Share via

Entra External ID custom identity sign in with login_hint results in AADSTS165000 Token was not provided

Philip Hendry 110 Reputation points
2026-04-16T15:27:27.3933333+00:00

I have an Entra External ID external tenant (CIAM) with a custom identity provider configured using OIDC to an Auth0 identity provider on domain mydomain.uk.auth0.com. To isolate myself from any issues with my own code I'm using the sample code VanillaJSTestApp2.0 from the Microsoft Authentication Library for JS - the pop sample in particular.

With the custom IdP configured in the sign in/up user flow I can sign up and subsequently sign in using the "Sign in with Auth0" button that is available on the Microsoft sign in screen. This just works.

If I now make one small change to the configuration and add loginHint: "******@mydomain.uk.auth0.com" to the loginRequest then I'm correctly forwarded to Auth0 for authentication but on return to the CIAM tenant I'm presented an error:

AADSTS165000: Invalid Request: The request did not include the required tokens for the user context. One or more of the user context values (cookies; form fields; headers) were not supplied, every request must include these values and maintain them across a complete single user flow. The request did not return all of the form fields. Failure Reasons:[Token was not provided;]

The reason I want this to work is because I want to manage the UI and sign in experience myself so I want my own "Sign in with SSO" button which prompts the user for their email address and I'll look that up to see whether they're a configured federated domain in our own application before calling MSAL to sign in with the loginHint.

This may be a duplicate of Issue: AADSTS16500 when using domain_hint=Google and login_hint for direct Google login in Entra External ID and I would love to hear whether there's a bug fix in the pipeline. But I also have another issue which means the workaround for that bug does not work.

If I remove the login hint and instead replace it with a domain hint then when home realm discovery resolves the identity provider then I'm sent to okta.okta.com/app/office365 instead of mydomain.uk.auth0.com and I have no idea where okta.okta.com came from as it's not part of any configuration I've added! Coincidently the issuer from the .well-known endpoint from Auth0 is given as https://mydomain.uk.auth0.com/ with a trailing slash but if I use that verbatim as the issuer in the OIDC configuration in the Entra custom identity provider then that breaks the user flow and I'm redirected to okta.okta.com. Removing the trailing slash in the configuration seems to make it work.

So two problems:

  1. AADSTS16500 error when providing login hint
  2. Weird redirect to okta.okta.com when providing domain hint
Microsoft Security | Microsoft Entra | Microsoft Entra External ID

Answer accepted by question author

  1. VEMULA SRISAI 12,615 Reputation points Microsoft External Staff Moderator
    2026-04-28T18:24:55.7166667+00:00

    Philip Hendry Thank you for the clarification.

    Based on the current behavior of Microsoft Entra External ID, the login_hint scenario with custom OIDC identity providers is a known product limitation at present. There is no public tracking link or ETA that we can share through Q&A. For any confirmation on internal bug status or future roadmap, a support ticket would be required.

    Regarding domain_hint, this is also not a reliable or supported method today for forcing direct routing to a specific custom OIDC IdP in Entra External ID. Since it is handled through Home Realm Discovery, the routing may not consistently resolve to the intended provider, so this should not be considered a supported workaround.

    For your overall goal — one user flow dynamically selecting different custom OIDC providers based on the user’s email/domain — this is not currently supported in Entra External ID in the way you described. Today, the practical options are:

    • separate app/user flow combinations per federation, or
    • using an external broker/federation layer in front of Entra External ID.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-04-16T15:28:05.41+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Both behaviors are explained by how Microsoft Entra External ID handles hints and custom OIDC IdPs; they are current product limitations/behaviors rather than something that can be fixed purely in app code.

    1. AADSTS165000 when using login_hint

    For MSAL.js, login_hint is designed to hint a specific user account to Microsoft Entra ID so that:

    • the correct existing session can be found, and
    • the account picker can be bypassed.

    For browser apps, this is normally used as described in the MSAL.js SSO guidance:

    • Pass loginHint (email/UPN) to ssoSilent or interactive requests so Entra ID can preselect the right account and reuse the session cookie.
    • The hint is taken from the ID token (upn or username) and passed between apps to enable SSO.

    In External ID (CIAM) with a custom OIDC IdP, the sign-in flow is more complex because the user flow itself must maintain a set of form fields, cookies, and headers across the entire journey (including the redirect to the external IdP and back). The AADSTS165000 error:

    "The request did not include the required tokens for the user context... The request did not return all of the form fields. Failure Reasons:[Token was not provided;]"

    indicates that when login_hint is added, the CIAM user flow is not receiving all the expected context tokens back. This matches the known issue you referenced: using login_hint together with federated IdPs in External ID can break the user flow’s internal state and result in AADSTS165000.

    From the available guidance, the supported pattern for SSO with MSAL.js is:

    • Use login_hint, sid, or account as hints to Entra ID for account selection and silent SSO between apps.
    • For External ID with federated IdPs, the recommended hinting mechanism for routing to a specific IdP is domain_hint, not login_hint.

    Given that:

    • login_hint is not documented as a supported way to force a particular external IdP in External ID user flows, and
    • there is a known issue where login_hint + federated IdP can cause AADSTS165000,

    this scenario is currently a product limitation. The workaround is to:

    • Avoid using login_hint to drive IdP selection in External ID user flows.
    • Use domain_hint for IdP routing, and use login_hint only in standard MSAL.js SSO scenarios where the user is authenticated directly by Entra ID (not via a CIAM user flow with a custom IdP).
    1. Unexpected redirect to okta.okta.com when using domain_hint

    For External ID with federated IdPs, domain_hint is the supported way to send users directly to a specific IdP:

    • For social IdPs: domain_hint=facebook, google, apple.
    • For custom OIDC IdPs: domain_hint=<issuer URI domain>, e.g. "www.linkedin.com".
    • For custom OIDC backed by another Entra tenant: domain_hint=contoso.onmicrosoft.com.

    In your case, the correct pattern is:

    • Configure the custom OIDC IdP in External ID with the Auth0 Issuer URI.
    • Use the domain part of the Issuer URI as the domain_hint value.

    The behavior you observed:

    • Using the Issuer URI with a trailing slash in the IdP configuration causes the user flow to redirect to okta.okta.com/app/office365.
    • Removing the trailing slash in the Issuer configuration makes the user flow work correctly.

    This matches the documented requirement that for custom OIDC IdPs, the domain_hint must be the domain segment of the Issuer URI, and the configuration must be consistent. A trailing slash in the Issuer can cause incorrect parsing or matching of the issuer/domain, which in turn can route the request to an unexpected IdP (in your case, an Okta Office 365 app) if that issuer/domain pattern matches some internal federation configuration.

    So for stable behavior:

    • Ensure the custom OIDC IdP Issuer URI in External ID does not include an extra trailing slash if that breaks the user flow.
    • Use the domain portion of that Issuer URI (without protocol and without trailing slash) as the domain_hint value.
    1. Practical guidance for your scenario (custom “Sign in with SSO” button)

    Given the current behavior:

    • To implement a custom “Sign in with SSO” button that:
      • collects the user’s email,
      • determines whether the domain is federated,
      • and then routes to the correct IdP,
      use this pattern:
      1. Look up the user’s email domain in your own app logic.
      2. If it maps to your Auth0-based custom OIDC IdP, call MSAL with a request that includes the appropriate domain_hint (the domain part of the Auth0 Issuer URI), not login_hint, to drive home realm discovery.
      3. Let the External ID user flow handle the redirect to Auth0 and back.
    • Use login_hint only for standard MSAL.js SSO scenarios where the user is authenticated directly by Entra ID and you are not traversing an External ID user flow with a federated IdP.

    If the AADSTS165000 behavior with login_hint in External ID + custom OIDC is blocking a required scenario, the next step is to treat it as a product bug/limitation and open a support case, referencing the known issue and the error code, so it can be tracked and addressed by the product team.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.