Add provider_query_params to getAuthorizationUrl method (#1347)

## Summary
- Add `provider_query_params` parameter to SSO `getAuthorizationUrl`
method
- Implement consistent query string serialization with UserManagement
module
- Add comprehensive tests for the new functionality

## Changes
- **Interface**: Added `providerQueryParams` to
`SSOAuthorizationURLOptions`
- **Implementation**: Updated SSO class to handle provider query params
using `qs.stringify`
- **Tests**: Added test coverage for both populated and empty provider
query params
- **Compatibility**: Fixed empty `providerScopes` array handling to
maintain backward compatibility

## Test plan
- [x] All existing SSO tests pass
- [x] New provider query params tests pass
- [x] TypeScript compilation succeeds
- [x] Linting passes
- [x] Implementation matches UserManagement pattern

Resolves ENT-3776

Author: jonatascastro12

src/sso/__snapshots__/sso.spec.ts.snap

@@ -12,6 +12,8 @@ exports[`SSO SSO getAuthorizationUrl with no custom api hostname generates an au
 
 exports[`SSO SSO getAuthorizationUrl with no domain or provider throws an error for incomplete arguments 1`] = `"Incomplete arguments. Need to specify either a 'connection', 'organization', 'domain', or 'provider'."`;
 
+exports[`SSO SSO getAuthorizationUrl with providerScopes generates an authorize url with the provided provider scopes 1`] = `"https://api.workos.com/sso/authorize?client_id=proj_123&provider=Google&provider_scopes=profile&provider_scopes=email&provider_scopes=calendar&redirect_uri=example.com%2Fsso%2Fworkos%2Fcallback&response_type=code"`;
+
 exports[`SSO SSO getAuthorizationUrl with state generates an authorize url with the provided state 1`] = `"https://api.workos.com/sso/authorize?client_id=proj_123&domain=lyft.com&redirect_uri=example.com%2Fsso%2Fworkos%2Fcallback&response_type=code&state=custom+state"`;
 
 exports[`SSO SSO getProfileAndToken with all information provided sends a request to the WorkOS api for a profile 1`] = `"client_id=proj_123&client_secret=sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU&grant_type=authorization_code&code=authorization_code"`;

src/sso/interfaces/authorization-url-options.interface.ts

@@ -10,6 +10,7 @@ export interface SSOAuthorizationURLOptions {
   domainHint?: string;
   loginHint?: string;
   provider?: string;
+  providerQueryParams?: Record<string, string | boolean | number>;
   providerScopes?: string[];
   redirectUri: string;
   state?: string;

src/sso/sso.spec.ts

@@ -205,9 +205,7 @@ describe('SSO', () => {
             redirectUri: 'example.com/sso/workos/callback',
           });
 
-          expect(url).toMatchInlineSnapshot(
-            `"https://api.workos.com/sso/authorize?client_id=proj_123&provider=Google&provider_scopes=profile+email+calendar&redirect_uri=example.com%2Fsso%2Fworkos%2Fcallback&response_type=code"`,
-          );
+          expect(url).toMatchSnapshot();
         });
 
         it('handles empty provider scopes array', () => {
@@ -225,6 +223,42 @@ describe('SSO', () => {
           );
         });
       });
+
+      describe('with providerQueryParams', () => {
+        it('generates an authorize url with the provided provider query params', () => {
+          const workos = new WorkOS('sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU');
+
+          const url = workos.sso.getAuthorizationUrl({
+            provider: 'Google',
+            providerQueryParams: {
+              custom_param: 'custom_value',
+              another_param: 123,
+              bool_param: true,
+            },
+            clientId: 'proj_123',
+            redirectUri: 'example.com/sso/workos/callback',
+          });
+
+          expect(url).toMatchInlineSnapshot(
+            `"https://api.workos.com/sso/authorize?client_id=proj_123&provider=Google&provider_query_params%5Banother_param%5D=123&provider_query_params%5Bbool_param%5D=true&provider_query_params%5Bcustom_param%5D=custom_value&redirect_uri=example.com%2Fsso%2Fworkos%2Fcallback&response_type=code"`,
+          );
+        });
+
+        it('handles empty provider query params', () => {
+          const workos = new WorkOS('sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU');
+
+          const url = workos.sso.getAuthorizationUrl({
+            provider: 'Google',
+            providerQueryParams: {},
+            clientId: 'proj_123',
+            redirectUri: 'example.com/sso/workos/callback',
+          });
+
+          expect(url).toMatchInlineSnapshot(
+            `"https://api.workos.com/sso/authorize?client_id=proj_123&provider=Google&redirect_uri=example.com%2Fsso%2Fworkos%2Fcallback&response_type=code"`,
+          );
+        });
+      });
     });
 
     describe('getProfileAndToken', () => {

src/sso/sso.ts

@@ -1,3 +1,4 @@
+import qs from 'qs';
 import { UnknownRecord } from '../common/interfaces/unknown-record.interface';
 import { fetchAndDeserialize } from '../common/utils/fetch-and-deserialize';
 import { AutoPaginatable } from '../common/utils/pagination';
@@ -21,19 +22,19 @@ import {
   serializeListConnectionsOptions,
 } from './serializers';
 
-const toQueryString = (options: Record<string, string | undefined>): string => {
-  const searchParams = new URLSearchParams();
-  const keys = Object.keys(options).sort();
-
-  for (const key of keys) {
-    const value = options[key];
-
-    if (value) {
-      searchParams.append(key, value);
-    }
-  }
-
-  return searchParams.toString();
+const toQueryString = (
+  options: Record<
+    string,
+    string | string[] | Record<string, string | boolean | number> | undefined
+  >,
+): string => {
+  return qs.stringify(options, {
+    arrayFormat: 'repeat',
+    // sorts the keys alphabetically to maintain backwards compatibility
+    sort: (a, b) => a.localeCompare(b),
+    // encodes space as + instead of %20 to maintain backwards compatibility
+    format: 'RFC1738',
+  });
 };
 
 export class SSO {
@@ -71,6 +72,7 @@ export class SSO {
     loginHint,
     organization,
     provider,
+    providerQueryParams,
     providerScopes,
     redirectUri,
     state,
@@ -94,7 +96,8 @@ export class SSO {
       domain_hint: domainHint,
       login_hint: loginHint,
       provider,
-      provider_scopes: providerScopes?.join(' '),
+      provider_query_params: providerQueryParams,
+      provider_scopes: providerScopes,
       client_id: clientId,
       redirect_uri: redirectUri,
       response_type: 'code',