Add multiple roles support #473
Greptile Summary
This PR adds comprehensive support for multiple roles in organization memberships and session authentication to the WorkOS Python SDK. The changes extend the existing single-role system to support multiple role assignments while maintaining full backward compatibility.
The core modifications include:
Organization Membership Enhancements: The OrganizationMembership type now includes an optional roles field alongside the existing role field. The user management module adds a new role_slugs parameter to both create_organization_membership and update_organization_membership methods, which is mutually exclusive with the existing role_slug parameter. This allows users to assign multiple roles when creating or updating memberships.
Session Authentication Support: Session handling has been extended to extract and process multiple roles from JWT tokens. The AuthenticateWithSessionCookieSuccessResponse type includes a new roles field, and the session module's authentication methods (authenticate, refresh) now decode the roles array from JWT claims alongside the existing role field.
Implementation Strategy: The changes follow a dual-field approach where both legacy (role, role_slug) and new (roles, role_slugs) fields coexist. This ensures existing applications continue working unchanged while new implementations can leverage multiple roles functionality. All changes are implemented consistently across both synchronous and asynchronous APIs.
Testing Coverage: Comprehensive test coverage has been added, including dedicated test cases for multiple roles scenarios and verification that both single-role and multi-role JWT tokens are properly handled during authentication flows.
This enhancement aligns with WorkOS's platform evolution toward more granular permission systems where users can hold multiple organizational roles simultaneously.
Confidence score: 4/5
- This PR is safe to merge with minimal risk as it maintains backward compatibility while adding well-structured new functionality
- Score reflects clean implementation patterns and comprehensive test coverage, though the multiple field approach adds some complexity to the API surface
- Pay attention to workos/user_management.py for the mutually exclusive parameter validation logic
5 files reviewed, no comments
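The dual-field behaviour described in the summary above, sketched as an added example that is not code from this PR or from the WorkOS SDK. The helper names, the request-body keys (assumed to mirror the parameter names) and the sample claims are assumptions; `effective_roles` expects claims from a token whose signature has already been verified.

```python
from typing import Any, Dict, List, Mapping, Optional, Sequence

# Constructed sample claims (not taken from a real token).
SINGLE_ROLE_CLAIMS = {"sub": "user_01", "role": "member"}
MULTI_ROLE_CLAIMS = {"sub": "user_02", "role": "admin", "roles": ["admin", "billing"]}


def membership_role_params(
    role_slug: Optional[str] = None,
    role_slugs: Optional[Sequence[str]] = None,
) -> Dict[str, Any]:
    """Role part of a create/update membership body (hypothetical helper).

    Rejects calls that pass both parameters, since the summary describes
    role_slug and role_slugs as mutually exclusive.
    """
    if role_slug is not None and role_slugs is not None:
        raise ValueError("role_slug and role_slugs are mutually exclusive")
    if role_slugs is not None:
        if isinstance(role_slugs, str):
            # A bare string would otherwise be split into single characters.
            raise TypeError("role_slugs must be a sequence of slugs, not a string")
        return {"role_slugs": list(role_slugs)}
    if role_slug is not None:
        return {"role_slug": role_slug}
    return {}


def effective_roles(claims: Mapping[str, Any]) -> List[str]:
    """Roles to authorize against, taken from already-verified JWT claims.

    Prefers the `roles` array and falls back to the legacy `role` claim, so
    an authorization check behaves the same for single-role and multi-role
    tokens. Malformed claims raise instead of being silently coerced.
    """
    roles = claims.get("roles")
    if roles is not None:
        if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
            raise ValueError("roles claim must be a list of strings")
        return list(roles)
    role = claims.get("role")
    if role is None:
        return []
    if not isinstance(role, str):
        raise ValueError("role claim must be a string")
    return [role]
```

Checking membership with `"billing" in effective_roles(claims)` keeps the authorization decision in one place regardless of which claim the token carries.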
kendallstrautman
left a comment
A few small questions 👍🏻
Description
- roles to organization membership resource responses (get, list, create, update, deactivate, reactivate)
- roleSlugs parameter to organization membership create and update options
- roles support to session authentication and JWT decoding
Documentation
Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.
If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.
Will update the docs for these changes in ENT-3687
Testing
Tested locally against a team with multiple roles enabled and a team with multiple roles disabled. I tested OM get and update, along with the user management auth flow.