Custom Claims in Flows
Descope supports custom claims to restrict data based on user privileges, or to provide easy access to information on the client side without having to query your backend.
For example, a school application could use a custom claim to display different data to different types of users, such as Administrators, Teachers, and Students.
If a custom claim is modified and the key is not currently in the JWT, Descope will add the custom claim to the JWT. If a custom claim is modified and the key already exists, it will override the value.
Descope Flows can add additional custom claims to the user's JWT during the execution of a Descope flow. This can be done during the initial authentication flow, or can be done via a step-up or similar flow.
When implementing custom claims, it's important to maintain proper security to avoid your claims being exposed. See our [guide](/security-best-practices/custom-claims) on how to accomplish that.
Add the Custom Claims Action
To add custom claims within your Descope flow, open the flow to which you want to add them. Then click the add button on the bottom left, search for the action "Custom Claims," and add it to your flow.
Configure the Custom Claims Action
Within the custom claims simple configuration, you can add string, boolean, numerical, or dynamic values and assign them to your desired keys. The dynamic values are populated from the data Descope has available about the user.
You can also use the advanced configuration by clicking Advanced within the custom claims action. There you can work with the custom claims as a JSON object. For an example of using the advanced configuration, look at our JWT Template Guide.
Save and Attach the Action
Click done on the action, then add it to the flow after the user has been verified. In this example, we will add it just before the end of the flow.
Test the Descope Flow
We can then test it within the sample app on the getting started screen.
The advanced custom claims configured are now added to the user's session JWT.
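Once a custom claim is in the session JWT, anyone holding the token can read it, so a backend should act on the claim only after verifying the token's signature. The following added example (not Descope's code or SDK) shows both points in plain Node.js; the RS256 key pair, the tokens, and the top-level `role` claim carrying the school roles are constructed assumptions.

```javascript
// Added example, not Descope's code: act on a custom claim only after verifying
// the token. The key pair, tokens and top-level "role" claim are constructed.
const { generateKeyPairSync, sign, verify } = require('crypto');

const b64url = (input) => Buffer.from(input).toString('base64url');
const parsePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Demo-only issuer standing in for the identity provider that signs the session JWT.
function issueToken(claims, privateKey) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Anyone holding the token can read every claim without any key.
function readClaimsUnverified(token) {
  return parsePart(token.split('.')[1]);
}

// Backend check: pin the algorithm, verify the signature, then use the claim.
function authorize(token, publicKey, allowedRoles, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  let header, claims;
  try {
    if (parts.length !== 3) throw new Error('expected three parts');
    header = parsePart(parts[0]);
    claims = parsePart(parts[1]);
    if (!header || !claims) throw new Error('expected JSON objects');
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (header.alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!verify('RSA-SHA256', signed, publicKey, Buffer.from(parts[2], 'base64url'))) {
    return { ok: false, reason: 'bad signature' };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  if (!allowedRoles.includes(claims.role)) return { ok: false, reason: 'role not allowed' };
  return { ok: true, role: claims.role };
}

// Constructed sample data.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const exp = Math.floor(Date.now() / 1000) + 600;
const studentToken = issueToken({ sub: 'user-1', role: 'Student', exp }, privateKey);
// Same token with the payload edited after signing; the signature no longer matches.
const [h, , s] = studentToken.split('.');
const editedToken = `${h}.${b64url(JSON.stringify({ sub: 'user-1', role: 'Administrator', exp }))}.${s}`;
console.log(authorize(studentToken, publicKey, ['Student', 'Teacher']));
console.log(authorize(editedToken, publicKey, ['Administrator']));
```

In production the verification key comes from your Descope project rather than being generated locally, and values that must stay confidential should not be placed in claims at all.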