fix: include custom_attributes on SSO Profile struct

[kendocode]

Summary

WorkOS.SSO.Profile.cast/1 silently drops the custom_attributes field returned by POST /sso/token, so callers cannot read custom attributes configured on a connection in the WorkOS Dashboard.

This is the documented migration path away from raw_attributes (deprecated 2026-04-15), and custom_attributes is listed as a top-level field on the Profile object. Without this field on the struct, applications relying on IdP-issued claims (e.g. the sid claim used for front-channel single logout) cannot complete the migration and remain broken after the deprecation date.

Changes

• Add :custom_attributes to WorkOS.SSO.Profile's @type, defstruct, and cast/1, immediately after :raw_attributes.
• Field is optional (not in @enforce_keys, type | nil) since the API omits it for connections without custom attributes configured.
• Mirrors the existing handling in WorkOS.DirectorySync.Directory.User.

Tests

• Extended both get_profile_and_token and get_profile mock fixtures to include a custom_attributes payload.
• Added one round-trip test in each describe block asserting the field is cast onto the struct.
• mix test and mix format --check-formatted clean.

[greptile-apps]

Greptile Summary

This PR adds custom_attributes to WorkOS.SSO.Profile, restoring access to IdP-issued claims (e.g. sid for front-channel logout) that were previously silently dropped by cast/1. The fix follows the exact same pattern already used in WorkOS.DirectorySync.Directory.User.

• lib/workos/sso/profile.ex — adds :custom_attributes to @type, defstruct, and cast/1 as an optional field (| nil, not enforced), exactly mirroring the directory user struct.
• test/support/sso_client_mock.ex — updates both profile mock fixtures to include a custom_attributes payload in the correct structural position.
• test/workos/sso_test.exs — adds one assertion per endpoint verifying the field round-trips through the cast.

Confidence Score: 5/5

Safe to merge — the change is a small, additive field that cannot break existing callers.

The field is optional (not in @enforce_keys, defaults to nil), so existing code that constructs or pattern-matches on Profile structs is unaffected. The cast simply reads an additional key from the API map, which is a no-op when absent. Mock fixtures and tests are updated consistently and cover both endpoints.

No files require special attention.

Important Files Changed

Filename	Overview
lib/workos/sso/profile.ex	Adds custom_attributes field to type spec, defstruct, and cast/1; correctly marked optional (not in @enforce_keys, typed `
test/support/sso_client_mock.ex	Extends both get_profile_and_token and get_profile mock fixtures with a custom_attributes payload; placement is correct — inside the "profile" map for get_profile_and_token and at the top level for get_profile.
test/workos/sso_test.exs	Adds one round-trip test per describe block asserting the custom_attributes field is cast correctly onto the struct; tests are consistent with the existing test style.

Sequence Diagram

sequenceDiagram
    participant App
    participant WorkOS.SSO
    participant API as WorkOS API

    App->>WorkOS.SSO: get_profile_and_token(code)
    WorkOS.SSO->>API: POST /sso/token
    API-->>WorkOS.SSO: "{access_token, profile: {…, custom_attributes}}"
    WorkOS.SSO->>WorkOS.SSO: ProfileAndToken.cast(map)
    WorkOS.SSO->>WorkOS.SSO: Profile.cast(map["profile"])
    Note over WorkOS.SSO: Now maps map["custom_attributes"]
    WorkOS.SSO-->>App: "{:ok, %ProfileAndToken{profile: %Profile{custom_attributes: …}}}"

    App->>WorkOS.SSO: get_profile(access_token)
    WorkOS.SSO->>API: GET /sso/profile
    API-->>WorkOS.SSO: "{…, custom_attributes}"
    WorkOS.SSO->>WorkOS.SSO: Profile.cast(map)
    Note over WorkOS.SSO: Now maps map["custom_attributes"]
    WorkOS.SSO-->>App: "{:ok, %Profile{custom_attributes: …}}"

Loading

_{Reviews (1): Last reviewed commit: "fix: include custom_attributes on SSO Pr..." | Re-trigger Greptile}

[gjtorikian]

great, thanks!