Description
Let's use WorkOS for this. Seems pretty simple to integrate. Pricing also looks good.
Endpoints
Redirect
Use the normal create token endpoint. Add an SSO_REQUIRED error code when the current account or user requires SSO.
POST /v1/tokens

401 Unauthorized
Location: <authorization_url>

{
  "errors": [
    {
      "title": "Unauthorized",
      "detail": "single sign on is required",
      "code": "SSO_REQUIRED"
    }
  ],
  "links": {
    "redirect": "<authorization_url>"
  }
}
The client i.e. Portal MUST manually redirect to the WorkOS authorization URL.
Docs: https://workos.com/docs/reference/sso/get-authorization-url
Callback
The callback contains a code query param that can be exchanged for a user profile. After retrieving the user, we MAY need to create the user, and then we MUST generate a token for the authenticated user.
We can optionally use the state query param to store additional state, such as account or redirect URL.
After the user has been authenticated, we redirect to Portal.
GET /v1/workos?code=<code>&state=<account>

302 Found
Location: https://portal.keygen.sh/<account>
I'm thinking we should generate an SSO-specific token that can only be used via Portal e.g. using a strict/secure cookie. But using cookies creates other problems, such as accounts using a self-hosted Portal not being able to use SSO. (We COULD keep the sso_redirect_url column for accounts using SSO. If this becomes a problem, we can manually set a Referrer in the state parameter of the authorization URL, but that introduces an open redirect attack vector...)
Docs: https://workos.com/docs/reference/sso/get-authorization-url/redirect-uri
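A sketch of the callback side described above, added here as an example and not Keygen's code: the state param is HMAC-signed so the account and redirect URL it carries cannot be forged, and the post-login redirect is restricted to an allowlist of Portal hosts, which is what keeps a redirect URL in state from becoming the open redirect mentioned above. The `exchange` lambda is a hypothetical stand-in for the WorkOS code-for-profile call, the `users` hash is a stand-in user store, and PORTAL_HOST is a constructed default.

```ruby
require 'json'
require 'base64'
require 'openssl'
require 'securerandom'
require 'uri'

PORTAL_HOST = 'portal.keygen.sh' # constructed default; self-hosted Portals are allowlisted per account
# Sign the state so the account/redirect it carries through WorkOS cannot be forged:
# state = base64url(json) + "." + hmac_sha256(secret, json)
def build_state(secret, account:, redirect_url: nil)
  payload = JSON.generate('account' => account, 'redirect_url' => redirect_url)
  mac     = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{Base64.urlsafe_encode64(payload, padding: false)}.#{mac}"
end

def secure_equal?(a, b) # constant-time compare, so MAC checks do not leak timing
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Parsed state hash, or nil when the param is missing, malformed or tampered with.
def parse_state(secret, state)
  encoded, mac = state.to_s.split('.', 2)
  return nil if encoded.nil? || mac.nil?
  payload = Base64.urlsafe_decode64(encoded)
  return nil unless secure_equal?(mac, OpenSSL::HMAC.hexdigest('SHA256', secret, payload))
  JSON.parse(payload)
rescue ArgumentError, JSON::ParserError
  nil
end

# Redirect only to Portal hosts we know; anything else (other hosts, non-https,
# javascript: URLs) falls back to the hosted Portal for the account.
def safe_portal_url(account, redirect_url, allowed_hosts)
  uri = URI.parse(redirect_url.to_s) rescue nil
  return uri.to_s if uri && uri.scheme == 'https' && allowed_hosts.include?(uri.host)
  "https://#{PORTAL_HOST}/#{account}"
end

# GET /v1/workos?code=...&state=...  `exchange` stands in for the WorkOS
# code-for-profile call (hypothetical lambda, not the SDK); `users` is the user store.
def handle_callback(params, secret:, exchange:, users:, allowed_hosts: [PORTAL_HOST])
  state = parse_state(secret, params['state'])
  return { status: 400 } if state.nil? || params['code'].to_s.empty?
  profile = exchange.call(params['code'])
  return { status: 401 } if profile.nil?
  user  = users[profile['email']] ||= { 'email' => profile['email'], 'account' => state['account'] } # create on first SSO login
  token = "sso-#{SecureRandom.hex(32)}" # opaque SSO-scoped token for the authenticated user
  { status: 302, location: safe_portal_url(state['account'], state['redirect_url'], allowed_hosts), token: token, user: user }
end
```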