passport-workos

Passport Workos

A passport strategy for WorkOS SSO.

Installation

npm i passport-workos passport @workos-inc/node

Setup

Import the strategy.

import { WorkOSSSOStrategy } from "passport-workos";

Instantiate it with your WorkOS credentials, callbackURL, and verify function.

passport.use(
  "workos",
  new WorkOSSSOStrategy(
    {
      clientID: process.env.WORKOS_CLIENT_ID,
      clientSecret: process.env.WORKOS_API_KEY,
      callbackURL: "http://localhost:3000/auth/workos/callback",
    },
    // Verify function
    (req, accessToken, refreshToken, profile, done) => {
      return done(undefined, profile);
    }
  )
);

Add a route for redirecting to WorkOS login.

app.get("/auth/workos/login", passport.authenticate("workos"));

Add a route for code authorization callbacks.

app.get(
  "/auth/workos/callback",
  passport.authenticate("workos"),
  (req, res) => {
    // Do something once authenticated
    // ..
    res.redirect("/");
  }
);

Consumption

Login

The login route will redirect to a WorkOS OAuth 2.0 authorization URL. When redirecting to this route, be sure to include one of the supported query parameters.

Login with email

In the likely case where the connection can't be derived by the requesting client, middleware is advised (see here).

// Client entrypoint
app.use("/auth/email/login", (req, res, next) => {
  const email = req.query.email;
  // Your custom function to get connection for given email
  const connection = await getConnectionForEmail(email);

  // Redirect to passport strategy with supported args
  res.redirect(
    url.format({
      pathname: "/auth/workos/login",
      query: { ...req.query, connection, login_hint: email },
    })
  );
});

app.use("/auth/workos/login", passport.authenticate("workos"), (req, res) => {
  /* ... */
});

Callback

This will be called by WorkOS after a successful login. Be sure to configure the redirect URI with WorkOS.