A passport strategy for WorkOS SSO.
npm i passport-workos passport @workos-inc/node
Import the strategy.
import { WorkOSSSOStrategy } from "passport-workos";
Instantiate it with your WorkOS credentials, callbackURL, and verify function.
// Strategy settings. Both credentials are read from the environment so they
// never live in source control; WORKOS_API_KEY is a server-side secret.
// The callbackURL shown is a plain-http localhost address for local
// development. NOTE(review): deployed environments would normally use an
// https URL that matches the redirect URI configured with WorkOS — confirm.
const workosStrategyOptions = {
  clientID: process.env.WORKOS_CLIENT_ID,
  clientSecret: process.env.WORKOS_API_KEY,
  callbackURL: "http://localhost:3000/auth/workos/callback",
};

/**
 * Verify function: receives the request, the tokens and the WorkOS profile,
 * and reports the authenticated user through `done`.
 *
 * As written it hands the profile back unchanged, so every profile the
 * strategy delivers is accepted as a logged-in user.
 * NOTE(review): an application would usually look up or provision its own
 * user record here and call `done` with an error or `false` for profiles it
 * does not expect — confirm which profile fields to key on.
 */
function verifyWorkOSProfile(req, accessToken, refreshToken, profile, done) {
  return done(undefined, profile);
}

// Register the strategy under the name "workos".
passport.use(
  "workos",
  new WorkOSSSOStrategy(workosStrategyOptions, verifyWorkOSProfile)
);
Add a route for redirecting to WorkOS login.
// Login entry point: the "workos" strategy answers this request by
// redirecting the browser to the WorkOS authorization URL.
const beginWorkOSLogin = passport.authenticate("workos");
app.get("/auth/workos/login", beginWorkOSLogin);
Add a route for code authorization callbacks.
/**
 * Runs only after passport.authenticate("workos") has accepted the callback.
 * The redirect target is a fixed path, so it cannot be steered by request
 * input.
 * NOTE(review): this snippet does not show how the OAuth `state` value is
 * checked on return — confirm the strategy handles it.
 */
function finishWorkOSLogin(req, res) {
  // Do something once authenticated
  // ..
  res.redirect("/");
}

// Code authorization callback: the strategy handles the returned
// authorization code first, then the handler above runs.
app.get(
  "/auth/workos/callback",
  passport.authenticate("workos"),
  finishWorkOSLogin
);
The login route will redirect to a WorkOS OAuth 2.0 authorization URL. When redirecting to this route, be sure to include one of the supported query parameters.
In the likely case where the requesting client can't determine the connection itself, add a middleware route that looks the connection up on the server and then redirects to the login route, as in the example below.
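// Client entrypoint
// Resolves the SSO connection for the supplied email on the server, then
// redirects to the passport login route with the supported query arguments.
// The handler is declared `async` because it awaits the lookup; without it
// the `await` below is a syntax error.
app.use("/auth/email/login", async (req, res, next) => {
  try {
    const { email } = req.query;

    // Query values are client-controlled and may arrive as arrays or nested
    // objects; only a single non-empty string is a usable email.
    if (typeof email !== "string" || email.length === 0) {
      res.status(400).send("A single email query parameter is required");
      return;
    }

    // Your custom function to get connection for given email
    // NOTE(review): what this returns for an unknown email is not shown
    // here — decide how to respond when no connection is found.
    const connection = await getConnectionForEmail(email);

    // Redirect to passport strategy with supported args.
    // `connection` and `login_hint` are listed after the spread on purpose:
    // the server-derived values win over any same-named parameters the
    // client sent. Every other client-supplied parameter is forwarded as-is.
    res.redirect(
      url.format({
        pathname: "/auth/workos/login",
        query: { ...req.query, connection, login_hint: email },
      })
    );
  } catch (err) {
    // Express does not pick up rejections from async handlers on its own in
    // every version; hand the failure to the error middleware explicitly.
    next(err);
  }
});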
// Strategy route that the client entrypoint redirects to. The strategy
// middleware runs first; the trailing handler is left as a placeholder.
const workosLoginMiddleware = passport.authenticate("workos");
app.use("/auth/workos/login", workosLoginMiddleware, (req, res) => {
  /* ... */
});
The callback route is what WorkOS calls after a successful login. Be sure to configure its URL as the redirect URI with WorkOS.