Add support for login_hint in authorization url generation (#4943)

odelcroi · mcalinghee · web-flow · commit 2b46579bd8e1 · 2025-08-18T15:06:59.000Z
* add login_hint to authorization url generation

Signed-off-by: olivier &lt;odelcroi@gmail.com&gt;

Signed-off-by: olivier &lt;odelcroi@gmail.com&gt;

fix lint

Signed-off-by: olivier &lt;odelcroi@gmail.com&gt;

* update doc

* fix linter

---------

Signed-off-by: olivier &lt;odelcroi@gmail.com&gt;
Co-authored-by: mcalinghee &lt;mcalinghee.dev@gmail.com&gt;
diff --git a/spec/unit/oidc/authorize.spec.ts b/spec/unit/oidc/authorize.spec.ts
@@ -164,6 +164,23 @@ describe("oidc authorization", () => {
 
             expect(authUrl.searchParams.get("prompt")).toEqual("create");
         });
+
+        it("should generate url with login_hint", async () => {
+            const nonce = "abc123";
+
+            const authUrl = new URL(
+                await generateOidcAuthorizationUrl({
+                    metadata: delegatedAuthConfig,
+                    homeserverUrl: baseUrl,
+                    clientId,
+                    redirectUri: baseUrl,
+                    nonce,
+                    loginHint: "login1234",
+                }),
+            );
+
+            expect(authUrl.searchParams.get("login_hint")).toEqual("login1234");
+        });
     });
 
     describe("completeAuthorizationCodeGrant", () => {
diff --git a/src/oidc/authorize.ts b/src/oidc/authorize.ts
@@ -125,6 +125,8 @@ export const generateAuthorizationUrl = async (
  * @param prompt - indicates to the OP which flow the user should see - eg login or registration
  *          See https://openid.net/specs/openid-connect-prompt-create-1_0.html#name-prompt-parameter
  * @param urlState - value to append to the opaque state identifier to uniquely identify the callback
+ * @param loginHint - value to send as the `login_hint` to the OP, giving a hint about the login identifier the user might use to log in.
+ *          See {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest OIDC core 3.1.2.1}.
  * @returns a Promise with the url as a string
  */
 export const generateOidcAuthorizationUrl = async ({
@@ -136,6 +138,7 @@ export const generateOidcAuthorizationUrl = async ({
     nonce,
     prompt,
     urlState,
+    loginHint,
 }: {
     clientId: string;
     metadata: ValidatedAuthMetadata;
@@ -145,6 +148,7 @@ export const generateOidcAuthorizationUrl = async ({
     nonce: string;
     prompt?: string;
     urlState?: string;
+    loginHint?: string;
 }): Promise<string> => {
     const scope = generateScope();
     const oidcClient = new OidcClient({
@@ -163,6 +167,7 @@ export const generateOidcAuthorizationUrl = async ({
         nonce,
         prompt,
         url_state: urlState,
+        login_hint: loginHint,
     });
 
     return request.url;
