptions: Record<string, any> = {
+      from: msgObj.from, // sender address
+      to: msgObj.to, // list of receivers - comma separated
+      cc: msgObj.cc,
+      subject: msgObj.subject ? msgObj.subject : 'SCIM Gateway message',
+    }
+
+    if (authType === 'oauth') {
+      mailOptions.auth = {}
+      mailOptions.auth.user = msgObj.from
+      transporter.set('oauth2_provision_cb', async (user, renew, callback) => {
+        const aObj = await this.helperRest.getAccessToken('undefined')
+        const accessToken = aObj ? aObj?.access_token : null
+        if (!accessToken) {
+          return callback(new Error('missing access token'))
+        } else {
+          return callback(null, accessToken)
+        }
+      })
+    }
+
+    if (isHtml) mailOptions.html = msgObj.content
+    else mailOptions.text = msgObj.content
+
+    transporter.sendMail(mailOptions, function (err) {
+      if (err != null) logger.error(`${gwName}[${pluginName}] sendMail subject '${mailOptions.subject}' sending failed: ${err.message}`)
+      else logger.debug(`${gwName}[${pluginName}] sendMail subject '${mailOptions.subject}' sent to: ${msgObj.to}${(msgObj.cc) ? ',' + msgObj.cc : ''}`)
+    })
+  }
+
   // processConfig updates this.config and return found.<auth method>
   // config external process.env/file/text replaced with actual values
   // config encryption/decryption for keys named: 'password', 'secret', 'clientSecret', 'token', 'apikey'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.0.4",
+  "version": "5.0.6",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",