Skip to main content

Common use cases

In this section, we will provide some examples to help you understand some scenarios where custom token claims can be useful, offering you some references. This way, when you encounter difficulties in access management, you can assess whether custom token claims can bring you convenience.

Make attribute-based access control (ABAC) possible​

Attribute-based access control (ABAC) is an access control model that uses attributes (such as user roles, resource properties, and environmental conditions) to make access control decisions. It is a flexible and dynamic way to manage access to protected resources.

Suppose you are building an app, and the app's release is divided into two phases: public beta and official launch. Even after the app officially launches, you want old users who participated in the public beta to continue using the paid features.

After the app officially launches, you use Logto's role-baed access control (RBAC) feature to implement access control for the use of paid features. To easily check whether a user was already using the app during the public beta phase, you can use the getCustomJwtClaims() method to add a claim createdAt in the token payload.

Then, when doing access control in your protected APIs, you need to allow access tokens that meet either of the following conditions:

  1. With the RBAC context, having the scope for accessing paid resources.
  2. The createdAt is earlier than the end time of the public beta phase.

If there is no custom token claims feature, when verifying permissions for protected API resources, it is necessary to call the Logto Management API to check whether the user with the current access token has the permissions corresponding to the role required by a certain API resource.

In a similar scenario, suppose your app displays birthday wishes on the login page if the user's birthday is approaching. You can use custom token claims to add a birthday field to the token payload, which can be used to determine whether to display a specific message.

Manually block token issuance​

Suppose Joe is running an online game and uses Logto as an identity and access management (IAM) system.

Assume this game requires top-ups to purchase game time. Joe records each user's balance in his game service and continuously deducts from the balance as game time accumulates. Joe wants to force players to log out when their account balance is depleted to encourage them to recharge.

At this point, Joe can also use the custom token claims feature provided by Logto to achieve this:

  1. In the script, an external API call fetch external data can be used to retrieve the current player's balance from Joe's game server.
  2. If the balance is less than or equal to 0, the api.denyAccess() method can be used to block token issuance.

At this time, since a new valid access token cannot be obtained, the player will be forcibly logged out of the game.