Implementing enterprise authentication yourself takes time, carries security risks, and requires ongoing maintenance. SSO protocols, SCIM provisioning, MFA flows, and audit logs are complex, and for most projects they are not core business. WorkOS solves this problem as Authentication-as-a-Service: it provides enterprise SSO, SCIM, MFA, audit logs, and an Admin Portal as a complete, hosted infrastructure, eliminating the need to build auth logic within your own project.
The TYPO3 extension workos_auth brings this infrastructure directly into TYPO3 v14. It does not replace the standard TYPO3 login but complements it: frontend users and backend administrators can sign in through WorkOS AuthKit, with all the enterprise features WorkOS provides.
Table of Contents
Overview
Features in Detail
Installation
Conclusion
Overview
WorkOS is an Authentication-as-a-Service provider primarily developed for B2B SaaS products. Enterprise SSO (SAML, OIDC), SCIM provisioning, MFA, audit logs, and an Admin Portal are available as hosted services. If you use WorkOS, you no longer need to build your own auth logic, whether that is SSO protocol negotiation or user provisioning pipelines.
WorkOS AuthKit is the accompanying frontend library that provides ready-to-use UI components for the entire auth flow. The workos_auth extension uses AuthKit as its foundation and embeds it into TYPO3 v14, both for the frontend plugins and for the backend login.
User provisioning is automatic: fe_users and be_users records are created from each WorkOS identity and synchronised upon every login. The connection between the TYPO3 user and the WorkOS identity is maintained in the tx_workosauth_identity table.
This extension requires TYPO3 ^14.3 and PHP ^8.2 (CI tested: PHP 8.2–8.5). The dependency workos/workos-php ^5.0.3 is resolved via Composer. TYPO3 v14 LTS has been available since 21 April 2026. Support for TYPO3 v13 is not planned.
Features in Detail
The extension provides three frontend plugins:
| Plugin | Function |
|---|---|
| Login (AuthKit Card) | Ready-to-use WorkOS AuthKit component for login and registration; supports SSO, social sign-in, Magic Auth, and passkeys |
| Account Center | Profile management, password change, MFA setup, session overview, and organisation management for logged-in users |
| Team | Invitation management and Admin Portal for SSO/SCIM configuration as well as audit logs – for organisation administrators |
Backend Modules
Three backend modules complement the extension:
| Module | Task |
|---|---|
| Setup Assistant | Guided initial setup: enter WorkOS API keys, redirect URIs, and client IDs |
| User Management | Overview of all linked identities (tx_workosauth_identity), roles, and synchronisation status |
| MCP Server Configuration | Bearer token management for the /workos-auth/mcp endpoint |
Security Measures
The extension passes PHPStan Level Max. CSRF protection is active on all state-changing actions. Open redirect attacks are prevented through strict redirect URI validation. Localisation includes English and German (XLIFF 2.0 with ICU pluralisation).
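One way a strict check on a post-login redirect target can look, as an added example that is not code from the workos_auth extension. The function name `safeRedirectTarget`, the `$allowedOrigins` list, and the `example.org` origin are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Return $target if it is safe to redirect to after login, otherwise $fallback.
 * $allowedOrigins holds exact "scheme://host[:port]" strings (hypothetical configuration).
 */
function safeRedirectTarget(string $target, array $allowedOrigins, string $fallback = '/'): string
{
    // Reject control characters, whitespace and backslashes. Browsers treat "\"
    // like "/", so a value such as "/\host" would leave the site.
    if ($target === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $target) === 1) {
        return $fallback;
    }

    // Site-relative path: exactly one leading slash ("//host" is protocol-relative).
    if ($target[0] === '/') {
        return str_starts_with($target, '//') ? $fallback : $target;
    }

    // Absolute URL: must parse, must carry scheme and host, must be https.
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    // Credentials in the authority part are never needed for a return URL.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'https') {
        return $fallback;
    }

    // Compare the full origin exactly; prefix or substring matching would accept
    // look-alike hosts such as "www.example.org.other.example".
    $origin = $scheme . '://' . strtolower($parts['host'])
        . (isset($parts['port']) ? ':' . $parts['port'] : '');

    return in_array($origin, $allowedOrigins, true) ? $target : $fallback;
}

// Constructed sample inputs; example.org stands in for the site's own origin.
$allowed = ['https://www.example.org'];
foreach (['/account', '//other.example/x', '/\\other.example', 'https://www.example.org/team',
          'https://www.example.org.other.example/', 'javascript:alert(1)'] as $t) {
    printf("%-42s => %s\n", $t, safeRedirectTarget($t, $allowed));
}
```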
Installation
composer config repositories.workos vcs https://github.com/dirnbauer/workos.git
composer require dirnbauer/workos:@dev
Conclusion
workos_auth brings enterprise authentication to TYPO3 v14 – without the need to build your own auth logic. SSO, Magic Auth, social sign-in, MFA, audit logs, and a secured MCP endpoint are available immediately after installation and configuration. For teams running TYPO3 in enterprise environments or with AI agents, this provides a ready-to-use foundation.
Thanks to the WorkOS team for the documentation and AuthKit, as well as to the TYPO3 community for testing and feedback. The extension is released under the GPL.