Improved security for handling user email domains
When creating an Organization in WorkOS, you will now be prompted with an option checkbox which says “Allow authentication for users that do not match Organization email domains.” When left unselected (default), WorkOS will check that a user’s email domain matches one of the listed domains on the Organization object. If the domain is not included, user authentication will fail.
In the rare case that you are unable to maintain a list of domains that are valid for that organization, you may check this box to disable the additional security check.
This enhanced security feature is backwards compatible with existing connections, and we’ve migrated the majority of connections already. This change does not affect Google or Microsoft OAuth authentication, as these integrations have no domain restriction.
If you have questions about this new functionality and the implications for your app, feel free to check the documentation or reach out to WorkOS Support.