workos/authkit-nextjs

WorkOS without HTTP-only cookies

Closed this issue · 3 comments

ijxy commented

I'm coming at WorkOS (which, fwiw, I really want to use) from many years (unhappily) working with Amazon Cognito via AWS Amplify. Currently evaluating for use within a B2B SaaS company, specifically for the features around self-service SSO.

Cognito (mostly) (almost) works, but you really have to get your hands dirty and pray to the gods of Authentication that you don't want to change things after it is set up. By comparison, WorkOS seems like a breath of fresh air, and it gives me a lot of confidence to know you count Vercel as a customer.

Aside from superior ease of use, quality of design and feature-completeness (😆), one thing that is different between Cognito and WorkOS is the ability to have a "public" client (i.e. no client secret, so cookies are unencrypted and accessible from the browser).

I am finding that the use of HTTP-only cookies in WorkOS makes it significantly more expensive/slow to use an external API due to the need to make a request to the Next server to create a JWT that can be attached as a Bearer token (in the usual manner).

Is there a way to use WorkOS with a public (secretless) client and non-http-only cookies? Or is my best course here to use React Context to "cache" the JWT client side after requesting it? Naturally, the external backend will have to validate the JWT header that gets sent so it isn't less secure in that sense.
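The "cache the JWT client side" approach raised in the question, as an added example that is not part of this thread and not authkit-nextjs or WorkOS code. It assumes a Next.js route (hypothetical name `GET /api/token`) that mints a short-lived JWT from the HttpOnly session; the token is held in memory only, refreshed shortly before its `exp`, and attached as a Bearer header, so nothing secret is ever written to a browser-readable cookie or localStorage.

```javascript
// Added example (not authkit-nextjs/WorkOS code): in-memory cache for a JWT minted
// by an assumed Next.js route so the HttpOnly session cookie never leaves the browser.
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
}

// Read the `exp` claim (seconds since epoch) without verifying the signature:
// verification is the external API's job, the client only schedules refreshes.
function decodeJwtExp(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof payload.exp !== 'number') throw new Error('JWT has no exp claim');
  return payload.exp;
}

// `fetchToken` does the credentialed call to the Next.js route (assumed
// GET /api/token) and resolves to the JWT string; it and `now` (seconds since
// epoch) are injected so the cache can be exercised offline.
function createTokenCache(fetchToken, { skewSeconds = 30, now = () => Date.now() / 1000 } = {}) {
  let cached = null;   // { token, exp }, held in memory only
  let inFlight = null; // one pending refresh shared by all concurrent callers
  async function getToken() {
    if (cached && cached.exp - skewSeconds > now()) return cached.token;
    if (!inFlight) {
      inFlight = fetchToken()
        .then((token) => { cached = { token, exp: decodeJwtExp(token) }; return token; })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  }
  // Call clear() on sign-out so a stale token cannot outlive the session cookie.
  return { getToken, clear: () => { cached = null; } };
}

// Attach the cached token as a Bearer header on a request to the external API.
async function authorizedFetch(cache, fetchImpl, url, init = {}) {
  const token = await cache.getToken();
  return fetchImpl(url, { ...init, headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` } });
}

// Constructed, unsigned sample token for offline use only; a real token's third
// segment is the server's signature, which the external API must verify.
function makeConstructedJwt(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc({ sub: 'user_123', exp })}.placeholder`;
}
```

In a React app the cache object would live in a Context provider so every component shares one refresh; `authorizedFetch` is what components call instead of `fetch` for the external API.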

Hey there! This is good timing as we're currently working on a front-end sessions SDK that will use PKCE to authenticate, meaning it'll be "secretless".

Once that's released we'll be able to incorporate it into this library for wider use. No ETA on when it'll be released but it should be in the order of weeks.

ijxy commented

> Hey there! This is good timing as we're currently working on a front-end sessions SDK that will use PKCE to authenticate, meaning it'll be "secretless".
>
> Once that's released we'll be able to incorporate it into this library for wider use. No ETA on when it'll be released but it should be in the order of weeks.

That's really good to hear, thanks for the heads up

Closing the loop here, we've now released authkit-react that I believe will satisfy your needs. We've also updated our quick start guide to show how to use the new library. Feel free to open up a new issue here or on the authkit-react repo if you encounter any issues!