feat: adding an OAuth provider for WorkOS
We needed a way to extend our auth capabilities to allow for SSO and discovered WorkOS. It's enterprise SSO and you interact with it in an OIDC/OAuth kind of way. Their integration is OAuth ready so making an OAuth provider for WorkOS gives us the ability to use enterprise SSO with Kratos.
I didn't add any new features in this PR; it's mainly just a new provider.
Checklist
- [x] I have read the contributing guidelines.
- [ ] I have referenced an issue containing the design document if my change introduces a new feature.
- [x] I am following the contributing code guidelines.
- [x] I have read the security policy.
- [x] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact [email protected]) from the maintainers to push the changes.
- [x] I have added tests that prove my fix is effective or that my feature works.
- [x] I have added or changed the documentation.
Further Comments
To use this provider, it would look like this, and you would basically set this up for each of your enterprise SSO clients:
```yaml
selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: demo-organization
            provider: workos
            client_id: client_00000000000000000
            client_secret: sk_live_...
            workos_organization_id: org_000000000000000000
            mapper_url: "base64://..."
            scope: []
```
Codecov Report
Attention: Patch coverage is 48.71795%, with 20 lines in your changes missing coverage. Please review.
Project coverage is 77.96%. Comparing base (da90502) to head (05e6e9e).
| Files | Patch % | Lines |
|---|---|---|
| selfservice/strategy/oidc/provider_workos.go | 48.71% | 20 Missing :warning: |
Additional details and impacted files:

```diff
@@            Coverage Diff             @@
##           master    #3831      +/-   ##
==========================================
- Coverage   77.98%   77.96%   -0.02%
==========================================
  Files         359      360       +1
  Lines       25203    25242      +39
==========================================
+ Hits        19654    19681      +27
- Misses       4041     4054      +13
+ Partials     1508     1507       -1
```
Thank you very much! Could you please add this provider also to the docs? :)
https://www.ory.sh/docs/kratos/social-signin/generic
@aeneasr Yep! Done and done.
@aeneasr Please let me know if you need anything else for this review. I was looking at the tests, and it looks like this may be a flaky failure or something. But yeah, happy to work to get this merged in.
Is there a way to configure/implement this so you can have a single OIDC provider that works for multiple WorkOS organizations?
@BrandonNoad I think there may be a way to do that, but I would need to update the UpstreamParameters sanitized attributes and schema to include organization. That kind of felt more "hacky", since this feels more like a standard list from oauth2.AuthCodeOption. Are you saying that this would be preferred?
> Are you saying that this would be preferred?
We use Ory and WorkOS. But we have ~200 WorkOS Organizations/Connections. Having 200 different OIDC login buttons isn't practical (for us).
What we ended up doing was wrapping WorkOS in Hydra, and then we have one generic "WorkOS" OIDC provider that is associated with that Hydra.
We have a discovery step during the Login flow where we get the user's email and send that along in the OIDC request. Then in our custom Hydra Login endpoint, we use the email value to look up the WorkOS connection that we should be using.
@BrandonNoad yeah, that's nice. I think we were going the route of not showing the hundreds of buttons and instead having landing pages specific to the organizations, which would correspond to those OAuth provider IDs. We were trying to keep it in Kratos land, but Hydra sounds like an interesting route.
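The discovery step described above (take the e-mail the user entered, resolve the WorkOS organization from its domain, and send that organization along on the upstream authorization request), as an added Go example that is not part of this PR or of Kratos or Hydra. The domain table, client id, redirect URI and state value are constructed placeholders, and the WorkOS authorize endpoint with its `organization` query parameter is an assumption made for illustration, not taken from the provider code in this PR.

```go
package main

import (
	"fmt"
	"net/mail"
	"net/url"
	"strings"
)

// Constructed sample lookup: e-mail domain -> WorkOS organization id (placeholder ids).
var orgByDomain = map[string]string{
	"acme.example":   "org_00000000000000ACME",
	"globex.example": "org_0000000000000GLOBEX",
}

// ResolveOrganization is the discovery step: parse the address the user typed, take its
// domain and look it up. Unknown domains are rejected rather than falling through to a default.
func ResolveOrganization(email string) (string, error) {
	addr, err := mail.ParseAddress(email)
	if err != nil {
		return "", fmt.Errorf("invalid e-mail address")
	}
	domain := strings.ToLower(addr.Address[strings.LastIndex(addr.Address, "@")+1:])
	if org, ok := orgByDomain[domain]; ok {
		return org, nil
	}
	return "", fmt.Errorf("no SSO organization configured for %q", domain)
}

// AuthorizeURL builds the upstream authorization request for that organization.
// The endpoint and the "organization" query parameter are assumptions made for
// this example, not taken from the Kratos provider code.
func AuthorizeURL(clientID, redirectURI, org, state string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("organization", org)
	q.Set("state", state)
	return "https://api.workos.com/sso/authorize?" + q.Encode()
}

func main() {
	org, err := ResolveOrganization("Alice <alice@ACME.example>")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(AuthorizeURL("client_00000000000000000", "https://kratos.example/callback", org, "opaque-state"))
}
```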