feat: add WorkOS third party auth provider support (#4056)

sweatybridge · web-flow · commit 15287ddd5987 · 2025-08-20T15:43:53.000+08:00
diff --git a/pkg/config/auth.go b/pkg/config/auth.go
@@ -187,6 +187,7 @@ type (
 		Auth0    tpaAuth0    `toml:"auth0"`
 		Cognito  tpaCognito  `toml:"aws_cognito"`
 		Clerk    tpaClerk    `toml:"clerk"`
+		WorkOs   tpaWorkOs   `toml:"workos"`
 	}
 
 	rateLimit struct {
@@ -225,6 +226,12 @@ type (
 		Domain string `toml:"domain"`
 	}
 
+	tpaWorkOs struct {
+		Enabled bool `toml:"enabled"`
+
+		IssuerUrl string `toml:"issuer_url"`
+	}
+
 	email struct {
 		EnableSignup         bool                     `toml:"enable_signup"`
 		DoubleConfirmChanges bool                     `toml:"double_confirm_changes"`
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -1314,6 +1314,17 @@ func (c *tpaClerk) validate() (err error) {
 	return nil
 }
 
+func (w *tpaWorkOs) validate() error {
+	if w.IssuerUrl == "" {
+		return errors.New("Invalid config: auth.third_party.workos is enabled but without a issuer_url.")
+	}
+	return nil
+}
+
+func (w *tpaWorkOs) issuerURL() string {
+	return w.IssuerUrl
+}
+
 func (tpa *thirdParty) validate() error {
 	enabled := 0
 
@@ -1349,6 +1360,14 @@ func (tpa *thirdParty) validate() error {
 		}
 	}
 
+	if tpa.WorkOs.Enabled {
+		enabled += 1
+
+		if err := tpa.WorkOs.validate(); err != nil {
+			return err
+		}
+	}
+
 	if enabled > 1 {
 		return errors.New("Invalid config: Only one third_party provider allowed to be enabled at a time.")
 	}
@@ -1373,6 +1392,10 @@ func (tpa *thirdParty) IssuerURL() string {
 		return tpa.Clerk.issuerURL()
 	}
 
+	if tpa.WorkOs.Enabled {
+		return tpa.WorkOs.issuerURL()
+	}
+
 	return ""
 }
 
