workos 5.19.0 → 5.21.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b64aa946db63d75ad0e7b560a904f441d2acfe4f320138c90884c5382a8da26e
-  data.tar.gz: 9038133e40d856eee210c2298739995e3aa8cceae91b1415542955c6bea16226
+  metadata.gz: 44c2f0a70f0a653685d6e7a8ca2601b64c4a1ff43276680ff52d0fcd2c80f5b3
+  data.tar.gz: 1d3aa7e958196efbe79018014e2ffd5be229dc93812a60725d05a958afcd1c20
 SHA512:
-  metadata.gz: c16ee35f4494b5acd119ae6a354d0ba3fa7d9e892310d8388133ff54c0e0930f3d19a20c96d3ebe5b99d7fccd8acf213eb78e6d679967c972c4c4abc15ad3cfd
-  data.tar.gz: 88a97b1723b6dd505b19e8911c6eccef2b2adda01e996959cffa73ec82d71bf85d1011e517f660085d5c388f6474dad2eb7f0b78352e5f5b458671510b936813
+  metadata.gz: f51ad812297b13109f943a23d15592991b14f2d1c18ba91505c4227fffc64c2ac7912c32df163e974eb95a1f8069b3289f33b1bf783c18e757ba56e7869717d7
+  data.tar.gz: 5a5428749ac62c22f4fa33db0ad5a491e262c01e445a8318210d09e654e6123a17dec582e9d8b54f09913f123679f1ebe8bc57a2fec7d032f690acf28d77b8a4

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    workos (5.19.0)
+    workos (5.21.0)
       encryptor (~> 3.0)
       jwt (~> 2.8)
 

data/lib/workos/authentication_response.rb

@@ -12,7 +12,8 @@ module WorkOS
                   :access_token,
                   :refresh_token,
                   :authentication_method,
-                  :sealed_session
+                  :sealed_session,
+                  :oauth_tokens
 
     # rubocop:disable Metrics/AbcSize
     def initialize(authentication_response_json, session = nil)
@@ -27,6 +28,7 @@ module WorkOS
                            reason: impersonator_json[:reason],)
         end
       @authentication_method = json[:authentication_method]
+      @oauth_tokens = json[:oauth_tokens] ? WorkOS::OAuthTokens.new(json[:oauth_tokens].to_json) : nil
       @sealed_session =
         if session && session[:seal_session]
           WorkOS::Session.seal_data({
@@ -49,6 +51,7 @@ module WorkOS
         refresh_token: refresh_token,
         authentication_method: authentication_method,
         sealed_session: sealed_session,
+        oauth_tokens: oauth_tokens&.to_json,
       }
     end
   end

data/lib/workos/oauth_tokens.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module WorkOS
+  # The OAuthTokens class represents the third party provider OAuth tokens returned in the authentication response.
+  # This class is not meant to be instantiated in user space, and is instantiated internally but exposed.
+  class OAuthTokens
+    include HashProvider
+
+    attr_accessor :access_token, :refresh_token, :scopes, :expires_at
+
+    def initialize(json)
+      hash = JSON.parse(json, symbolize_names: true)
+
+      @access_token = hash[:access_token]
+      @refresh_token = hash[:refresh_token]
+      @scopes = hash[:scopes]
+      @expires_at = hash[:expires_at]
+    end
+
+    def to_json(*)
+      {
+        access_token: access_token,
+        refresh_token: refresh_token,
+        scopes: scopes,
+        expires_at: expires_at,
+      }
+    end
+  end
+end

data/lib/workos/organizations.rb

@@ -185,7 +185,14 @@ module WorkOS
 
       # Retrieve a list of roles for the given organization.
       #
-      # @param [String] organizationId The ID of the organization to fetch roles for.
+      # @param [String] organization_id The ID of the organization to fetch roles for.
+      #
+      # @example
+      #   WorkOS::Organizations.list_organization_roles(organization_id: 'org_01EHZNVPK3SFK441A1RGBFSHRT')
+      #   => #<WorkOS::Types::ListStruct data=[#<WorkOS::Role id="role_123" name="Admin" slug="admin"
+      #                                         permissions=["admin:all"] ...>] ...>
+      #
+      # @return [WorkOS::Types::ListStruct] - Collection of Role objects, each including permissions array
       def list_organization_roles(organization_id:)
         response = execute_request(
           request: get_request(

data/lib/workos/role.rb

@@ -7,7 +7,7 @@ module WorkOS
   class Role
     include HashProvider
 
-    attr_accessor :id, :name, :slug, :description, :type, :created_at, :updated_at
+    attr_accessor :id, :name, :slug, :description, :permissions, :type, :created_at, :updated_at
 
     def initialize(json)
       hash = JSON.parse(json, symbolize_names: true)
@@ -16,6 +16,7 @@ module WorkOS
       @name = hash[:name]
       @slug = hash[:slug]
       @description = hash[:description]
+      @permissions = hash[:permissions] || []
       @type = hash[:type]
       @created_at = hash[:created_at]
       @updated_at = hash[:updated_at]
@@ -27,6 +28,7 @@ module WorkOS
         name: name,
         slug: slug,
         description: description,
+        permissions: permissions,
         type: type,
         created_at: created_at,
         updated_at: updated_at,

data/lib/workos/user.rb

@@ -8,7 +8,7 @@ module WorkOS
     include HashProvider
 
     attr_accessor :id, :email, :first_name, :last_name, :email_verified,
-                  :profile_picture_url, :last_sign_in_at, :created_at, :updated_at
+                  :profile_picture_url, :external_id, :last_sign_in_at, :created_at, :updated_at
 
     def initialize(json)
       hash = JSON.parse(json, symbolize_names: true)
@@ -19,6 +19,7 @@ module WorkOS
       @last_name = hash[:last_name]
       @email_verified = hash[:email_verified]
       @profile_picture_url = hash[:profile_picture_url]
+      @external_id = hash[:external_id]
       @last_sign_in_at = hash[:last_sign_in_at]
       @created_at = hash[:created_at]
       @updated_at = hash[:updated_at]
@@ -32,6 +33,7 @@ module WorkOS
         last_name: last_name,
         email_verified: email_verified,
         profile_picture_url: profile_picture_url,
+        external_id: external_id,
         last_sign_in_at: last_sign_in_at,
         created_at: created_at,
         updated_at: updated_at,

data/lib/workos/user_management.rb

@@ -71,6 +71,7 @@ module WorkOS
       # field of the IdP sign-in page for the user, if you know their username ahead of time.
       # @param [String] domain_hint Can be used to pre-fill the domain field when
       # initiating authentication with Microsoft OAuth, or with a GoogleSAML connection type.
+      # @param [Array<String>] provider_scopes An array of additional OAuth scopes to request from the provider.
       # @example
       #   WorkOS::UserManagement.authorization_url(
       #     connection_id: 'conn_123',
@@ -96,7 +97,8 @@ module WorkOS
         provider: nil,
         connection_id: nil,
         organization_id: nil,
-        state: ''
+        state: '',
+        provider_scopes: nil
       )
 
         validate_authorization_url_arguments(
@@ -115,6 +117,7 @@ module WorkOS
           provider: provider,
           connection_id: connection_id,
           organization_id: organization_id,
+          provider_scopes: provider_scopes,
         }.compact)
 
         "https://#{WorkOS.config.api_hostname}/user_management/authorize?#{query}"
@@ -219,6 +222,7 @@ module WorkOS
       # @param [String] first_name The user's first name.
       # @param [String] last_name The user's last name.
       # @param [Boolean] email_verified Whether the user's email address was previously verified.
+      # @param [String] external_id The users's external ID
       # @param [String] password The user's password.
       # @param [String] password_hash The user's hashed password.
       # @option [String] password_hash_type The algorithm originally used to hash the password.
@@ -231,6 +235,7 @@ module WorkOS
         first_name: nil,
         last_name: nil,
         email_verified: nil,
+        external_id: nil,
         password: nil,
         password_hash: nil,
         password_hash_type: nil
@@ -242,6 +247,7 @@ module WorkOS
             first_name: first_name,
             last_name: last_name,
             email_verified: email_verified,
+            external_id: external_id,
             password: password,
             password_hash: password_hash,
             password_hash_type: password_hash_type,

data/lib/workos/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WorkOS
-  VERSION = '5.19.0'
+  VERSION = '5.21.0'
 end

data/lib/workos.rb

@@ -63,6 +63,7 @@ module WorkOS
   autoload :Invitation, 'workos/invitation'
   autoload :MagicAuth, 'workos/magic_auth'
   autoload :MFA, 'workos/mfa'
+  autoload :OAuthTokens, 'workos/oauth_tokens'
   autoload :Organization, 'workos/organization'
   autoload :Organizations, 'workos/organizations'
   autoload :OrganizationMembership, 'workos/organization_membership'

data/spec/lib/workos/organizations_spec.rb

@@ -354,6 +354,48 @@ describe WorkOS::Organizations do
           expect(roles.list_metadata).to eq(expected_metadata)
         end
       end
+
+      it 'returns properly initialized Role objects with all attributes' do
+        VCR.use_cassette 'organization/list_organization_roles' do
+          roles = described_class.list_organization_roles(organization_id: 'org_01JEXP6Z3X7HE4CB6WQSH9ZAFE')
+
+          first_role = roles.data.first
+          expect(first_role).to be_a(WorkOS::Role)
+          expect(first_role.id).to eq('role_01HS1C7GRJE08PBR3M6Y0ZYGDZ')
+          expect(first_role.name).to eq('Admin')
+          expect(first_role.slug).to eq('admin')
+          expect(first_role.description).to eq('Write access to every resource available')
+          expect(first_role.permissions).to eq(['admin:all', 'read:users', 'write:users', 'manage:roles'])
+          expect(first_role.type).to eq('EnvironmentRole')
+          expect(first_role.created_at).to eq('2024-03-15T15:38:29.521Z')
+          expect(first_role.updated_at).to eq('2024-11-14T17:08:00.556Z')
+        end
+      end
+
+      it 'handles roles with empty permissions arrays' do
+        VCR.use_cassette 'organization/list_organization_roles' do
+          roles = described_class.list_organization_roles(organization_id: 'org_01JEXP6Z3X7HE4CB6WQSH9ZAFE')
+
+          platform_manager_role = roles.data.find { |role| role.slug == 'org-platform-manager' }
+          expect(platform_manager_role).to be_a(WorkOS::Role)
+          expect(platform_manager_role.permissions).to eq([])
+        end
+      end
+
+      it 'properly serializes Role objects including permissions' do
+        VCR.use_cassette 'organization/list_organization_roles' do
+          roles = described_class.list_organization_roles(organization_id: 'org_01JEXP6Z3X7HE4CB6WQSH9ZAFE')
+
+          billing_role = roles.data.find { |role| role.slug == 'billing' }
+          serialized = billing_role.to_json
+
+          expect(serialized[:id]).to eq('role_01JA8GJZRDSZEB9289DQXJ3N9Z')
+          expect(serialized[:name]).to eq('Billing Manager')
+          expect(serialized[:slug]).to eq('billing')
+          expect(serialized[:permissions]).to eq(['read:billing', 'write:billing'])
+          expect(serialized[:type]).to eq('EnvironmentRole')
+        end
+      end
     end
   end
 end

data/spec/lib/workos/role_spec.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+describe WorkOS::Role do
+  describe '.initialize' do
+    context 'with full role data including permissions' do
+      it 'initializes all attributes correctly' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'Admin',
+          slug: 'admin',
+          description: 'Administrator role with full access',
+          permissions: ['read:users', 'write:users', 'admin:all'],
+          type: 'system',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+
+        expect(role.id).to eq('role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY')
+        expect(role.name).to eq('Admin')
+        expect(role.slug).to eq('admin')
+        expect(role.description).to eq('Administrator role with full access')
+        expect(role.permissions).to eq(['read:users', 'write:users', 'admin:all'])
+        expect(role.type).to eq('system')
+        expect(role.created_at).to eq('2022-05-13T17:45:31.732Z')
+        expect(role.updated_at).to eq('2022-07-13T17:45:42.618Z')
+      end
+    end
+
+    context 'with role data without permissions' do
+      it 'initializes permissions as empty array' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'User',
+          slug: 'user',
+          description: 'Basic user role',
+          type: 'custom',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+
+        expect(role.id).to eq('role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY')
+        expect(role.name).to eq('User')
+        expect(role.slug).to eq('user')
+        expect(role.description).to eq('Basic user role')
+        expect(role.permissions).to eq([])
+        expect(role.type).to eq('custom')
+        expect(role.created_at).to eq('2022-05-13T17:45:31.732Z')
+        expect(role.updated_at).to eq('2022-07-13T17:45:42.618Z')
+      end
+    end
+
+    context 'with role data with null permissions' do
+      it 'initializes permissions as empty array' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'User',
+          slug: 'user',
+          description: 'Basic user role',
+          permissions: nil,
+          type: 'custom',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+
+        expect(role.permissions).to eq([])
+      end
+    end
+
+    context 'with role data with empty permissions array' do
+      it 'preserves empty permissions array' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'User',
+          slug: 'user',
+          description: 'Basic user role',
+          permissions: [],
+          type: 'custom',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+
+        expect(role.permissions).to eq([])
+      end
+    end
+  end
+
+  describe '.to_json' do
+    context 'with role that has permissions' do
+      it 'includes permissions in serialized output' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'Admin',
+          slug: 'admin',
+          description: 'Administrator role',
+          permissions: ['read:all', 'write:all'],
+          type: 'system',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+        serialized = role.to_json
+
+        expect(serialized[:id]).to eq('role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY')
+        expect(serialized[:name]).to eq('Admin')
+        expect(serialized[:slug]).to eq('admin')
+        expect(serialized[:description]).to eq('Administrator role')
+        expect(serialized[:permissions]).to eq(['read:all', 'write:all'])
+        expect(serialized[:type]).to eq('system')
+        expect(serialized[:created_at]).to eq('2022-05-13T17:45:31.732Z')
+        expect(serialized[:updated_at]).to eq('2022-07-13T17:45:42.618Z')
+      end
+    end
+
+    context 'with role that has no permissions' do
+      it 'includes empty permissions array in serialized output' do
+        role_json = {
+          id: 'role_01FAEAJCJ3P1Z6WP5Y9VQPN2XY',
+          name: 'User',
+          slug: 'user',
+          description: 'Basic user role',
+          type: 'custom',
+          created_at: '2022-05-13T17:45:31.732Z',
+          updated_at: '2022-07-13T17:45:42.618Z',
+        }.to_json
+
+        role = described_class.new(role_json)
+        serialized = role.to_json
+
+        expect(serialized[:permissions]).to eq([])
+      end
+    end
+  end
+end

data/spec/lib/workos/user_management_spec.rb

@@ -36,6 +36,32 @@ describe WorkOS::UserManagement do
           'edit%22%7D&provider=authkit',
         )
       end
+
+      context 'with provider_scopes' do
+        it 'returns a valid authorization URL that includes provider_scopes' do
+          url = WorkOS::UserManagement.authorization_url(
+            provider: 'GoogleOAuth',
+            provider_scopes: %w[custom-scope-1 custom-scope-2],
+            client_id: 'workos-proj-123',
+            redirect_uri: 'foo.com/auth/callback',
+            state: {
+              next_page: '/dashboard/edit',
+            }.to_s,
+          )
+
+          expect(url).to eq(
+            'https://api.workos.com/user_management/authorize?' \
+            'client_id=workos-proj-123' \
+            '&redirect_uri=foo.com%2Fauth%2Fcallback' \
+            '&response_type=code' \
+            '&state=%7B%3Anext_page%3D%3E%22%2Fdashboard%2F' \
+            'edit%22%7D' \
+            '&provider=GoogleOAuth' \
+            '&provider_scopes=custom-scope-1' \
+            '&provider_scopes=custom-scope-2',
+          )
+        end
+      end
     end
 
     context 'with a connection selector' do
@@ -336,10 +362,12 @@ describe WorkOS::UserManagement do
             first_name: 'Jane',
             last_name: 'Doe',
             email_verified: false,
+            external_id: '123',
           )
           expect(user.first_name).to eq('Jane')
           expect(user.last_name).to eq('Doe')
           expect(user.email_verified).to eq(false)
+          expect(user.external_id).to eq('123')
         end
       end
 
@@ -453,6 +481,40 @@ describe WorkOS::UserManagement do
         end
       end
 
+      context 'when oauth_tokens is present in the api response' do
+        it 'returns an oauth_tokens object' do
+          VCR.use_cassette('user_management/authenticate_with_code/valid_with_oauth_tokens') do
+            authentication_response = WorkOS::UserManagement.authenticate_with_code(
+              code: '01H93ZZHA0JBHFJH9RR11S83YN',
+              client_id: 'client_123',
+              ip_address: '200.240.210.16',
+              user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36',
+            )
+
+            expect(authentication_response.oauth_tokens).to be_a(WorkOS::OAuthTokens)
+            expect(authentication_response.oauth_tokens.access_token).to eq('oauth_access_token')
+            expect(authentication_response.oauth_tokens.refresh_token).to eq('oauth_refresh_token')
+            expect(authentication_response.oauth_tokens.scopes).to eq(%w[read write])
+            expect(authentication_response.oauth_tokens.expires_at).to eq(1_234_567_890)
+          end
+        end
+      end
+
+      context 'when oauth_tokens is not present in the api response' do
+        it 'returns nil oauth_tokens' do
+          VCR.use_cassette('user_management/authenticate_with_code/valid') do
+            authentication_response = WorkOS::UserManagement.authenticate_with_code(
+              code: '01H93ZZHA0JBHFJH9RR11S83YN',
+              client_id: 'client_123',
+              ip_address: '200.240.210.16',
+              user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36',
+            )
+
+            expect(authentication_response.oauth_tokens).to be_nil
+          end
+        end
+      end
+
       context 'when the user is being impersonated' do
         it 'contains the impersonator metadata' do
           VCR.use_cassette('user_management/authenticate_with_code/valid_with_impersonator') do

data/spec/support/fixtures/vcr_cassettes/organization/list_organization_roles.yml

@@ -70,13 +70,13 @@ http_interactions:
         encoding: ASCII-8BIT
         string:
           '{"object":"list","data":[{"object":"role","id":"role_01HS1C7GRJE08PBR3M6Y0ZYGDZ","description":"Write
-          access to every resource available","name":"Admin","slug":"admin","type":"EnvironmentRole","created_at":"2024-03-15T15:38:29.521Z","updated_at":"2024-11-14T17:08:00.556Z"},{"object":"role","id":"role_01JA8GJZRDSZEB9289DQXJ3N9Z","description":"","name":"Billing
-          Manager","slug":"billing","type":"EnvironmentRole","created_at":"2024-10-15T16:36:11.653Z","updated_at":"2024-12-19T21:27:01.286Z"},{"object":"role","id":"role_01HSBH4R6RX0V86S3R590NNZW2","description":"Developer
-          role","name":"Developer","slug":"developer","type":"EnvironmentRole","created_at":"2024-03-19T14:16:46.038Z","updated_at":"2024-03-19T14:16:46.038Z"},{"object":"role","id":"role_01HS4GDWJ8T6NQPTX2D0R5KBHN","description":"Edit
-          and view access to non-critical resources","name":"Editor","slug":"editor","type":"EnvironmentRole","created_at":"2024-03-16T20:49:35.815Z","updated_at":"2024-03-16T20:52:19.410Z"},{"object":"role","id":"role_01HRFZE22WS2MGX6EWAG2JX6NW","description":"The
-          default user role","name":"Member","slug":"member","type":"EnvironmentRole","created_at":"2024-03-08T21:27:47.034Z","updated_at":"2024-08-14T00:27:46.265Z"},{"object":"role","id":"role_01JEYJ2Z5MYG0TZYTDF02MW11N","description":"Manage
-          billing for organization.","name":"Billing manager","slug":"org-billing-manager","type":"OrganizationRole","created_at":"2024-12-12T23:08:28.712Z","updated_at":"2024-12-12T23:08:28.712Z"},{"object":"role","id":"role_01JF0B7MQ9X414WQRAQMQYE1GS","description":"","name":"Platform
-          Manager","slug":"org-platform-manager","type":"OrganizationRole","created_at":"2024-12-13T15:47:10.692Z","updated_at":"2024-12-13T15:47:10.692Z"}]}'
+          access to every resource available","name":"Admin","slug":"admin","permissions":["admin:all","read:users","write:users","manage:roles"],"type":"EnvironmentRole","created_at":"2024-03-15T15:38:29.521Z","updated_at":"2024-11-14T17:08:00.556Z"},{"object":"role","id":"role_01JA8GJZRDSZEB9289DQXJ3N9Z","description":"","name":"Billing
+          Manager","slug":"billing","permissions":["read:billing","write:billing"],"type":"EnvironmentRole","created_at":"2024-10-15T16:36:11.653Z","updated_at":"2024-12-19T21:27:01.286Z"},{"object":"role","id":"role_01HSBH4R6RX0V86S3R590NNZW2","description":"Developer
+          role","name":"Developer","slug":"developer","permissions":["read:code","write:code","deploy:apps"],"type":"EnvironmentRole","created_at":"2024-03-19T14:16:46.038Z","updated_at":"2024-03-19T14:16:46.038Z"},{"object":"role","id":"role_01HS4GDWJ8T6NQPTX2D0R5KBHN","description":"Edit
+          and view access to non-critical resources","name":"Editor","slug":"editor","permissions":["read:content","write:content","publish:content"],"type":"EnvironmentRole","created_at":"2024-03-16T20:49:35.815Z","updated_at":"2024-03-16T20:52:19.410Z"},{"object":"role","id":"role_01HRFZE22WS2MGX6EWAG2JX6NW","description":"The
+          default user role","name":"Member","slug":"member","permissions":["read:basic"],"type":"EnvironmentRole","created_at":"2024-03-08T21:27:47.034Z","updated_at":"2024-08-14T00:27:46.265Z"},{"object":"role","id":"role_01JEYJ2Z5MYG0TZYTDF02MW11N","description":"Manage
+          billing for organization.","name":"Billing manager","slug":"org-billing-manager","permissions":["read:org:billing","write:org:billing"],"type":"OrganizationRole","created_at":"2024-12-12T23:08:28.712Z","updated_at":"2024-12-12T23:08:28.712Z"},{"object":"role","id":"role_01JF0B7MQ9X414WQRAQMQYE1GS","description":"","name":"Platform
+          Manager","slug":"org-platform-manager","permissions":[],"type":"OrganizationRole","created_at":"2024-12-13T15:47:10.692Z","updated_at":"2024-12-13T15:47:10.692Z"}]}'
       http_version:
     recorded_at: Mon, 23 Dec 2024 20:23:07 GMT
 recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid_with_oauth_tokens.yml

@@ -0,0 +1,82 @@
+---
+http_interactions:
+  - request:
+      method: post
+      uri: https://api.workos.com/user_management/authenticate
+      body:
+        encoding: UTF-8
+        string:
+          '{"code":"01H93ZZHA0JBHFJH9RR11S83YN","client_id":"client_123","client_secret":"<API_KEY>","ip_address":"200.240.210.16","user_agent":"Mozilla/5.0
+          (Macintosh; Intel Mac OS X 10_15_7) Chrome/108.0.0.0 Safari/537.36","grant_type":"authorization_code"}'
+      headers:
+        Content-Type:
+          - application/json
+        Accept-Encoding:
+          - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+        Accept:
+          - "*/*"
+        User-Agent:
+          - WorkOS; ruby/3.0.2; arm64-darwin21; v2.16.0
+    response:
+      status:
+        code: 200
+        message: OK
+      headers:
+        Date:
+          - Wed, 30 Aug 2023 19:51:51 GMT
+        Content-Type:
+          - application/json; charset=utf-8
+        Transfer-Encoding:
+          - chunked
+        Connection:
+          - keep-alive
+        Cf-Ray:
+          - 7fef921deeca091f-SEA
+        Cf-Cache-Status:
+          - DYNAMIC
+        Etag:
+          - W/"13b-pHataL1lHEvsW5EO4vq5QgAdcWw"
+        Strict-Transport-Security:
+          - max-age=15552000; includeSubDomains
+        Vary:
+          - Origin, Accept-Encoding
+        Via:
+          - 1.1 spaces-router (devel)
+        Access-Control-Allow-Credentials:
+          - "true"
+        Content-Security-Policy:
+          - "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self'
+            https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src
+            'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
+        Expect-Ct:
+          - max-age=0
+        Referrer-Policy:
+          - no-referrer
+        X-Content-Type-Options:
+          - nosniff
+        X-Dns-Prefetch-Control:
+          - "off"
+        X-Download-Options:
+          - noopen
+        X-Frame-Options:
+          - SAMEORIGIN
+        X-Permitted-Cross-Domain-Policies:
+          - none
+        X-Request-Id:
+          - 630bec5a-5a13-4311-a0b7-958889a3bbb2
+        X-Xss-Protection:
+          - "0"
+        Set-Cookie:
+          - __cf_bm=o5KBdIAUFZp0azSQnnd1GlQcIlcPCz95uFg6hFNnKM8-1693425111-0-ARSauqdojZdKD6Z7vp12JBrxCp6wE1s0JzEhaN0XE2DqME76OnJiDJugj2TsbNGXtqWaH3By7XHUXVZDf+AdFxU=;
+            path=/; expires=Wed, 30-Aug-23 20:21:51 GMT; domain=.workos.com; HttpOnly;
+            Secure; SameSite=None
+          - __cfruid=3e9a5d359ba92753e7626245fef8b2f1ee096477-1693425111; path=/; domain=.workos.com;
+            HttpOnly; Secure; SameSite=None
+        Server:
+          - cloudflare
+      body:
+        encoding: ASCII-8BIT
+        string: '{"user":{"object":"user","id":"user_01H93ZY4F80YZRRS6N59Z2HFVS","email":"test@workos.app","email_verified":false,"first_name":"Lucille","last_name":"Bluth","created_at":"2023-08-30T19:50:13.214Z","updated_at":"2023-08-30T19:50:13.214Z","user_type":"managed","sso_profile_id":"prof_01H93ZTVWYPAT4RKDSPFPPXH0J"},"access_token":"<ACCESS_TOKEN>","refresh_token":"<REFRESH_TOKEN>","oauth_tokens":{"access_token":"oauth_access_token","refresh_token":"oauth_refresh_token","scopes":["read","write"],"expires_at":1234567890}}'
+      http_version:
+    recorded_at: Wed, 30 Aug 2023 19:51:51 GMT
+recorded_with: VCR 5.0.0

data/spec/support/fixtures/vcr_cassettes/user_management/update_user/valid.yml

@@ -5,7 +5,7 @@ http_interactions:
     uri: https://api.workos.com/user_management/users/user_01H7TVSKS45SDHN5V9XPSM6H44
     body:
       encoding: UTF-8
-      string: '{"first_name":"Jane","last_name":"Doe","email_verified":false}'
+      string: '{"first_name":"Jane","last_name":"Doe","email_verified":false,"external_id":"123"}'
     headers:
       Content-Type:
       - application/json
@@ -76,7 +76,7 @@ http_interactions:
       - cloudflare
     body:
       encoding: ASCII-8BIT
-      string: '{"object":"user","id":"user_01H7TVSKS45SDHN5V9XPSM6H44","email":"willman@blips.app","email_verified":false,"first_name":"Jane","last_name":"Doe","created_at":"2023-08-14T20:28:58.929Z","updated_at":"2023-08-25T22:57:44.262Z","user_type":"unmanaged","email_verified_at":null,"google_oauth_profile_id":null,"microsoft_oauth_profile_id":null}'
+      string: '{"object":"user","id":"user_01H7TVSKS45SDHN5V9XPSM6H44","email":"willman@blips.app","email_verified":false,"first_name":"Jane","last_name":"Doe","external_id":"123","created_at":"2023-08-14T20:28:58.929Z","updated_at":"2023-08-25T22:57:44.262Z","user_type":"unmanaged","email_verified_at":null,"google_oauth_profile_id":null,"microsoft_oauth_profile_id":null}'
     http_version:
   recorded_at: Fri, 25 Aug 2023 23:37:04 GMT
 recorded_with: VCR 5.0.0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: workos
 version: !ruby/object:Gem::Version
-  version: 5.19.0
+  version: 5.21.0
 platform: ruby
 authors:
 - WorkOS
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-05-29 00:00:00.000000000 Z
+date: 2025-07-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: encryptor
@@ -158,6 +158,7 @@ files:
 - lib/workos/invitation.rb
 - lib/workos/magic_auth.rb
 - lib/workos/mfa.rb
+- lib/workos/oauth_tokens.rb
 - lib/workos/organization.rb
 - lib/workos/organization_membership.rb
 - lib/workos/organizations.rb
@@ -196,6 +197,7 @@ files:
 - spec/lib/workos/organizations_spec.rb
 - spec/lib/workos/passwordless_spec.rb
 - spec/lib/workos/portal_spec.rb
+- spec/lib/workos/role_spec.rb
 - spec/lib/workos/session_spec.rb
 - spec/lib/workos/sso_spec.rb
 - spec/lib/workos/user_management_spec.rb
@@ -300,6 +302,7 @@ files:
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid_with_impersonator.yml
+- spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid_with_oauth_tokens.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_email_verification/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_email_verification/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_magic_auth/invalid.yml
@@ -419,6 +422,7 @@ test_files:
 - spec/lib/workos/organizations_spec.rb
 - spec/lib/workos/passwordless_spec.rb
 - spec/lib/workos/portal_spec.rb
+- spec/lib/workos/role_spec.rb
 - spec/lib/workos/session_spec.rb
 - spec/lib/workos/sso_spec.rb
 - spec/lib/workos/user_management_spec.rb
@@ -523,6 +527,7 @@ test_files:
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid_with_impersonator.yml
+- spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_code/valid_with_oauth_tokens.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_email_verification/invalid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_email_verification/valid.yml
 - spec/support/fixtures/vcr_cassettes/user_management/authenticate_with_magic_auth/invalid.yml