AADSTS165000 "Token was not provided" when login_hint is sent to a CIAM user flow federating to a custom OpenID Connect IdP

Question

AADSTS165000 "Token was not provided" when login_hint is sent to a CIAM user flow federating to a custom OpenID Connect IdP

Alberto Molina Martínez 0

Environment

Microsoft Entra External ID (CIAM / external tenant).
A server-side web app signs users in via OIDC (Authorization Code + PKCE) against the external tenant.
One identity provider is a custom OpenID Connect IdP that federates to another Microsoft Entra (workforce) tenant: well-known endpoint https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration, response type code. It is added to the Sign up / Sign in user flow.

Problem

When the app starts the authorization request and includes login_hint=<user email>, the sign-in intermittently fails on the return leg of the federation with:

AADSTS165000: Invalid Request: The request did not include the required tokens for the user context. One or more of the user context values (cookies; form fields; headers) were not supplied... Failure Reasons:[Token was not provided;]

raised at https://<tenant>.ciamlogin.com/<tenant-id>/federation/oauth2.

The same flow works reliably without login_hint, and also works when the user already has an active session at the upstream IdP (the federation round-trip is then immediate). It reproduces on a cold sign-in (no upstream session) when login_hint is present.

Steps to reproduce

Clean browser session (no session at login.microsoftonline.com).
Start Authorization Code + PKCE to the external tenant /authorize for the app, including login_hint=<user@federated-domain>.
The user flow federates to the custom OIDC IdP; the user authenticates upstream.
On the POST back to .../federation/oauth2, it fails with AADSTS165000.

Removing login_hint (everything else identical) makes it succeed.

What I already tried

Removing login_hint -> works (current workaround).
domain_hint=<verified domain> -> appears to be ignored for the custom OIDC IdP (no acceleration; the user-flow selection page is shown).
idp=<identityProviderObjectId> -> ignored on a cold session (only acts when a session already exists).
Typing the email directly on the user-flow page -> Home Realm Discovery routes correctly to the org IdP (works).

Questions

Is the AADSTS165000 failure when login_hint is supplied to a user flow that federates to a custom OpenID Connect IdP a known limitation/bug? If so, current status and ETA for a fix?
What is the supported way to deep-link / accelerate sign-in directly to a specific custom OIDC IdP (route by the user's email domain to that organization's SSO, without showing the IdP selector), given that login_hint breaks and domain_hint/idp do not accelerate for custom OIDC? Is domain_hint support for custom OpenID Connect IdPs currently GA, in preview, or on the roadmap (with a target date)?
For a multi-tenant scenario (each customer organization = a separate custom OIDC federation): is there a supported way to associate a verified domain with a custom OIDC IdP so that Home Realm Discovery routes to it without exposing that IdP as a visible tile/button on the hosted user-flow page (to avoid revealing the customer list)?
If domain-based acceleration to a custom OIDC IdP is not currently supported, what is the recommended architecture to achieve "email -> route to the user's organization SSO" in Entra External ID (CIAM)?

Tenant ID and correlation IDs can be shared privately on request.

Shubham Sharma 17,425 Reputation points Microsoft External Staff Moderator

2026-06-08T02:23:39.89+00:00
Hey Alberto, thanks for all the detail. Here’s a summary of what’s happening and your options:

Known limitation • When you add login_hint to a CIAM user flow that federates to a custom OpenID Connect IdP, the federation endpoint can’t process the hint on a cold session and throws AADSTS165000. This is a current product limitation in External ID (CIAM). There’s no public ETA for a fix right now.

Deep-linking to a custom OIDC IdP • Built-in social and Azure AD/SAML IdPs in CIAM user flows honor domain_hint (and idp) on cold sessions; custom OIDC IdPs do not. The idp parameter only works if the user already has an active session upstream. • If you need to deep-link today in a user flow, your supported path is to switch that federation to SAML/WS-Fed direct federation (domainless or domain_hint), which does support direct routing.

Domain-to-IdP mapping without showing the tile • CIAM user flows don’t let you associate verified domains with a custom OIDC IdP or hide its button—there’s no Domains field for custom OIDC today. You’d need to adopt a custom policy instead of a user flow to build behind-the-scenes home-realm logic, or use SAML direct federation in domainless mode.

Recommended architecture for email → organization SSO Option A: Handle HRD in your app – Present a small “enter your email” screen, map the domain to an IdP, then redirect to – Note: idp only sticks if there’s an existing session, so you’ll still get the tile on a cold session. Option B: Use a custom policy in Entra B2C (CIAM) – Custom policies let you configure generic OIDC identity providers with domain_hint support and hide the selector entirely. Option C: Switch to SAML/WS-Fed direct federation – SAML direct federation in domainless mode lets you route by Issuer URI or domain_hint without showing a selector.

Hope that helps you decide your next steps!

References:

https://learn.microsoft.com/entra/external-id/direct-federation

https://learn.microsoft.com/azure/active-directory-b2c/identity-provider-generic-openid-connect

https://learn.microsoft.com/entra/identity-platform/v2-protocols-oidc
Shubham Sharma 17,425 Reputation points Microsoft External Staff Moderator

2026-06-09T04:25:48.79+00:00

Alberto Molina Martínez

Following up to check if the resolution provided was helpful. Let us know if you need any further assistance.

1 answer

Your answer

Shubham Sharma 17,425 Reputation points Microsoft External Staff Moderator

2026-06-09T04:25:48.79+00:00

Alberto Molina Martínez

Following up to check if the resolution provided was helpful. Let us know if you need any further assistance.

Answer 1

The behavior described (AADSTS165000 when using login_hint with a CIAM user flow that federates to a custom OpenID Connect IdP) is not documented in the provided material as a known limitation or bug, and there is no information about status or ETA for a fix.

From the available documentation, only the following points are supported:

login_hint and domain_hint behavior

login_hint is documented as an optional parameter that can be used to prefill the username/email field on the Microsoft identity platform sign-in page, typically for reauthentication scenarios, by reusing a previously obtained login_hint optional claim.
domain_hint is documented as an optional parameter that can be used to skip email-based discovery for federated directories and streamline sign-in, especially when tenants are federated through on-premises directories like AD FS.
The documentation does not state that login_hint or domain_hint are supported as a way to deep-link directly into a specific custom OpenID Connect IdP in Microsoft Entra External ID user flows, nor does it describe any special handling for custom OIDC IdPs in CIAM.

Supported way to add and use custom OpenID Connect IdPs in External ID

The documented and supported pattern for custom OpenID Connect federation in Microsoft Entra External ID is:

Configure the custom OIDC IdP in the external tenant:
- In the Entra admin center, go to Entra ID → External Identities → All identity providers.
- On the Custom tab, select Add new → Open ID Connect.
- Provide:
  - Display name (shown to users on sign-in/sign-up).
  - Well-known endpoint (OIDC discovery URI) that exposes issuer, authorization_endpoint, token_endpoint, token_endpoint_auth_methods_supported, response_types_supported, subject_types_supported, and jwks_uri.
  - OpenID Issuer URI` matching the external IdP’s issuer.
Add the custom OIDC IdP to a user flow:
- In the external tenant, go to Entra ID → External Identities → User flows.
- Open the target sign-up/sign-in user flow.
- Under Settings → Identity providers, select the OIDC identity provider under Other Identity Providers and save.
Once added, the IdP appears as a selectable option (tile/button) on the user-flow sign-in page. The documentation only describes this tile-based selection model for custom OIDC IdPs.

There is no documented mechanism in this material to:

Associate a verified domain with a specific custom OIDC IdP for automatic Home Realm Discovery routing in External ID user flows.
Hide a custom OIDC IdP from the user-flow page while still using it for domain-based routing.
Deep-link or accelerate directly to a specific custom OIDC IdP using login_hint, domain_hint, or idp parameters.

Error handling and common OIDC federation issues

For custom OIDC federation in External ID, the documented error guidance focuses on:

Ensuring the external IdP returns required claims such as email (for External ID federation scenarios, the email claim must be present in the token configuration of the upstream Entra app).
Validating that the issuer URI exactly matches the issuer value in the discovery document, and that authorization, token, and JWKS endpoints are correct and reachable.
Ensuring required attributes like sub and email are present, otherwise External ID may reject the response with error 40015.

The specific AADSTS165000 “Token was not provided” error on the federation callback is not covered in the provided documentation.

Architectural guidance from the available content

From the documentation provided, the supported and recommended patterns for External ID and OIDC are:

Use OpenID Connect with Authorization Code flow (with PKCE) for web apps and SPAs; implicit and ROPC flows are not supported for OIDC external IdPs in External ID.
Configure the external tenant and user flows, then add custom OIDC IdPs as selectable identity providers in those user flows.
For SPAs and web apps, use the standard Microsoft identity platform OIDC parameters (login_hint, domain_hint) as documented for general sign-in optimization, but there is no explicit statement that these parameters can be used to bypass the user-flow IdP selection or to implement domain-based routing to custom OIDC IdPs in External ID.

Given the constraints of the documentation provided:

There is no documented confirmation that the AADSTS165000 issue with login_hint and custom OIDC federation in External ID is a known limitation or bug, nor any ETA.
There is no documented, supported way in this material to:
- Deep-link directly to a specific custom OIDC IdP in a CIAM user flow using login_hint, domain_hint, or idp.
- Associate verified domains with custom OIDC IdPs for automatic Home Realm Discovery in External ID.
- Hide custom OIDC IdPs from the user-flow page while still using them for domain-based routing.
The only supported pattern explicitly documented is tile-based selection of custom OIDC IdPs within user flows.

For the multi-tenant “email → route to organization SSO” scenario, no additional architecture or pattern beyond the standard custom OIDC user-flow configuration is described in the provided context.

References:

Share via

AADSTS165000 "Token was not provided" when login_hint is sent to a CIAM user flow federating to a custom OpenID Connect IdP

1 answer

Your answer