fix: enforce user deactivation via scim_active metadata #21113

Merged
krrishdholakia merged 1 commit into BerriAI:litellm_oss_staging_02_14_2026 from milan-berri:fix/scim-user-deactivation-check on Feb 14, 2026

Conversation


@milan-berri milan-berri commented Feb 13, 2026

Fixes issue where SCIM PATCH to set active=false updates metadata but doesn't prevent authentication.

Pre-Submission checklist

Please complete all items before asking a LiteLLM maintainer to review your PR

  • I have Added testing in the tests/litellm/ directory, Adding at least 1 test is a hard requirement - see details
  • My PR passes all unit tests on make test-unit
  • My PR's scope is as isolated as possible, it only solves 1 specific problem
  • I have requested a Greptile review by commenting @greptileai and received a Confidence Score of at least 4/5 before requesting a maintainer review

CI (LiteLLM team)

CI status guideline:

  • 50-55 passing tests: main is stable with minor issues.
  • 45-49 passing tests: acceptable but needs attention
  • <= 40 passing tests: unstable; be careful with your merges and assess the risk.
  • Branch creation CI run
    Link:

  • CI run for the last commit
    Link:

  • Merge / cherry-pick CI run
    Links:

Type

🐛 Bug Fix

Changes

  • Add check in common_checks() to block users with scim_active=False
  • Add unit tests for scim_active validation
  • Raises ProxyException with 401 when deactivated user attempts to authenticate


vercel bot commented Feb 13, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: litellm | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Feb 13, 2026 11:00am



greptile-apps bot commented Feb 13, 2026

Greptile Overview

Greptile Summary

This PR adds a SCIM user deactivation enforcement check to the common_checks() function in litellm/proxy/auth/auth_checks.py. Previously, setting active=false via SCIM PATCH only updated user metadata but did not prevent the user from authenticating. Now, users with scim_active=False in their metadata are blocked with a 401 error.

  • Adds early check in common_checks() (line 211-220) to raise ProxyException with HTTP_401_UNAUTHORIZED when user_object.metadata["scim_active"] is False
  • Uses strict is False comparison, so users without SCIM metadata or with scim_active=True are unaffected
  • Two unit tests added: one verifying deactivated users are blocked, one verifying active users pass through
  • The check only applies when user_object is not None, meaning auth paths that don't resolve a user object (master key, OAuth2, custom auth, public routes) are unaffected by design
  • No new database queries or Router objects are created in the critical path — the check uses the already-fetched user_object metadata

Confidence Score: 4/5

  • This PR is safe to merge — it adds a narrowly scoped auth check with no risk of breaking existing non-SCIM users.
  • The implementation is correct and well-placed. The strict is False check prevents false positives. No new DB queries are added to the critical path. The change is small and focused. Minor style concerns (truthy check on metadata, user ID in error messages, test imports) don't affect correctness. The check only fires for users explicitly deactivated via SCIM.
  • No files require special attention. The auth check in litellm/proxy/auth/auth_checks.py is straightforward and correctly handles edge cases.

Important Files Changed

litellm/proxy/auth/auth_checks.py
    Adds SCIM deactivation check in common_checks() to block users with scim_active=False in metadata. The check is correctly placed early in the function, uses strict is False comparison, and handles None metadata safely.

tests/test_litellm/proxy/auth/test_auth_checks.py
    Adds two unit tests for SCIM deactivation: one verifying blocked users and one verifying active users pass through. Tests are mock-only (no network calls). Missing edge case tests for metadata=None and metadata without scim_active key.

Sequence Diagram

sequenceDiagram
    participant C as Client
    participant A as Auth
    participant D as Database
    participant K as CommonChecks

    C->>A: Request with API key
    A->>D: Lookup user
    D-->>A: User data
    A->>K: Run common checks
    alt SCIM deactivated
        K-->>C: 401 Unauthorized
    else SCIM active or unset
        K-->>A: Passed
        A-->>C: Success
    end

Last reviewed commit: 56bb518
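As an added illustration of the check described in the review above (example code written for this page, not LiteLLM's own auth_checks.py), the following models the `scim_active is False` gate together with the edge cases the reviewer lists: no user object, metadata=None, metadata without the key, and a non-bool value. `ProxyException`, `UserRecord`, `auth_status` and `SAMPLE_USERS` are assumed stand-ins for the project's real types and data, not its API.

```python
from typing import Any, Dict, Optional


class ProxyException(Exception):
    """Stand-in for the proxy's auth exception (assumed shape, not LiteLLM's own class)."""

    def __init__(self, message: str, type: str, param: Optional[str], code: int) -> None:
        super().__init__(message)
        self.message = message
        self.type = type
        self.param = param
        self.code = code


class UserRecord:
    """Minimal stand-in for the already-fetched user object; only the fields the check reads."""

    def __init__(self, user_id: str, metadata: Optional[Dict[str, Any]]) -> None:
        self.user_id = user_id
        self.metadata = metadata


def is_scim_deactivated(user_object: Optional[UserRecord]) -> bool:
    """Return True only when the user's metadata explicitly carries scim_active == False.

    Mirrors the narrow semantics the review describes: no user object, no metadata,
    a missing key, or any value other than the bool False all mean "not deactivated".
    """
    if user_object is None:
        return False  # master-key / custom-auth paths resolve no user; nothing to enforce
    metadata = user_object.metadata
    if not isinstance(metadata, dict):
        return False  # metadata=None (or a non-dict) is treated as "never touched by SCIM"
    # Strict identity check: 0, "false", "False" and None are NOT treated as deactivated.
    return metadata.get("scim_active") is False


def enforce_scim_active(user_object: Optional[UserRecord]) -> None:
    """Raise a 401 ProxyException for SCIM-deactivated users; return None otherwise.

    The message deliberately omits the user id so a rejected caller learns nothing
    about which account the key maps to.
    """
    if is_scim_deactivated(user_object):
        raise ProxyException(
            message="User has been deactivated via SCIM",
            type="auth_error",
            param=None,
            code=401,
        )


def auth_status(user_object: Optional[UserRecord]) -> int:
    """Convenience wrapper returning the HTTP status the check would produce."""
    try:
        enforce_scim_active(user_object)
    except ProxyException as exc:
        return exc.code
    return 200


# Constructed sample users covering the edge cases the review calls out.
SAMPLE_USERS = {
    "deactivated": UserRecord("u-1", {"scim_active": False}),
    "active": UserRecord("u-2", {"scim_active": True}),
    "no_metadata": UserRecord("u-3", None),
    "no_scim_key": UserRecord("u-4", {"team": "platform"}),
    "stringy_false": UserRecord("u-5", {"scim_active": "false"}),
}

if __name__ == "__main__":
    for name, user in SAMPLE_USERS.items():
        print(f"{name:14s} -> {auth_status(user)}")
```

The `stringy_false` case is the one worth keeping an eye on: a strict `is False` comparison avoids false positives for users SCIM never touched, but it also means the gate only fires when the SCIM PATCH handler stores a real bool. A test that writes the metadata through the same code path the PATCH endpoint uses, rather than a hand-built dict, is the cheapest way to confirm the two sides agree.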

@greptile-apps greptile-apps bot left a comment

2 files reviewed, 3 comments

- Add check in common_checks() to block users with scim_active=False
- Fixes issue where SCIM PATCH to set active=false didn't prevent authentication
- Add unit tests for scim_active validation
- Raises ProxyException with 401 when deactivated user attempts to authenticate

Resolves: BerriAI#16427 (related SCIM deactivation issue)
@milan-berri milan-berri force-pushed the fix/scim-user-deactivation-check branch from 1dc7db2 to cf6a132 Compare February 13, 2026 10:59
@krrishdholakia krrishdholakia changed the base branch from main to litellm_oss_staging_02_14_2026 February 14, 2026 07:14
@krrishdholakia krrishdholakia merged commit 5df06b4 into BerriAI:litellm_oss_staging_02_14_2026 Feb 14, 2026
6 of 18 checks passed