@sdalezman Can you give us some more details on what you think this should look like?

Using usermanagement.GetJWKSURL, I am given the URL from where I can fetch JWKs to verify a JWT. To do the latter, I am using (or intend to use):

• github.com/golang-jwt/jwt/v5
• github.com/MicahParks/keyfunc/v3

This is a common combination. Below is the recommended approach to setup keyfunk:

usermanagement.SetAPIKey(cfg.WorkOS.APIKey)
jwksUrl, _ := usermanagement.GetJWKSURL(cfg.WorkOS.ClientID)

k, _ := keyfunc.NewDefault([]string{jwksUrl.String()})

// Error handling removed for example brevity

For now, I am expecting my application to start before writing any logic to verify JWTs, however, the last line gives the following error:

 http.go:98: ERROR Failed to refresh HTTP JWK Set from remote HTTP resource. error="failed to create JWK from JWK Marshal: failed to validate JSON Web Key: failed to validate JWK: X5TS256 in marshal does not match X5TS256 in marshalled" url=https://api.workos.com/sso/jwks/<CLIENT_ID>

I'm unfamilliar with JWKs. Is this a problem with the WorkOS implementation of a JWK, or possibly the library I am using? Any insight would be appreciated.

Edit: While I am here, I've also noticed that the decoded JWT does not have the role property in it.

With the upcoming OAuth migration we need to handle OAuth sso connections differently than non OAuth connections upon login.

Can a a method to ConnectionType be added that tells us whether it is OAuth or not.

func(c ConnectionType) IsOAuthConnection() bool {
   ...
}

Unit testing anything with global variables is a real pain, and it would make life a lot easier if each package would expose Client as an interface and then use something like https://github.com/vektra/mockery to generate mocks for all the clients so that proper testing can be easily implemented.

Similar to https://stripe.com/docs/api/pagination/auto

Can you export public error helper functions so i can easily tell what the cause of an error is?

Example of this below; a helper to tell whether an error is a bad request:

func IsErrorBadRequest(err error) bool {
	httpError, ok := err.(workos.HTTPError)
	if !ok {
		return false
	}

	return httpError.Code == http.StatusBadRequest
}

I notice that there's a function for determining if an error is a 400, but I've encountered errors where the HTTP status code is 422, for example when an email is malformed. It would be great if there were a utility method that could return the status code of a workos HTTPError - right now I'm just looking at the prefix of the error message and seeing if it start with 422.

An alternative is to expose the HTTPError struct so that the client can perform a type assertion.

Noticed directory_id and idp_id are missing on the user object in directory sync https://workos.com/docs/reference/directory-sync/user.

Also the state constant inactive is not there.

Can these be added? 🙏

OIDC and other SSO integrations support redirecting the user or calling a logout endpoint. Often, an enterprise requirement is to log the user completely out of the application and the identity provider to meet security requirements.

For example, if the user authenticates with OIDC to your application, then logs out of your application. Simply clicking login again, the user will likely not be prompted to sign in to the identity provider again and be automatically logged back in.

To combat this, OIDC implemented RP-Initiated Logout, which allows applications to send the user on logout to the Idp to be completed logged out.

This request is to add GetLogoutURL in the same style as the GetAuthorizationURL API that would build the URL for logging out the user. This method is needed because it requires access to the Well-Known config which is not readily available in the client (it can be done but requires extra code).

Ideally, the SDK would work as follows:

logoutURL, err := client.GetLogoutURL(opts GetLogoutURLOpts{
    RedirectUri: "", // required, where to land after logging out
    State: "", // optional, optional state parameter for the client
    Locale: "", // optional, hint to language of the user
}) 

The API would already know the Client ID and ID Token which are required by OIDC.

hey guys 👋

apologies if i've got this wrong but should validatePayload be exported in the webhooks package?

func validatePayload(workosHeader string, bodyString string, secret string, defaultTolerance time.Duration) (string, error)

as it stands i can only access the errors.

Applications should be able to configure metadata that will be attached to every event published to WorkOS within that process.

package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"

	"github.com/dewski/workos/auditlog"
)

func main() {
	auditlog.SetEventMetadata(map[string]interface{}{
		"deployment_sha": os.Getenv("DEPLOYMENT_SHA"),
	})

	http.HandleFunc("/login", func(w http.ResponseWriter, req *http.Request) {
		u := user{
			Email:      "[email protected]",
			DatabaseID: 1,
		}

		event := auditlog.NewEventWithHTTP("user.login", auditlog.Create, req)
		event.SetActor(u)
		event.SetTarget(u)
		err := event.Publish()
		if err != nil {
			// Call out to sentry
			fmt.Println("Had a problem writing this event")
		}

		body, _ := json.Marshal(event)
		fmt.Fprintf(w, string(body))
	})
	log.Fatal(http.ListenAndServe(":8081", nil))
}

It appears that LogStreams is not available in the GoSDK yet. Is this being looked into?

workos-go depends on gjson in internal/workos/http.go. gjson is used there to retrieve a field from a JSON payload, which would be just couple of lines using the stdlib only... Pulling 3rd party deps means everyone using the WorkOS Go SDK pulls them too, which in turn increases the risk of vulnerabilities ending up in our binaries (eg. GHSA-w942-gw6m-p62c - in this case not really a problem if you only parse JSON coming from WorkOS).

Easy fix to remove gjson:

diff --git a/internal/workos/http.go b/internal/workos/http.go
index c4702bc..da03b62 100644
--- a/internal/workos/http.go
+++ b/internal/workos/http.go
@@ -1,11 +1,10 @@
 package workos
 
 import (
+       "encoding/json"
        "fmt"
        "io/ioutil"
        "net/http"
-
-       "github.com/tidwall/gjson"
 )
 
 // TryGetHTTPError returns an error when the http response contains invalid
@@ -20,7 +19,7 @@ func TryGetHTTPError(r *http.Response) error {
        body, err := ioutil.ReadAll(r.Body)
        if err != nil {
                msg = err.Error()
-       } else if m := gjson.GetBytes(body, "message").Str; m != "" {
+       } else if m := getJSONErrorMessage(body); m != "" {
                msg = m
        } else {
                msg = string(body)
@@ -34,6 +33,16 @@ func TryGetHTTPError(r *http.Response) error {
        }
 }
 
+func getJSONErrorMessage(b []byte) string {
+       var response struct{ Message string }
+
+       if err := json.Unmarshal(b, &response); err != nil {
+               return ""
+       }
+
+       return response.Message
+}
+
 // HTTPError represents an http error.
 type HTTPError struct {
        Code      int

When using GetProfileAndToken, there are a few cases where we might have an error. Namely:

• The Client ID was invalid.
• The Secret key was invalid or expired.
• The code itself was invalid.

We want to handle these cases differently (e.g., have our callback handler return a 500 in the first two cases so alarm bells go off, but a 400 in the latter case since not our problem). However, it's difficult to do this because of the way that the error is returned in the SDK. The JSON bodies of these responses looks like this:

{"error":"invalid_client","error_description":"Invalid client_id."}
{"error":"invalid_client","error_description":"Invalid client secret."}
{"error":"invalid_grant","error_description":"The code 'XXXYYYZZZ' has expired or is invalid."}

...but the workos_error.HTTPError only returns the following:

Code: 400
Status: 400 Bad Request
RequestID: A UUID
ErrorCode: ""
Errors: []
FieldErrors: []
IsRequestError: true
Message (see below)

The message ends up using this logic to mash up the strings, so the three errors I talked about above would result in these Message values:

"invalid_client Invalid client_id"
"invalid_client Invalid client secret."
"invalid_grant The code 'XXXYYYZZZ' has expired or is invalid."

So in the end, while in theory the SDK gives us an error code so that a developer doesn't need to parse a string, I still end up needing to parse a string.

Ideally, the code (e.g., "invalid_client" and "invalid_grant") would be in a field like "ErrorCode.

It would be quite useful if there were structs that corresponded to webhook events, e.g. like dsync.user.updated.

For the above example, there is the directorysync.User type but it's not quite right. Compare its definition https://github.com/workos-inc/workos-go/blob/83f29941b8a27e7693d229c4ce9190bf581a47f2/pkg/directorysync/client.go#L57-L75

To the payload definition:

(The directory_id field is missing)

Hi,

Right now I'm just trying to figure out how to correctly paginate responses from WorkOS, so I looked in the repo. I saw that auto-pagination was removed in #20. Why was this? Was it faulty in some way? I think I'm probably missing some context.

When someone attaches metadata to an event it'd be nice if you could add a struct, for example:

team := Team{
	ID: 1,
	Team: "workos/owners",
}
actor := User{
	ID: 1,
	Email: "[email protected]",
}
user := User{
	ID: 2,
	Email: "[email protected]",
}

event := auditlog.NewEvent("team.add_member", auditlog.Create)
event.SetActor(actor)
event.SetTarget(team)
event.AddMetadata(map[string]interface{}{
	"user": user,
})

{
  "group": "twitter",
  "action": "team.add_member",
  "action_type": "C",
  "actor_name": "[email protected]",
  "actor_id": "user_1",
  "target_name": "workos/owners",
  "target_id": "team_1",
  "location": "1.1.1.1",
  "occured_at": "2019-05-01T01:15:55.619355Z",
  "metadata": {
    "user_name": "[email protected]",
    "user_id": "user_2"
  }
}