OIDC Federated Applications
Note
Configuring additional federated applications (beyond the default) is a Pro+ feature.
Configure a Federated Application to use Descope as an OpenID Connect (OIDC) Identity Provider. Your application redirects users to Descope for authentication, Descope runs your configured flow, and returns a validated identity token. Standard OIDC protocol throughout — no custom auth logic required.
For a full list of Descope's OIDC endpoints and supported grant types, see the OIDC Endpoints Guide.
Creating an OIDC Application
Navigate to Applications and click + Application. Choose a template from the Application Library or create a Generic OIDC Application.
Provide an Application Name and optionally an Application ID and Description.

Configuring the Application
Once created, configure your application in the Descope Console:

Application details
| Setting | Details |
|---|---|
| Application Name | The display name for the application (can be updated). |
| Application ID | Unique identifier (cannot be changed). Available in flows as the ssoAppID variable for rendering app-specific logic. |
| Application Description | Optional description of the application's purpose. |
Identity provider settings
| Setting | Details |
|---|---|
| Flow Hosting URL | Where users are redirected for authentication. Defaults to https://auth.descope.io/<Project ID>?flow=sign-up-or-in. Configure using the gear icon — see Auth Hosting. |
| Issuer URL | Descope's identifier as the IdP: https://api.descope.com/<Project ID>. Use this for most OIDC configurations. |
| Discovery URL | Returns the full OIDC configuration as JSON: https://api.descope.com/<Project ID>/.well-known/openid-configuration. |
| Supported Claims | Additional claims to include in the Well-Known Configuration. Default claims include sub, name, email, and others. |
| Force Authentication | Forces flow execution even if the user is already signed in, equivalent to prompt=login. |
Custom domain
If you're using a custom domain, replace api.descope.com with your custom domain in the Issuer and Discovery URLs.
Configuring your OIDC client
Configure your OIDC client (Service Provider) with the following:
Required parameters
- Client ID: Your Descope Project ID (find it here)
- Client Secret: A Descope Access Key (create one here)
- Issuer or Discovery URL: Use one of these from your application configuration:
  - Issuer URL (recommended): https://api.descope.com/<Project ID>
  - Discovery URL: https://api.descope.com/<Project ID>/.well-known/openid-configuration
You can also configure endpoints individually:
| Endpoint | URL |
|---|---|
| Authorization | https://api.descope.com/oauth2/v1/authorize |
| Token | https://api.descope.com/oauth2/v1/token |
| Logout | https://api.descope.com/oauth2/v1/logout |
Scopes
| Scope | What it returns |
|---|---|
| openid | Required for OIDC authentication. |
| profile | User's profile data (name, picture, etc.). |
| email | User's email address. |
| phone | User's phone number. |
| descope.custom_claims | Custom claims you've configured. |
| descope.claims | User's tenants, roles, and permissions. |
Force Authentication
By default, users already signed in to Descope are redirected back without re-authenticating (standard SSO behavior). To force re-authentication, either include prompt=login in your /authorize request or enable Force Authentication in the application settings.
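The relying-party side of the configuration above, as an added example that is not Descope's own code: it reads a discovery document, builds the /authorize redirect (adding prompt=login when forced authentication is wanted), checks the callback against the session's state, and validates the ID token claims. The discovery document is a constructed sample modelled on the Well-Known configuration on this page, and PROJECT_ID and REDIRECT_URI are placeholders for your own values. Signature verification against jwks_uri is assumed to be done by your JWT library and is not reimplemented here.

```python
"""Added example (not Descope's own code): relying-party handling of a Descope
OIDC federated application. Discovery document and token payload are constructed
samples; PROJECT_ID and REDIRECT_URI are placeholders."""
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

PROJECT_ID = "P2_PLACEHOLDER_PROJECT_ID"            # placeholder: the Descope Project ID, used as client_id
REDIRECT_URI = "https://app.example.com/callback"   # placeholder: the callback registered for your client

# Constructed sample of GET <Issuer URL>/.well-known/openid-configuration,
# trimmed to the fields used below.
DISCOVERY_JSON = json.dumps({
    "issuer": f"https://api.descope.com/{PROJECT_ID}",
    "jwks_uri": f"https://api.descope.com/{PROJECT_ID}/.well-known/jwks.json",
    "authorization_endpoint": "https://api.descope.com/oauth2/v1/authorize",
    "token_endpoint": "https://api.descope.com/oauth2/v1/token",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def load_discovery(raw: str) -> dict:
    """Parse the discovery document and reject one this client cannot use."""
    doc = json.loads(raw)
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            raise ValueError(f"discovery document is missing {key}")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not advertise the authorization code flow")
    return doc


def new_session_values() -> tuple[str, str]:
    """Fresh state (binds the callback to this browser session) and nonce
    (binds the ID token to this request). Store both server-side per session."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorize_url(doc, client_id, redirect_uri, scopes, state, nonce, force_auth=False):
    """Compose the redirect to Descope. Only openid is mandatory; descope.claims and
    descope.custom_claims add the authorization and custom claims described on this page."""
    if "openid" not in scopes:
        raise ValueError("the openid scope is required for OIDC")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    if force_auth:
        params["prompt"] = "login"   # per-request equivalent of the console's Force Authentication setting
    return f"{doc['authorization_endpoint']}?{urlencode(params)}"


def check_callback(query: dict, expected_state: str) -> str:
    """Return the authorization code only if the callback belongs to this session."""
    if "error" in query:
        raise PermissionError(f"provider returned error: {query['error']}")
    if not hmac.compare_digest(query.get("state", "").encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback not bound to this session")
    code = query.get("code")
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def validate_id_token_claims(claims, doc, client_id, expected_nonce, now=None, leeway=60):
    """Relying-party checks on the ID token payload, run after the RS256 signature
    has been verified against jwks_uri by your JWT library (not shown here).
    Returns a list of problems; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != doc["issuer"]:
        problems.append("iss does not match the discovery issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("aud does not include this client_id")
    if claims.get("exp", 0) + leeway < now:
        problems.append("token has expired")
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        problems.append("iat is in the future")
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    if not claims.get("sub"):
        problems.append("sub is missing")
    return problems


if __name__ == "__main__":
    doc = load_discovery(DISCOVERY_JSON)
    state, nonce = new_session_values()
    print(build_authorize_url(doc, PROJECT_ID, REDIRECT_URI,
                              ["openid", "email", "descope.claims"], state, nonce, force_auth=True))
    # Constructed ID token payload as it would arrive after the code exchange.
    sample = {"iss": doc["issuer"], "aud": PROJECT_ID, "sub": "U2XDs389PTVB8xtfRlixPb4luUD7",
              "iat": int(time.time()) - 5, "exp": int(time.time()) + 3600, "nonce": nonce}
    print("problems:", validate_id_token_claims(sample, doc, PROJECT_ID, nonce))
```

The scopes list passed to build_authorize_url is the one described in the Scopes table; state and nonce must be generated per login attempt and kept server-side so that check_callback and validate_id_token_claims compare against values the attacker could not have chosen.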

Well-Known OIDC configuration
The Discovery URL returns a JSON document with all OIDC configuration details, allowing clients to configure themselves automatically:
```json
{
  "issuer": "https://api.descope.com/__ProjectID__",
  "jwks_uri": "https://api.descope.com/__ProjectID__/.well-known/jwks.json",
  "authorization_endpoint": "https://api.descope.com/oauth2/v1/authorize",
  "token_endpoint": "https://api.descope.com/oauth2/v1/token",
  "userinfo_endpoint": "https://api.descope.com/oauth2/v1/userinfo",
  "end_session_endpoint": "https://api.descope.com/oauth2/v1/logout",
  "revocation_endpoint": "https://api.descope.com/oauth2/v1/revoke",
  "response_types_supported": ["code"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "profile", "email", "phone"],
  "claims_supported": [
    "iss", "aud", "iat", "exp", "sub",
    "name", "email", "email_verified",
    "phone_number", "phone_number_verified", "picture"
  ],
  "token_endpoint_auth_methods_supported": []
}
```

Advanced configuration
Custom claims
Custom claims let you include application-specific user information in the ID token.
- Add the descope.custom_claims scope to your OIDC client configuration.
- Define the claims using one of these methods:
  - A Custom Claims action in your flow
  - JWT Templates
  - The Management SDK or API

Note
Custom claim names in your JWT must match exactly how they're referenced in your application.
Tenant, roles, and permissions
Add the descope.claims scope to include authorization information in the ID token. This returns the user's tenants, roles, and permissions in a tenants claim:
```json
{
  "sub": "U2XDs389PTVB8xtfRlixPb4luUD7",
  "email": "user@example.com",
  "tenants": {
    "<tenant_id>": {
      "permissions": ["SSO Admin", "User Admin"],
      "roles": ["Tenant Admin"]
    }
  }
}
```

See Role-based access control for configuring roles and permissions.
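Turning the tenants claim into authorization decisions, as an added example that is not Descope's own code: every check is scoped to one tenant id, and a missing claim or missing membership is a denial rather than a fall-through to another tenant's grants. The ID token payload is a constructed sample modelled on the one above; the tenant ids are placeholders.

```python
"""Added example (not Descope's own code): tenant-scoped role and permission
checks on the tenants claim that the descope.claims scope adds to the ID token.
The payload below is a constructed sample; tenant ids are placeholders."""
import json

# Constructed ID token payload, already signature-verified and claim-validated upstream.
SAMPLE_ID_TOKEN_PAYLOAD = """{
  "sub": "U2XDs389PTVB8xtfRlixPb4luUD7",
  "email": "user@example.com",
  "tenants": {
    "T_ACME_PLACEHOLDER": {"permissions": ["SSO Admin", "User Admin"], "roles": ["Tenant Admin"]},
    "T_GLOBEX_PLACEHOLDER": {"permissions": [], "roles": ["Viewer"]}
  }
}"""


def load_sample_claims() -> dict:
    """Parse the constructed payload the way a real token's payload would be parsed."""
    return json.loads(SAMPLE_ID_TOKEN_PAYLOAD)


def tenant_entry(claims: dict, tenant_id: str) -> dict:
    """The user's grants in one tenant. No tenants claim (scope not requested) or no
    membership in the requested tenant both end in a denial."""
    tenants = claims.get("tenants")
    if not isinstance(tenants, dict):
        raise PermissionError("token carries no tenants claim; was the descope.claims scope requested?")
    entry = tenants.get(tenant_id)
    if not isinstance(entry, dict):
        raise PermissionError(f"user is not a member of tenant {tenant_id}")
    return entry


def has_permission(claims: dict, tenant_id: str, permission: str) -> bool:
    """True only if the permission is granted in this tenant, not in some other one."""
    return permission in tenant_entry(claims, tenant_id).get("permissions", [])


def has_role(claims: dict, tenant_id: str, role: str) -> bool:
    return role in tenant_entry(claims, tenant_id).get("roles", [])


def check_permission(claims: dict, tenant_id: str, permission: str) -> tuple[bool, str]:
    """Decision plus reason, suitable for an authorization log line."""
    try:
        if has_permission(claims, tenant_id, permission):
            return True, "granted"
        return False, f"'{permission}' not granted in tenant {tenant_id}"
    except PermissionError as denial:
        return False, str(denial)


def require_permission(claims: dict, tenant_id: str, permission: str) -> None:
    allowed, reason = check_permission(claims, tenant_id, permission)
    if not allowed:
        raise PermissionError(f"{claims.get('sub')}: {reason}")


def user_tenants(claims: dict) -> list[str]:
    """Tenants the user may pick from, e.g. for a tenant selector after login."""
    tenants = claims.get("tenants")
    return sorted(tenants) if isinstance(tenants, dict) else []


if __name__ == "__main__":
    claims = load_sample_claims()
    print(user_tenants(claims))
    print(check_permission(claims, "T_ACME_PLACEHOLDER", "User Admin"))    # (True, 'granted')
    print(check_permission(claims, "T_GLOBEX_PLACEHOLDER", "User Admin"))  # denied: grant is tenant-scoped
    print(check_permission({"sub": "U1"}, "T_ACME_PLACEHOLDER", "User Admin"))  # denied: no tenants claim
```

The tenant id used in the check should come from the resource being accessed (the tenant that owns the record or the hostname), never from a user-supplied parameter alone; user_tenants is only for offering a choice, and the chosen value still goes through tenant_entry.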
Adding Claims to the Well-Known Configuration
Some OIDC clients (like Docebo) require specific claims to be listed in claims_supported. Add them in the Supported Claims setting of your application. The defaults are:
```json
["iss", "aud", "iat", "exp", "sub", "name", "email", "email_verified",
 "phone_number", "phone_number_verified", "picture", "family_name", "given_name"]
```
Flow Hosting
Configure the authentication page users see during the OIDC redirect using the gear icon next to Flow Hosting URL in your application settings.
See Auth Hosting for all available options — custom domains, styling, background images, and self-hosted flows.