A login_hint_token is a JWT that provides a way for the client to identify and authenticate the end-user without needing to encode the entire authentication request in a signed JWT. The following information describes the OIDC parameters and the steps for generating and signing the token.

Prerequisites

  1. Install a JWT token generator such as jwtgen globally using npm install -g jwtgen. This action requires npm.

  2. Retrieve the environment id property value associated with your worker application and user.

  3. Retrieve the clientId and clientSecret property values for the worker application.

  4. Retrieve the user ID id or username property value for whom this token will be associated.

Generate a signed token

The command to generate the login_hint_token JWT takes the following parameters:

Parameter Description
-a Specifies the JWT signing algorithm. Options are HS256.
-s Specifies the signing key, which is the application’s clientSecret property value.
-e Specifies the expiration date, expressed as the number of seconds from the time of creation. The typical value is 3600 seconds.
--claims Specifies the claims required by the token:
  • iss: A string that specifies the application ID of the issuer creating the token
  • sub: A string that specifies the identifier for the authenticated user (for example, the id or username property value).
  • iat: An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token was originally issued.
  • exp: An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire.
  • aud: A string that specifies the intended audience for this token.
  1. Run the jwtgen command.
jwtgen -a "HS256" -s "YOUR_CLIENT_SECRET" -e 3600 --claims '{
"iss":"YOUR_CLIENT_ID",
"sub":"YOUR_USER_ID_OR_USERNAME",
"iat":1300819380,
"exp":1300819391,
"aud":"https://auth.pingone.com/YOUR_ENVIRONMENT_ID/as"
}'
  1. Record the token returned successfully by the command to use as the value of the login_hint_token property in the authorize request.