外掛標籤
開發者團隊
原文外掛簡介
Integration with WorkOS connects your WordPress site with WorkOS for enterprise-grade identity management.
Requirements
WordPress 6.2 or higher
PHP 7.4 or higher
A WorkOS account with API credentials
Custom AuthKit
WordPress-hosted React login — no redirect to WorkOS for password, magic code, signup, invitation, or MFA. Mounts on wp-login.php, a shortcode ([workos:login]), and a dedicated /workos/login/{profile} route.
Login Profiles — admin-defined presets (enabled sign-in methods, pinned organization, signup/invite toggles, MFA policy, branding) edited from WorkOS → Login Profiles. The organization picker loads live from WorkOS so admins pick an org by name instead of pasting raw IDs.
Per-profile custom URL paths — assign any profile its own URL (e.g. /members, /team/login) on top of the canonical /workos/login/{profile} rewrite. When the default profile owns a custom path, /wp-login.php 302s to it (preserving every inbound query arg). Reserved core paths can’t be claimed.
Already-signed-in handling — visitors who hit any AuthKit surface while logged in are 302’d to their post-login destination (or, in the shortcode, see an inline “You’re already signed in” notice with a Continue link).
forward_query_args per-profile toggle — opt-in passing of marketing/analytics query args (utm_*, ref, etc.) onto the post-login destination. WP and plugin internals are always stripped.
Sign-in methods — email + password, magic code, social OAuth (Google, Microsoft, GitHub, Apple), and passkey. Each profile chooses its own subset.
MFA — TOTP, SMS, and WebAuthn/passkey with in-app enrollment + challenge. Profile-level mfa.enforce (never/if_required/always) and factor allowlist are applied at login time.
Self-serve sign-up + invitation acceptance + in-app password reset — all handled by the React shell; no third-party pages.
Branding controls — per-profile heading, subheading, primary color (with WordPress admin-color presets), and logo with a three-mode toggle (default falls back to the Site Icon then a bundled WP logo, custom uses the chosen image, none hides the logo).
Embed & URLs in the editor — every Login Profile shows copyable input fields for its canonical URL, optional custom-path URL, and shortcode so admins can paste them into pages or share them with users.
WorkOS Radar anti-fraud integration optional via WORKOS_RADAR_SITE_KEY.
Profile routing rules — send incoming logins to a specific profile based on redirect_to, referrer host, or user role.
Authentication
Single Sign-On (SSO) — legacy AuthKit redirect mode, per-profile selectable for SAML/OIDC connections.
Headless mode — intercept WordPress’s authenticate filter for custom login forms.
Legacy Login Button — Gutenberg block and classic widget (AuthKit-redirect flow).
Login Bypass — Access the native WordPress login form via ?fallback=1 when WorkOS is unavailable.
Password Reset Integration — Redirect password reset to WorkOS or fall back to WordPress.
Registration Redirect — Redirect registration to WorkOS AuthKit.
REST API Authentication — Verify WorkOS access tokens for headless/API usage.
User & Organization Management
Directory Sync — Automatic user provisioning and deprovisioning via SCIM.
Role Mapping — Map WorkOS organization roles to WordPress roles.
Organization Management — Multi-tenant organization support.
Entitlement Gate — Require organization membership to log in.
Redirects
Role-Based Login Redirects — Send users to different URLs after login based on their WordPress role.
Role-Based Logout Redirects — Send users to different URLs after logout based on their WordPress role.
Admin Tools
Activity Logging — Local database table with admin viewer for tracking authentication and sync events.
Audit Logging — Forward WordPress events to WorkOS Audit Logs.
Diagnostics Page — System health checks, configuration status, and connectivity tests.
Onboarding Wizard — Guided setup for initial plugin configuration and user sync.
Admin Bar Badge — Shows the active WorkOS environment in the admin bar.
WP-CLI Commands — Full CLI access for scripting, bulk operations, and diagnostics.
Privacy & Security
This plugin transmits user data (email, name) to WorkOS for authentication and directory sync. No data is sent until you configure API credentials and users authenticate. API keys are stored in the WordPress database or can be defined as constants in wp-config.php. See the “External services” section for full details on data transmitted.
Support
Documentation & Source Code
Report a Bug
WorkOS Documentation
External services
This plugin connects to the WorkOS API (https://api.workos.com) to provide enterprise identity management features for WordPress.
Authentication (SSO)
When a user logs in via WorkOS AuthKit or headless mode, the plugin sends an authorization code (and, in headless mode, the user’s email and password) to WorkOS to exchange for user identity data and access tokens. This happens each time a user authenticates through WorkOS.
User Management
When the site administrator creates, updates, or syncs users between WordPress and WorkOS, the plugin sends user profile data (email, first name, last name) to the WorkOS API.
Directory Sync
The plugin receives incoming webhook requests from WorkOS containing directory and user data for automatic provisioning and deprovisioning. The webhook endpoint URL is registered with WorkOS by the site administrator.
Organization Management
When managing organizations, the plugin sends and retrieves organization data (name, membership details, role assignments) to and from the WorkOS API.
Audit Logging
When audit logging is enabled, the plugin sends WordPress event data (action performed, actor, target, and metadata) to the WorkOS Audit Logs API on each tracked event.
Token Verification
When REST API authentication is enabled, the plugin fetches JSON Web Key Sets (JWKS) from WorkOS (https://api.workos.com/sso/jwks/{client_id}) to verify access tokens. The JWKS response is cached locally for one hour.
Service links
WorkOS is provided by WorkOS, Inc.
Terms of Service
Privacy Policy