3rd Party Applications
Descope provides a streamlined way for your existing user base to sign in to third-party applications using OAuth and OpenID Connect. This setup empowers your users to decide what personal information is shared with each application, how much access those applications have, and which actions they can perform on the user’s behalf.
By centralizing consent and permissions under Descope, you can simplify integration with external services while giving your users clear control over their data and privacy.
Creating a 3rd Party App
To configure a 3rd party application within Descope, navigate to the 3rd Party Applications page and select + Add 3rd Party App. When creating the 3rd Party App, you can set the name and description, which you can edit later.
Once you have created your third-party application, you can configure it. The configuration is split into several sections: 3rd Party App Details, Scopes, Connection Information, and Consents.
3rd Party App Details
Within this section, you can find and configure the information regarding your application below.
- Logo (Optional): You can upload a logo for the third-party application by clicking the edit button on the logo. The consent flow for your application will utilize the uploaded logo.
- 3rd Party App Name (Required): This is the configurable name of the application.
- Description (Optional): This is the chosen description of your application, and it is editable.
- 3rd Party App ID: This system-generated unique identifier for the created application cannot be configured or altered.
Scopes
Within this section, you will define the applicable scopes for your application. Descope's 3rd Party Application scopes include Permission Scopes and User Information scopes.
Permission Scopes
Here, you will configure the permission-based scopes that allow your 3rd party application to act on the user or tenant's behalf. The applicable roles are required to define these scopes if you are utilizing Descope's RBAC authorization for these permissions.
- Name (Required): This is the name of the permission scope that will be included in the tokens and utilized to ensure the token has the correct scopes to act on behalf of the user or tenant.
- Description (Required): This is the description of what the scope allows the application to do on the user or tenant's behalf.
- Roles (Optional): The applicable roles are required to define these scopes if you are utilizing Descope's RBAC authorization for these permissions.
User Information Scopes
Here, you will configure the user information scopes that allow your 3rd party application to gather information about the authorizing user. These scopes support both out-of-the-box Descope user attributes and custom user attributes.
- Name (Required): This is the name of the user information scope that will be included in the tokens shared with the application.
- Description (Required): This describes the user information to which the scope allows the application access.
- User Attribute (Required): The applicable user attribute to map to the scope.
Connection Information
Within the connection information section of the configuration, you can set the hosting URL, approve callback URLs, and copy system-generated configuration information to integrate with your application.
Note
If you have a custom domain configured, the system-generated URLs within this section will include your custom CNAME rather than api.descope.com.
- Flow Hosting URL (Required): This tells the application where your consent flow is hosted. The flow can be hosted on api.descope.com, your custom CNAME, or you can host the flow yourself.
- Approved 3rd Party Callback URLs (Optional): These are specific web addresses that Descope will allow to redirect users back to the application after authenticating.
- Client ID (System Generated): Identifier for the client or service provider.
- Client Secret (System Generated): A secret shared between the app and the authorization server.
- Discovery URL (System Generated): This URL returns a JSON listing of the OpenID/OAuth endpoints, supported scopes, claims, public keys used to sign the tokens and other details. Clients can use this information to construct a request to the OpenID server.
- Issuer (System Generated): A verifiable identifier for an issuer containing all of the information in the discovery URL. An issuer identifier is a case-sensitive URL that uses the HTTPS scheme and contains scheme, host, and optionally port number and path components but no query or fragment components.
- Authorization URL (System Generated): Endpoint for application authorization requests. This is the Descope API URL to the Authorization endpoint: https://api.descope.com/oauth2/v1/apps/authorize.
- Access Token URL (System Generated): The endpoint to get the access token. This is the Descope API URL to the Access Token endpoint: https://api.descope.com/oauth2/v1/apps/token.
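The sketch below is an added example, not Descope's own code: it shows how a third-party client could check the Issuer and discovery metadata described above before using them, and refuse to start an authorization request with a callback that is not on the approved list. It assumes the standard OAuth authorization code parameters and OpenID discovery field names; the issuer path, client ID, callback URL and the `contacts:read` scope are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit

def check_issuer(issuer):
    """Issuer rules from the text: https URL with a host, no query or fragment."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("issuer must be an https URL with a host")
    if "?" in issuer or "#" in issuer:
        raise ValueError("issuer must not contain a query or fragment")
    return issuer

def check_discovery(doc, expected_issuer):
    """Trust discovery metadata only if it names the issuer that was configured."""
    check_issuer(expected_issuer)
    if doc.get("issuer") != expected_issuer:  # exact, case-sensitive comparison
        raise ValueError("issuer in discovery document does not match")
    for key in ("authorization_endpoint", "token_endpoint"):
        if urlsplit(doc.get(key) or "").scheme != "https":
            raise ValueError(f"{key} is missing or not https")
    return doc

def build_authorization_url(doc, client_id, redirect_uri, scopes, approved_callbacks):
    """Return (url, state); redirect_uri must exactly match an approved callback."""
    if redirect_uri not in approved_callbacks:
        raise ValueError("redirect_uri is not an approved callback URL")
    state = secrets.token_urlsafe(32)  # store it; reject callbacks whose state differs
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{doc['authorization_endpoint']}?{query}", state

# Constructed sample values (placeholders, not real Descope output).
ISSUER = "https://api.descope.com/EXAMPLE_ISSUER_PATH"
DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": "https://api.descope.com/oauth2/v1/apps/authorize",
    "token_endpoint": "https://api.descope.com/oauth2/v1/apps/token",
}
APPROVED = ["https://thirdparty.example/oauth/callback"]

if __name__ == "__main__":
    check_discovery(DISCOVERY, ISSUER)
    url, state = build_authorization_url(
        DISCOVERY, "EXAMPLE_CLIENT_ID", APPROVED[0], ["openid", "contacts:read"], APPROVED)
    print(url)
```
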
Consents
The consent section of the console shows details of the users who have granted consent to the third-party application.
- Consent ID: System-generated ID pairing that user's consent to the application.
- Scopes: The scopes that the user has consented to for the application.
- Associated User: The user ID of the user who is associated with the consent.
- Associated Tenant: The tenant ID of the tenant associated with the consent.
- Granting User: The user ID of the user who granted the consent.
- Creation Time: The time at which the consent was created.