A login_hint_token is a JWT that provides a way for the client to identify and authenticate the end-user without needing to encode the entire authentication request in a signed JWT. The following information describes the OIDC parameters and the steps for generating and signing the token.

Prerequisites

  1. Install a JWT token generator.

  2. Retrieve the environment id property value associated with your worker application and user.

  3. Retrieve the clientId and clientSecret property values for the worker application.

  4. Retrieve the id or username property value of the user with whom this token will be associated.

Generate a signed token

The command to generate the login_hint_token JWT takes the following parameters:

Parameter | Description
Signing algorithm | The JWT signing algorithm. The option for the login_hint_token JWT is HS256.
Signing key | The signing key for the login_hint_token JWT, which is the application’s clientSecret property value.
Expiration | The expiration date, expressed as the number of seconds from the time of creation. The typical value is 3600 seconds.
--claims | Specifies the claims required by the token:
  • iss: A string that specifies the application ID of the issuer creating the token.
  • sub: A string that specifies the identifier for the authenticated user (for example, the id or username property value).
  • iat: An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token was originally issued.
  • exp: An integer that specifies the timestamp, measured in the number of seconds since January 1, 1970, UTC, indicating when this token will expire.
  • aud: A string that specifies the intended audience for this token.
  1. Run the JWT token generator, providing the information above.
  2. Record the token returned successfully by the command to use as the value of the login_hint_token property in the authorize request.
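
The steps above, as an added example that is not part of the original documentation: it builds the HS256 login_hint_token with the five listed claims using only the Python standard library in place of a JWT generator tool, and includes a verification routine that checks the algorithm, signature, expiry, and audience. The function names are hypothetical, and the audience value is a placeholder because the page does not state it.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    # JWS segments are base64url-encoded without "=" padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: str, signing_input: str) -> bytes:
    # HS256 = HMAC-SHA256 keyed with the application's clientSecret
    return hmac.new(secret.encode(), signing_input.encode("ascii"), hashlib.sha256).digest()

def make_login_hint_token(client_id, client_secret, subject, audience,
                          lifetime=3600, now=None):
    iat = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": subject, "aud": audience,
              "iat": iat, "exp": iat + lifetime}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    return signing_input + "." + b64url(sign(client_secret, signing_input))

def check_login_hint_token(token, client_secret, audience, now=None):
    """Return the claims if the token verifies; raise ValueError otherwise."""
    head, body, sig = token.split(".")  # wrong segment count raises ValueError
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
    expected = sign(client_secret, head + "." + body)
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    current = int(time.time() if now is None else now)
    if claims["exp"] <= current:
        raise ValueError("token expired")
    if claims["aud"] != audience:
        raise ValueError("wrong audience")
    return claims

if __name__ == "__main__":
    # Placeholders, not real values; load the clientSecret from a secret store
    # or environment variable rather than source code or shell history.
    print(make_login_hint_token("<clientId>", "<clientSecret>",
                                "<user id or username>", "<audience>"))
```

Because the signing key is the clientSecret itself, anyone holding that secret can mint a hint for any sub value, so treat it with the same care as any other application credential.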