Federated Google Login - Microsoft Entra External ID

Question

Federated Google Login - Microsoft Entra External ID

Wistedt, Carl 0

Hi,

I have setup an "Entra External Id" and federated login to google. I works all fine from my SPA application. But after like a day or so when i open my app again and i think the tokens needs to refresh it goes:

My App -> Ciam Login -> Google

But it gets stuck showing "parameter not allowed for this message type: username"
I can just hit F5 and then it works. But i would like to know why this hapens and if this is something i need to fix on my end or if there are some config i forgot in Azure or maybe a bugg in Azure Entra Extenal Id.

Screenshot_20250528-080819_Chrome-EDIT

Wistedt, Carl 0 Reputation points

2025-06-02T18:21:24.9433333+00:00

For further investigation. Here is are some screenshots from devtoole when this issue occurs:

The three request in order:

Authorize

Auth (The invalid request to google with a username parameter)

Error

Hope this helps.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-04T10:28:06.5133333+00:00

Hello Wistedt, Carl, The error happens because the silent token refresh request to Google includes a disallowed username parameter, causing Google to reject it. This is usually due to the SPA’s auth library sending extra parameters during silent renew.

To resolve it,make sure your SPA’s silent token renewal requests strictly follow Google’s OAuth specs and avoid sending unsupported parameters like username. Double-check your Microsoft Entra External ID and Google federation setup for any misconfigurations.

Let me know if further queries - feel free to reach out!
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-05T04:47:54.7733333+00:00

Hello Wistedt, Carl, Did you a get a chance to review the above comment? In case if you have any resolution, please do share that same with the community as it can be helpful to others Please let us know if any further queries so that we can try to help!

Wistedt, Carl 0

Hi Rukumi,
Been a little busy. I dont understand you anwers. My SPA is not directly communicating with googles api for getting a new access token. It sends the request to microsofts ciamlogin.com and then ciamlogin connects to google to verify my clinent on google (i guess). This is the request my SPA sends to ciamlogin. I dont undestand what my SPA could possibly do wrong, i dont see a username parameter from my SPA?:

SPA -> ciamlogin

https://my-entra-external-id-instance.ciamlogin.com/123e96c9-034e-4041-8d9c-9ee56495b7da/oauth2/v2.0/authorize?response_type=code&client_id=fb53a1ab-121b-40bb-44b9-12df65103275&state=OWlITjJIWHZJdE1ndVB0a05XYXhrU1lHSlRPV0xzfnNrdUs0amJteklrSy5D&redirect_uri=https%3A%2F%2Faca-rp.lemon-9f414d97.northeurope.azurecontainerapps.io%2Findex.html&scope=openid%20offline_access%20api%3A%2F%2Ffb54a9ab-734b-42bb-12b9-94df65103275%2F.default&code_challenge=vQqkayR9a2TIG9BLieRZa60rEll35aiR-C8GFzqFZRg&code_challenge_method=S256&nonce=OWlITjJIWHZJdE1ndVB0a05XYXhrU1lHSlRPV0xzfnNrdUs0amJteklrSy5D

Then ciamlogin sends this to google:

ciamlogin -> google


https://accounts.google.com/o/oauth2/v2/auth?scope=openid+email+profile+address&response_type=code&client_id=1234763625454-pausj22jjhbcub9pp9k1i3iv3fibooq.apps.googleusercontent.com&response_mode=form_post&access_type=offline&redirect_uri=https%3a%2f%2fmy-entra-extenal-id.ciamlogin.com%2f12396c9-113e-4041-2d9c-2e18395b7da%2ffederation%2foauth2&state=rQQIARAArZI9aBNhGMfz5vphU6yJjiJ06FS9y3uX-ww62MZwKdSkadNUB-W9e9_rXXtf3F1Ck0EKIigOFhdBOxShS7BQnaR-r5k6OEhFKYKgDrZjkQ6eu0NBl2f48_Dn-f_-zyjFMTA_YmgCjxSk0SzHajQPNY2WFU2hcxAbosDCHCcJwclU2t84XMOrefXBvUefX_zav9YBk2YU-WE-m0U6ogOfsYnjuSFBNDSgIGBFYlwviEzSCDyfMKjdCIjuuRGyXBIg3w8Zy8taLiZLjBk59nMAtgH4BsByEnSS58t1uzSzMFGqq1cn8CXWxbNjEEFh7sqcGdRYW522q5VZuNQ23MsBroUQORMRWbSD6ZZQ2EmeKF9sRCb3Z3iB1SYPqX8y7FCjyLfipEeB9YwaEQWJKKKu0DDHk3iNZ2kZKzqtEMLKOUXQJIy2qBEIBR2JWKE5EeVoViRS7KaLNORkQZFExCsK16VKMT3XwsOeYdgxuutI10kYDh_9oCyDiYEadvSBAts94EdPEh476AGPe-NW987d7W99HSy9HtfefXw6lOj2Zl2fnXemWvK4V0dmVXX4nG5VSCTCmVpQKDYFrojMdrOyOCV5F6Q8u9IH9vvA7f7E1sD_fYhO6my1vsiHNSJrolOtByW8UJajUiXi1YJbHKv5zWaVUyfLs4WGzG-mwM5gHGj91MbpYutM4eUq--TGzZXDL38T3x5PHAzt7d56tfzm-0_1fjo173nzNmF0z9lMJ3bTiW5mYOD9XFe9s_5J3c0kDjJryd81&username=1bad13a5-2121-441d-bc1c-31ac7e1121fc%40eds896.onmicrosoft.com

Google then responds with this redirect:

https://accounts.google.com/signin/oauth/error?authError=Cg9pbnZhbGlkX3JlcXVlc3QSNVBhcmFtZXRlciBub3QgYWxsb3dlZCBmb3IgdGhpcyBtZXNzYWdlIHR5cGU6IHVzZXJuYW1lGjdodHRwczovL2RldmVsb3BlcnMuZ29vZ2xlLmNvbS9pZGVudGl0eS9wcm90b2NvbHMvb2F1dGgyIJAD&client_id=1234563627864-pausj08rjjhbcub9pp9k1i3iv3fibooq.apps.googleusercontent.com&flowName=GeneralOAuthFlow

Mallikarjuna Vardham 450 Reputation points Microsoft External Staff Moderator

2025-06-09T12:43:09.6766667+00:00

Hello Wistedt, Carl, could you please confirm What is the exact prompt value sent in the failing /authorize request from Entra to Google?
PRATIK JADHAV 170 Reputation points Microsoft External Staff Moderator

2025-06-10T11:14:16.6166667+00:00

Hello @Wistedt, Carl

We haven’t heard from you on the last response of Mallikarjuna Vardham and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-11T05:53:39.06+00:00

Hello @Wistedt, Carl, The issue is from ciamlogin.com (Microsoft Entra External ID) adding a username parameter in the request to Google, which Google rejects. To fix this, go to Azure Portal > External Identities > Identity Providers > Google and disable any login_hint or username pass-through settings. This will stop ciamlogin from injecting unsupported parameters.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-12T05:52:22.68+00:00

Hello @Wistedt, Carl, Did you get a chance to see my previous comment? In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
Wistedt, Carl 0 Reputation points

2025-06-12T18:46:47.84+00:00

Hi Rukumi,

Thanks for getting back to me. I tried finding the setting you mentioned but failed to find it anywhere. This is the picture i have in Entra External Id:
Wistedt, Carl 0 Reputation points

2025-06-12T19:48:25.09+00:00

Might this be a setting i need to do in https://developer.microsoft.com/en-us/graph/graph-explorer?
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-13T09:14:58.17+00:00
Hello Wistedt, Carl, Sorry for the above comment. there is no UI setting in Entra External ID to disable username or login_hint.

To resolve the issue as a workarounf, In your SPA, set prompt=select_account in the auth request to avoid silent login and suppress login_hint usage:

loginRequest: { scopes: [...], prompt: "select_account" }

Let me know if further queries - feel free to reach out!
Wistedt, Carl 0 Reputation points

2025-06-15T13:06:02.9366667+00:00

K. Let me test this and get back to you.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-16T05:56:20.8666667+00:00

Hello Wistedt, Carl, Did you get a chance to test the same, Please let me know if any further queries - feel free to reach out!
Wistedt, Carl 0 Reputation points

2025-06-29T15:36:22.57+00:00

Hi Rukumi,

Sorry for late response. Yes it works. This perticular problem is now gone. But now i get a differen behaviour sometimes. After re-logining in i get redirected back to my app with this error_code:

AADSTS50133:+The+session+is+not+valid+due+to+password+expiration+or+recent+password+change.

Even though i have not changed my gmail password i use for the user i login as.

1 answer

Your answer

Wistedt, Carl 0 Reputation points

2025-06-02T18:21:24.9433333+00:00

For further investigation. Here is are some screenshots from devtoole when this issue occurs:

The three request in order:

Authorize

Auth (The invalid request to google with a username parameter)

Error

Hope this helps.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-04T10:28:06.5133333+00:00

Hello Wistedt, Carl, The error happens because the silent token refresh request to Google includes a disallowed username parameter, causing Google to reject it. This is usually due to the SPA’s auth library sending extra parameters during silent renew.

To resolve it,make sure your SPA’s silent token renewal requests strictly follow Google’s OAuth specs and avoid sending unsupported parameters like username. Double-check your Microsoft Entra External ID and Google federation setup for any misconfigurations.

Let me know if further queries - feel free to reach out!
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-05T04:47:54.7733333+00:00

Hello Wistedt, Carl, Did you a get a chance to review the above comment? In case if you have any resolution, please do share that same with the community as it can be helpful to others Please let us know if any further queries so that we can try to help!
Mallikarjuna Vardham 450 Reputation points Microsoft External Staff Moderator

2025-06-09T12:43:09.6766667+00:00

Hello Wistedt, Carl, could you please confirm What is the exact prompt value sent in the failing /authorize request from Entra to Google?
PRATIK JADHAV 170 Reputation points Microsoft External Staff Moderator

2025-06-10T11:14:16.6166667+00:00

Hello @Wistedt, Carl

We haven’t heard from you on the last response of Mallikarjuna Vardham and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-11T05:53:39.06+00:00

Hello @Wistedt, Carl, The issue is from ciamlogin.com (Microsoft Entra External ID) adding a username parameter in the request to Google, which Google rejects. To fix this, go to Azure Portal > External Identities > Identity Providers > Google and disable any login_hint or username pass-through settings. This will stop ciamlogin from injecting unsupported parameters.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-12T05:52:22.68+00:00

Hello @Wistedt, Carl, Did you get a chance to see my previous comment? In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
Wistedt, Carl 0 Reputation points

2025-06-12T18:46:47.84+00:00

Hi Rukumi,

Thanks for getting back to me. I tried finding the setting you mentioned but failed to find it anywhere. This is the picture i have in Entra External Id:
Wistedt, Carl 0 Reputation points

2025-06-12T19:48:25.09+00:00

Might this be a setting i need to do in https://developer.microsoft.com/en-us/graph/graph-explorer?
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-13T09:14:58.17+00:00

Hello Wistedt, Carl, Sorry for the above comment. there is no UI setting in Entra External ID to disable username or login_hint.

To resolve the issue as a workarounf, In your SPA, set prompt=select_account in the auth request to avoid silent login and suppress login_hint usage:

loginRequest: { scopes: [...], prompt: "select_account" }

Let me know if further queries - feel free to reach out!
Wistedt, Carl 0 Reputation points

2025-06-15T13:06:02.9366667+00:00

K. Let me test this and get back to you.
Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-06-16T05:56:20.8666667+00:00

Hello Wistedt, Carl, Did you get a chance to test the same, Please let me know if any further queries - feel free to reach out!
Wistedt, Carl 0 Reputation points

2025-06-29T15:36:22.57+00:00

Hi Rukumi,

Sorry for late response. Yes it works. This perticular problem is now gone. But now i get a differen behaviour sometimes. After re-logining in i get redirected back to my app with this error_code:

AADSTS50133:+The+session+is+not+valid+due+to+password+expiration+or+recent+password+change.

Even though i have not changed my gmail password i use for the user i login as.

Answer 1

Hello,

Just in case it helps others, I implemented the workaround advised above by Rukmini in my .Net Core 9 c# Razor Pages web app by adding an options.Events.OnRedirectToIdentityProvider handler to AddMicrosoftIdentityWebApp, and it works. However, of course the user experience is degraded as there is no silent login even when the token would still be valid. Any updates on getting a proper fix for this?

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        builder.Configuration.Bind("AzureAd", options);
        options.SaveTokens = true;
        options.Events.OnRedirectToIdentityProvider = (context =>
        {
            context.ProtocolMessage.Prompt = "select_account";
            return Task.CompletedTask;
        });
    });

Share via

Federated Google Login - Microsoft Entra External ID

1 answer

Your answer