Integrate WorkOS SSO for Open Web UI #2

Open

vdimarco wants to merge 1 commit into main from terragon/integrate-workos-sso-osyksi

Conversation


@vdimarco vdimarco commented Jan 3, 2026

Summary

  • Integrates WorkOS SSO to enable enterprise-grade SSO via WorkOS SDK
  • Adds WorkOS-based login flow with organization_id or connection_id validation
  • Adds UI button to initiate WorkOS login when configured
  • Introduces tests for WorkOS configuration, provider loading, login/callback flows, and mapping
  • Adds WorkOS dependency and related config support

Changes

Backend

  • Config: Added WorkOS configuration options to backend/open_webui/config.py
    • WORKOS_CLIENT_ID, WORKOS_API_KEY, WORKOS_ORGANIZATION_ID, WORKOS_CONNECTION_ID, WORKOS_REDIRECT_URI
  • OAuth provider loading: Updated load_oauth_providers to register WorkOS when credentials exist and mark it as using the WorkOS SDK
    • Excludes WorkOS from standard OPENID logout warning logic
  • OAuth manager: Enhanced in backend/open_webui/utils/oauth.py
    • Conditional WorkOS client initialization using WorkOSClient when configured
    • Skips standard OAuth flow for WorkOS via uses_workos_sdk flag
    • Added _handle_workos_login to initiate WorkOS login (redirect to WorkOS authorize URL)
    • Added _handle_workos_callback to process WorkOS callback, including profile extraction, domain/organization validation, user/session handling, and JWT/cookie setup
    • Ensures WorkOS login requires either WORKOS_ORGANIZATION_ID or WORKOS_CONNECTION_ID
    • Handles user creation, updates, and optional signup webhook flow when enabled
  • Tests: Added new test suite at backend/open_webui/test/apps/webui/utils/test_workos_oauth.py
    • Verifies WorkOS config variables exist, provider loading behavior with/without credentials, and WorkOS login/callback flow coverage (SDK import, availability flag, provider handling, profile mapping, domain validation, etc.)

Frontend

  • UI: Updated src/routes/auth/+page.svelte to render a WorkOS login button when configured
    • Button navigates to /oauth/workos/login and uses a localized label if available
    • Includes a WorkOS-like SVG icon for visual consistency

Dependencies

  • pyproject.toml: Added WorkOS SDK dependency
    • workos>=5.0.0

UI Integration

  • Text and button label: Uses config-driven label (e.g., WorkOS SSO) or default if not configured
  • Route integration: Leverages existing OAuth flow routing to /oauth/workos/login and /oauth/workos/callback

Testing

  • Run the test suite (pytest) and verify all tests pass or are skipped if WorkOS SDK is not installed in the environment
  • Manual flow verification (when configured):
    • Navigate to /auth and confirm a WorkOS SSO button appears
    • Click button to initiate WorkOS login and be redirected to the WorkOS authorization URL
    • Simulate a callback with a valid code and verify a JWT cookie and oauth_session cookie are set, and user/session data is correctly created/updated

Notes

  • WorkOS integration is opt-in via environment config (WORKOS_* variables). If the WorkOS SDK is not installed, the code gracefully keeps a non-breaking behavior and the SDK availability flag is false.
  • The tests rely on the presence of the WorkOS SDK; if unavailable, some tests will be skipped to preserve CI stability.

🌿 Generated by Terry
📎 Task: https://www.terragonlabs.com/task/8499bebf-e7ee-452a-9872-bf7b5e27d933
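The callback checks the description above lists (profile extraction, binding to the configured organization or connection, email domain validation, and deriving the provider-scoped `oauth_sub`) written out as pure functions. This is an added Python example, not code from this PR or from Open WebUI: `WorkOSProfile` is a constructed stand-in for the profile object the WorkOS SDK returns, `CallbackError` stands in for the `HTTPException(400, ...)` the real handler raises, and every id, email and domain value is made up.

```python
"""Validation steps for a WorkOS SSO callback, written as pure functions so they
can be unit-tested without the SDK or an HTTP server.

Added example, not code from the Open WebUI project or from this PR.
Assumptions: `WorkOSProfile` stands in for the SDK profile object (only the
fields used here are modelled) and `CallbackError` stands in for the
HTTPException(400, ERROR_MESSAGES.INVALID_CRED) the real handler raises.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Deliberately simple shape check; the authoritative address is the one WorkOS returned.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class CallbackError(ValueError):
    """Stand-in for the 400 response the callback returns on a bad profile."""


@dataclass(frozen=True)
class WorkOSProfile:
    """Stand-in for the SDK profile; every field may be missing at runtime."""
    id: Optional[str]
    email: Optional[str]
    first_name: Optional[str] = None
    last_name: Optional[str] = None
    organization_id: Optional[str] = None
    connection_id: Optional[str] = None


def require_workos_target(organization_id: Optional[str], connection_id: Optional[str]) -> dict:
    """The login endpoint must be pinned to one organization or one connection.

    Without that pin WorkOS would accept any connection the client ID can reach,
    so the flow must not start. Organization takes precedence when both are set.
    """
    if organization_id:
        return {"organization_id": organization_id}
    if connection_id:
        return {"connection_id": connection_id}
    raise CallbackError("WORKOS_ORGANIZATION_ID or WORKOS_CONNECTION_ID must be set")


def validate_profile(profile: WorkOSProfile,
                     expected_organization_id: Optional[str] = None,
                     expected_connection_id: Optional[str] = None) -> None:
    """Reject a profile that cannot safely be turned into a user record."""
    # The identifier that becomes oauth_sub must be a non-empty string; otherwise
    # every such login would collapse onto "workos@None" or "workos@".
    if not isinstance(profile.id, str) or not profile.id.strip():
        raise CallbackError("profile id missing")
    if not isinstance(profile.email, str) or not _EMAIL_RE.match(profile.email):
        raise CallbackError("profile email missing or malformed")
    # Bind the profile to the organization/connection this deployment is configured for.
    if expected_organization_id and profile.organization_id != expected_organization_id:
        raise CallbackError("profile belongs to a different organization")
    if expected_connection_id and profile.connection_id != expected_connection_id:
        raise CallbackError("profile came through a different connection")


def email_domain_allowed(email: str, allowed_domains: list[str]) -> bool:
    """Case-insensitive domain allow-list; an empty list or '*' allows any domain."""
    if not allowed_domains or "*" in allowed_domains:
        return True
    domain = email.rsplit("@", 1)[1].lower()
    return domain in {d.lower().lstrip("@") for d in allowed_domains}


def build_provider_sub(profile: WorkOSProfile) -> str:
    """Namespace the WorkOS id so it cannot collide with another provider's sub."""
    validate_profile(profile)
    return f"workos@{profile.id}"


def map_profile(profile: WorkOSProfile,
                allowed_domains: list[str],
                expected_organization_id: Optional[str] = None,
                expected_connection_id: Optional[str] = None) -> dict:
    """Run every check, then return the fields the user store needs."""
    validate_profile(profile, expected_organization_id, expected_connection_id)
    email = profile.email.lower()
    if not email_domain_allowed(email, allowed_domains):
        raise CallbackError("email domain not allowed")
    name = " ".join(p for p in (profile.first_name, profile.last_name) if p) or email.split("@", 1)[0]
    return {"oauth_sub": build_provider_sub(profile), "email": email, "name": name}


if __name__ == "__main__":
    # Constructed sample profiles; none of these ids or addresses are real.
    good = WorkOSProfile(id="prof_01", email="Alice@Example.com", first_name="Alice",
                         last_name="Doe", organization_id="org_01")
    print(map_profile(good, ["example.com"], expected_organization_id="org_01"))
    for bad in (WorkOSProfile(id=None, email="bob@example.com"),
                WorkOSProfile(id="prof_02", email="bob@other.org")):
        try:
            map_profile(bad, ["example.com"])
        except CallbackError as exc:
            print("rejected:", exc)
```

Keeping the checks as pure functions lets a test suite like the one this PR adds exercise the rejection paths (missing id, wrong organization, disallowed domain) without a WorkOS account or network access; the real handler would call them between `get_profile_and_token` and the user lookup.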


Note

Enables enterprise SSO via WorkOS with a dedicated SDK-driven flow, config persistence, and UI entry point.

  • Backend: Adds WORKOS_* configs in config.py; registers workos provider (flagged uses_workos_sdk) and excludes it from OpenID logout warnings
  • OAuth manager (utils/oauth.py): Initializes WorkOSClient; new _handle_workos_login and _handle_workos_callback paths using organization_id/connection_id, domain/org validation, user creation/merge, role/group updates, JWT and oauth_session cookie handling
  • Tests: New test_workos_oauth.py covering config presence, provider loading, SDK availability flag, login precondition, profile mapping, domain checks, and auth URL generation
  • Frontend: src/routes/auth/+page.svelte shows a WorkOS SSO button that routes to /oauth/workos/login
  • Config/Deps: .env.example docs for WORKOS_*; add workos>=5.0.0 to pyproject.toml

Written by Cursor Bugbot for commit 9f9c9bf.

- Add WorkOS environment variables to .env.example
- Add persistent configs and provider registration for WorkOS in backend config
- Integrate WorkOS SDK client in OAuthManager for login and callback
- Implement WorkOS-specific login and callback handling with user mapping and session management
- Add extensive tests for WorkOS configuration, login flow, profile mapping, and email domain validation
- Update pyproject.toml to include workos SDK dependency
- Add WorkOS login button to frontend authentication page

This enables enterprise SSO via WorkOS using SAML, OIDC, or OAuth providers, extending existing OAuth capabilities with WorkOS SDK support.

Co-authored-by: terragon-labs[bot] <terragon-labs[bot]@users.noreply.github.com>
@chatgpt-codex-connector
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

)
raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)

provider_sub = f"workos@{sub}"
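Review bot: `provider_sub = f"workos@{sub}"` is built without first checking that `sub` is a non-empty string, so a profile whose id is missing produces `workos@None` or `workos@`, an identifier that several accounts could end up sharing. Apply the same guard the standard OAuth callback uses before this line, e.g. `if not sub: raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)`, and add a case for the missing-id profile to test_workos_oauth.py so the rejection path is covered.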

Missing profile ID validation in WorkOS callback

The WorkOS callback extracts profile.id at line 1500 without validating it's not None or empty, then uses it at line 1517 to build provider_sub. The standard OAuth callback validates that sub is present (lines 1218-1220) before using it. If profile.id is unexpectedly None or empty, this could create users with oauth_sub values like "workos@None" or "workos@", potentially causing multiple users to share the same identifier and leading to account confusion or unauthorized access.
