Login_hint and id_token_hint

alin · September 23, 2018, 6:41am

Hi,

I want to use the login_hint and id_token_hint parameters as per OIDC standard but didnt understand how it works in real sceanrio.

Have any real use case?

Thanks
Alin

jmelberg · September 25, 2018, 12:05am

Hi @alin:

Both of the params you mentioned solve different use cases, but here is a simple example for why you’d want to use them:

I want to use the login_hint to pre-populate Okta’s login form with a user email address. This provides one less input step for the end-user, as they’ll only need to input their password.
If you want to terminate the user’s session in Okta, the /logout endpoint requires an id_token_hint (mapped to your identity token) parameter to locate the user. This is endpoint is commonly used after a token has expired and/or a user has requested to logout of an application.

Further, the OpenID Connect Core specification is incredibly helpful, and goes into significantly more detail.

Hope this helps!

alin · September 30, 2018, 11:01pm

Hi jmelberg,

thank you so much the reply and much appreciated. Now customer is asking to use login_hint=pairwise, so my question is how is pre populate this value into user login page when this value is encrypted?

Appreciate your help.

Thanks

Alin

jmelberg · October 1, 2018, 4:35pm

Hi @alin,

If you’re using a Custom Hosted Login Page, you can use the processCreds function to decrypt the username before passing it to Okta. Note that the username field will still contain the encrypted username value, which may confuse users.

const signIn = new OktaSignIn({
  ...
  processCreds: (creds) => {
    console.log(creds.username);
    // ENCRYPTED_USERNAME
    console.log(creds.password);
    // User's injected password
  }
});

system · January 12, 2024, 11:41pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.