Passport strategy for WorkOS SSO
A passport strategy for WorkOS SSO.

```sh
npm i passport-workos passport @workos-inc/node
```
Import the strategy.

```ts
import { WorkOSSSOStrategy } from "passport-workos";
```
Instantiate it with your WorkOS credentials, `callbackURL`, and verify function.

```ts
passport.use(
  "workos",
  new WorkOSSSOStrategy(
    {
      clientID: process.env.WORKOS_CLIENT_ID,
      clientSecret: process.env.WORKOS_API_KEY,
      callbackURL: "http://localhost:3000/auth/workos/callback",
    },
    // Verify function
    (req, accessToken, refreshToken, profile, done) => {
      return done(undefined, profile);
    }
  )
);
```
Add a route for redirecting to WorkOS login.

```ts
app.get("/auth/workos/login", passport.authenticate("workos"));
```
Add a route for code authorization callbacks.

```ts
app.get(
  "/auth/workos/callback",
  passport.authenticate("workos"),
  (req, res) => {
    // Do something once authenticated
    // ..
    res.redirect("/");
  }
);
```
The login route will redirect to a WorkOS OAuth 2.0 authorization URL. When redirecting to this route, be sure to include one of the supported query parameters.
#### Login with email
In the likely case where the connection can't be derived by the requesting client, middleware is advised (see here).
```tsx
import url from "url";

// Client entrypoint (async, because the connection lookup is awaited)
app.use("/auth/email/login", async (req, res, next) => {
  const email = req.query.email;
  // Your custom function to get connection for given email
  const connection = await getConnectionForEmail(email);
  // Redirect to passport strategy with supported args
  res.redirect(
    url.format({
      pathname: "/auth/workos/login",
      query: { ...req.query, connection, login_hint: email },
    })
  );
});

app.use("/auth/workos/login", passport.authenticate("workos"), (req, res) => {
  /* ... */
});
```
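An added example, not part of passport-workos or its README: a stricter version of the email-login step above that accepts `email` only as a single string and forwards just `connection` and `login_hint` instead of spreading `req.query`. The domain table, `conn_EXAMPLE_PLACEHOLDER`, and the helper names are assumptions standing in for your own `getConnectionForEmail`.

```typescript
// Added example (not from passport-workos). The domain and connection ID are
// constructed placeholders; the table is a synchronous stand-in for the
// page's getConnectionForEmail().
const CONNECTIONS_BY_DOMAIN: Record<string, string> = {
  "example.com": "conn_EXAMPLE_PLACEHOLDER",
};

// Accept exactly one plain string. Repeated or bracketed query keys arrive as
// arrays or objects and are rejected, as are control characters, a missing
// local part or domain, and more than one "@".
function normalizeEmail(value: unknown): string | null {
  if (typeof value !== "string") return null;
  const email = value.trim().toLowerCase();
  if (email.length === 0 || email.length > 254) return null;
  if (/[\s<>\x00-\x1f]/.test(email)) return null;
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1 || email.indexOf("@") !== at) return null;
  return email;
}

// Own-property check so that a domain such as "constructor" cannot resolve to
// something inherited from Object.prototype.
function connectionForDomain(domain: string): string | null {
  const known = Object.prototype.hasOwnProperty.call(CONNECTIONS_BY_DOMAIN, domain);
  const value = known ? CONNECTIONS_BY_DOMAIN[domain] : undefined;
  return typeof value === "string" ? value : null;
}

// Build the redirect target from server-derived values only. Nothing else in
// the client's query string is copied, so the connection always comes from
// the lookup.
function loginRedirectFor(query: Record<string, unknown>): string | null {
  const email = normalizeEmail(query["email"]);
  if (email === null) return null;
  const connection = connectionForDomain(email.slice(email.lastIndexOf("@") + 1));
  if (connection === null) return null;
  return (
    "/auth/workos/login?connection=" + encodeURIComponent(connection) +
    "&login_hint=" + encodeURIComponent(email)
  );
}

// Wiring (commented out so the block runs without Express):
// app.get("/auth/email/login", (req, res) => {
//   const target = loginRedirectFor(req.query);
//   return target ? res.redirect(target) : res.status(400).send("Invalid login request");
// });
```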
The callback route will be called by WorkOS after a successful login. Be sure to configure the redirect URI with WorkOS.