Login_hint and id_token_hint


I want to use the login_hint and id_token_hint parameters as per the OIDC standard but didn't understand how they work in a real scenario.

Is there any real use case?


Hi @alin:

Both of the params you mentioned solve different use cases, but here is a simple example for why you’d want to use them:

  1. I want to use the login_hint to pre-populate Okta’s login form with a user email address. This provides one less input step for the end-user, as they’ll only need to input their password.
  2. If you want to terminate the user’s session in Okta, the /logout endpoint requires an id_token_hint (mapped to your identity token) parameter to locate the user. This endpoint is commonly used after a token has expired and/or a user has requested to log out of an application.

Further, the OpenID Connect Core specification is incredibly helpful, and goes into significantly more detail.

Hope this helps!
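
The two requests described in the reply above, as an added example that is not part of the original post. The issuer, client ID, redirect URIs and function names are placeholder assumptions, and the ID token is assumed to be a signed compact JWT.

```javascript
// Placeholder values (assumptions, not taken from the thread).
const ISSUER = 'https://example.okta.com/oauth2/default';
const CLIENT_ID = 'constructed-client-id';

// Authorization request. login_hint only pre-fills the identifier field on
// the login form; it proves nothing, and the user still has to authenticate.
function buildAuthorizeUrl({ loginHint, redirectUri, state, nonce }) {
  const params = {
    client_id: CLIENT_ID,
    response_type: 'code',
    scope: 'openid profile',
    redirect_uri: redirectUri,
    state, // caller generates a random value and checks it on the callback
    nonce, // caller generates a random value and checks it in the ID token
  };
  if (loginHint) params.login_hint = loginHint; // optional parameter
  const url = new URL(`${ISSUER}/v1/authorize`);
  url.search = new URLSearchParams(params).toString(); // percent-encodes values
  return url.toString();
}

// Logout request. id_token_hint carries the raw ID token previously issued to
// this client so the provider can locate the session to terminate.
function buildLogoutUrl({ idToken, postLogoutRedirectUri, state }) {
  // Reject anything that is not shaped like header.payload.signature.
  if (typeof idToken !== 'string' || idToken.split('.').length !== 3) {
    throw new Error('id_token_hint must be a compact JWT');
  }
  const url = new URL(`${ISSUER}/v1/logout`);
  url.search = new URLSearchParams({
    id_token_hint: idToken,
    post_logout_redirect_uri: postLogoutRedirectUri,
    state,
  }).toString();
  return url.toString();
}
```

The ID token ends up in a URL here, so it can appear in browser history and proxy logs; keep its contents minimal and its lifetime short.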

Hi jmelberg,

Thank you so much for the reply, much appreciated. Now the customer is asking to use login_hint=pairwise, so my question is: how do I pre-populate this value into the user login page when this value is encrypted?

Appreciate your help.



Hi @alin,

If you’re using a Custom Hosted Login Page, you can use the processCreds function to decrypt the username before passing it to Okta. Note that the username field will still contain the encrypted username value, which may confuse users.

const signIn = new OktaSignIn({
  processCreds: (creds) => {
    // User's injected password