Integration with WorkOS

Changelog

1.0.2 – 2026-05-11

• New: WordPress password fallback — if WorkOS rejects a password, the auth endpoint can retry against WordPress’s own wp_authenticate() to cover users whose passwords were never synced to WorkOS, then link the user to WorkOS and (by default) write the password through so future logins authenticate directly. A new “Require Email Confirmation on Fallback” setting switches the post-fallback step to a magic-code email instead of syncing the plaintext password. Gated by the existing allow_password_fallback toggle.
• New: wp-config.php constant seeder — defining WORKOS_* (or env-scoped WORKOS_{PRODUCTION|STAGING}_*) constants now seeds those values into the database on boot, so the admin UI reflects them. Covers string credentials, the new boolean toggles, and WORKOS_REDIRECT_URLS arrays. Hash-skipped when nothing has changed — one autoloaded option read per request in steady state.
• Fix: Auth REST endpoints under /wp-json/workos/v1/auth/* now read the nonce from X-WorkOS-Nonce instead of X-WP-Nonce to avoid a header collision with WordPress core and other plugins. The bundled React shell is updated; external clients hitting these endpoints directly must rename the header.

1.0.1 – 2026-05-01

• New: Organization tab — manual Refresh button next to the organization dropdown re-fetches organizations from WorkOS on demand via the admin REST endpoint (no admin-ajax), bypassing the 5-minute cache. The dropdown is blocked with a spinner during the refresh and the selected organization is preserved when it still exists.
• New: ?refresh=1 query parameter on GET /wp-json/workos/v1/admin/profiles/organizations to drop the shared transient before fetching.
• Fix: Organization tab — “Save Settings” was blocked by a hidden, required org_name input. The Create Organization modal is now rendered at admin_footer so its inner <form> is no longer nested inside the settings form.
• Fix: Active environment is now stored in a single place. The admin Settings UI wrote to workos_active_environment while the runtime auth flow read from workos_global['active_environment'], so picking “Production” still loaded staging credentials and redirected to the staging AuthKit. The runtime now reads/writes the standalone option, with a one-time migration (db_version 2 → 3) that moves any legacy value out of workos_global.

1.0.0 – 2026-04-23

Custom AuthKit (WordPress-hosted login):
* React login shell on wp-login.php, [workos:login] shortcode, and /workos/login/{profile} route.
* Login Profiles — admin-defined presets for enabled methods, pinned organization, signup/invite/reset flows, MFA policy, and branding, managed at WorkOS → Login Profiles.
* Per-profile custom URL paths (e.g. /members, /team/login) on top of the canonical /workos/login/{slug} rewrite. The default profile can claim a custom path so /wp-login.php bounces to it. Reserved core paths are blocked.
* Already-signed-in visitors are 302’d to their post-login destination on every AuthKit surface (or shown an inline “You’re already signed in” notice in the shortcode).
* Per-profile forward_query_args toggle to pass marketing/analytics args onto the post-login destination (internals always stripped).
* Pinned-organization picker in the Profile editor reads live from WorkOS (with a “Custom ID…” fallback for legacy or unlisted orgs), and the Profiles list renders organization names instead of raw IDs.
* Embed & URLs section in the editor exposes copyable input fields for the canonical URL, the optional custom-path URL, and the [workos:login profile="…"] shortcode.
* Sign-in methods: email + password, magic code, social OAuth (Google, Microsoft, GitHub, Apple), passkey.
* Full MFA support — TOTP, SMS, WebAuthn/passkey with in-app enrollment + challenge.
* Self-serve sign-up, invitation acceptance, and in-app password reset.
* Branding — heading, subheading, primary color (defaults to WordPress admin-color palette), and three-mode logo control (default falls back to Site Icon → bundled WP logo, custom uses the chosen attachment, none hides the logo).
* SlotFill extensibility — ten named slots (including workos.authkit.belowCard, which renders standard wp-login.php links by default) for plugins to inject React elements into the login UI.
* Profile routing rules (redirect_to glob / referrer host / user role).
* WorkOS Radar anti-fraud integration (set WORKOS_RADAR_SITE_KEY).
* Public REST at /wp-json/workos/v1/auth/* with profile-scoped nonces, per-IP/per-email rate limits, and signature-verified tokens.
* Full browser internationalization — every user-facing React/TS/JS string ships through @wordpress/i18n with the integration-workos text domain and wp_set_script_translations() wiring.

Base platform:
* SSO login via WorkOS AuthKit (legacy redirect mode, per-profile selectable).
* Headless authentication via WorkOS API.
* Directory Sync (SCIM) for automatic user provisioning and deprovisioning.
* Role mapping between WorkOS organization roles and WordPress roles.
* Organization management with local caching and multisite support.
* Entitlement gate — require organization membership to log in.
* Webhook processing for user, organization, directory, membership, and connection events.
* REST API Bearer token authentication using WorkOS access tokens.
* Legacy login button Gutenberg block and classic widget (AuthKit-redirect flow).
* Login bypass via ?fallback=1 for native WordPress login when WorkOS is unavailable.
* Activity logging with local database table and admin viewer.
* Audit logging — forward WordPress events to WorkOS Audit Logs.
* Role-based login redirects with per-role URL configuration.
* Role-based logout redirects with per-role URL configuration.
* Password reset integration with WorkOS.
* Registration redirect to WorkOS AuthKit.
* Admin bar badge showing active environment (production/staging).
* Diagnostics page with health checks and connectivity tests.
* Onboarding wizard for guided first-time setup.
* WP-CLI commands for status, user management, organization management, and bulk sync.