
feat: adding an OAuth provider for WorkOS #3831

Status: Open. Wants to merge 1 commit into base: master.

Conversation

panbanda

@panbanda panbanda commented Mar 19, 2024

We needed a way to extend our auth capabilities to allow for SSO and discovered WorkOS. It's enterprise SSO and you interact with it in an OIDC/OAuth kind of way. Their integration is OAuth ready so making an OAuth provider for WorkOS gives us the ability to use enterprise SSO with Kratos.

I didn't add any new features in this PR; it's mainly just a new provider.

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

To use this provider, the configuration would look like this, and you would basically set this up for each of your enterprise SSO clients:

selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: demo-organization
            provider: workos
            client_id: client_00000000000000000
            client_secret: sk_live_...
            workos_organization_id: org_000000000000000000
            mapper_url: "base64://..."
            scope: []

@CLAassistant

CLAassistant commented Mar 19, 2024

CLA assistant check
All committers have signed the CLA.

@panbanda panbanda changed the title feat: added workos provider Adding an OAuth provider for WorkOS Mar 19, 2024
@panbanda panbanda changed the title Adding an OAuth provider for WorkOS feat: Adding an OAuth provider for WorkOS Mar 19, 2024
@panbanda panbanda changed the title feat: Adding an OAuth provider for WorkOS feat: adding an OAuth provider for WorkOS Mar 19, 2024

codecov bot commented Mar 19, 2024

Codecov Report

Attention: Patch coverage is 48.71795% with 20 lines in your changes are missing coverage. Please review.

Project coverage is 77.96%. Comparing base (da90502) to head (05e6e9e).

Files Patch % Lines
selfservice/strategy/oidc/provider_workos.go 48.71% 20 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3831      +/-   ##
==========================================
- Coverage   77.98%   77.96%   -0.02%     
==========================================
  Files         359      360       +1     
  Lines       25203    25242      +39     
==========================================
+ Hits        19654    19681      +27     
- Misses       4041     4054      +13     
+ Partials     1508     1507       -1     


@aeneasr
Member

aeneasr commented Mar 27, 2024

Thank you very much! Could you please add this provider also to the docs? :)

https://www.ory.sh/docs/kratos/social-signin/generic

@panbanda
Author

@aeneasr Yep! Done and done.

@panbanda
Author

panbanda commented Apr 4, 2024

@aeneasr Please let me know if you need anything else for this review. I was looking at the tests and it looks like this may be a flaky failure or something. But yeah, happy to work to get this merged in.

@BrandonNoad
Contributor

Is there a way to configure/implement this so you can have a single OIDC provider that works for multiple WorkOS organizations?

@panbanda
Author

panbanda commented Apr 5, 2024

@BrandonNoad I think there may be a way to do that, but I would need to update the UpstreamParameters sanitized attributes and schema to include organization. That kind of felt more "hacky", since this feels more like a standard list from oauth2.AuthCodeOption. Are you saying that this would be preferred?

@BrandonNoad
Contributor

Are you saying that this would be preferred?

We use Ory and WorkOS. But we have ~200 WorkOS Organizations/Connections. Having 200 different OIDC login buttons isn't practical (for us).

What we ended up doing was wrapping WorkOS in Hydra, and then we have one generic "WorkOS" OIDC provider that is associated with that Hydra.

We have a discovery step during the Login flow where we get the user's email and send that along in the OIDC request. Then in our custom Hydra Login endpoint, we use the email value to look up the WorkOS connection that we should be using.
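The discovery step described in this comment, written out as an added example (not code from this PR, from Kratos, or from Hydra): the e-mail entered at login is reduced to its domain, the domain is matched exactly against a constructed routing table to pick the WorkOS organization (the same value the PR's workos_organization_id setting pins per provider), and the authorization redirect is built with a fresh random state. The WorkOS endpoint and parameter names are assumed from WorkOS's SSO documentation, and every ID is a placeholder.

```go
package main
import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Constructed routing table (placeholder IDs): e-mail domain -> WorkOS organization.
var orgByDomain = map[string]string{"example.com": "org_PLACEHOLDER_A", "example.org": "org_PLACEHOLDER_B"}

// orgForEmail picks the organization for the e-mail entered at the discovery step.
// The e-mail is untrusted: it only selects the IdP; the identity comes from the callback.
func orgForEmail(email string) (string, error) {
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return "", fmt.Errorf("malformed e-mail address")
	}
	domain := strings.ToLower(strings.TrimSpace(email[at+1:]))
	org, ok := orgByDomain[domain] // exact match only: no suffix or wildcard matching
	if !ok {
		return "", fmt.Errorf("no SSO connection for domain %q", domain)
	}
	return org, nil
}

// newState returns a random value that ties the callback to this login attempt.
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// authorizeURL builds the WorkOS SSO request (endpoint and parameter names assumed from WorkOS docs).
func authorizeURL(clientID, redirectURI, org, state string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("organization", org)
	q.Set("state", state)
	return "https://api.workos.com/sso/authorize?" + q.Encode()
}

func main() {
	org, _ := orgForEmail("alice@Example.com")
	state, _ := newState()
	fmt.Println(authorizeURL("client_PLACEHOLDER", "https://login.example.com/callback", org, state))
}
```

The state value must be stored server-side (or in a signed cookie) and compared on the callback before the code is exchanged, so that a redirect cannot be replayed or cross-bound to another session.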

@panbanda
Author

panbanda commented Apr 5, 2024

@BrandonNoad yeah, that's nice. I think we were going the route of not showing the hundreds of buttons and instead having landing pages specific to the organizations, which would correspond to those OAuth providers' IDs. We were trying to keep it in Kratos land, but Hydra sounds like an interesting route.
