Using WorkOS SSO with Cerbos

Published by Alex Olivier on March 03, 2022
image

Single Sign-On (SSO) is the most frequently occurring requirement for enterprise organisations looking to adopt new SaaS applications. WorkOS is single integration which enables your application to support SSO for all of the most popular identity providers.

As identity is such a key part to authorization, today we released a starter project that connects WorkOS and Cerbos. It demonstrates how an identity object, passed from WorkOS, can be mapped into the principal information in the call to Cerbos. By doing this, all the profile information can be used, regardless of the source, to define policies and conditions.

The benefit of integrating an authentication and identity provider with Cerbos is that the rich context about the user can be used in policy conditions. It enables going beyond simplistic role-based access controls (RBAC) to more complex attribute-based access control (ABAC) without the need to have complicated logic written directly in your code.

Cerbos integrates with many authentication providers. Our WorkOS integration works with the same principle that all of our other Authentication integrations (Okta, Auth0, FusionAuth etc). It relies on getting the identity object and combining it with the resource that user is trying to access and ask the question whether that user is allowed to do that action on the said principal. For example, “can a user who is a manager in the northeast region approve an expense report that belongs to an employee from the south region in the amount of $5000?”

WorkOS with cerbos

Following is an example of what this may look like in your application code. It simply grabs the profile from WorkOS and passes it over to Cerbos in the principal object. You can see a full example on GitHub.

// get the profile for WorkOS
const { profile } = await workos.sso.getProfileAndToken({
  code,
  clientID,
});

// check access
const authorized = await cerbos.check({
  principal: {
    id: profile.id,
    roles: ["user"], //populate based on your user roles
    attr: profile.raw_attributes,
  },
  resource: ...,
  actions: [...]
})

You can find out more about WorkOS on their site, our integration, as well as our other integrations such as Auth0, Okta and FusionAuth and more on the Ecosystem page.

DOCUMENTATION
GUIDE
INTEGRATION

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team