Azure Static Web Apps: pass dynamic parameters to ./auth/login?

Question

Azure Static Web Apps: pass dynamic parameters to ./auth/login?

Tony Lunt 0

I use a custom OpenID Connect authentication provider in an Azure Static Web App. My authentication provider supports a "login_hint" URL parameter to populate the user's email address or username. However, I can't figure how to get the SWA to pass this through.

Any ideas? It's a pretty major experience gap that we can't give users an easy login button from an email, so I'm hoping that there is an easy way to accomplish this.

Bruce (SqlWork.com) 82,061 Reputation points Volunteer Moderator

2025-06-24T16:17:30.99+00:00

the msal library supports the hint.

https://dori-uw-1.kuma-moon.com/en-us/entra/identity-platform/msal-js-sso

you could store the hint in local storage after login.
Tony Lunt 0 Reputation points

2025-06-24T17:25:05.34+00:00

Hello Bruce - thank you for taking the time to respond. Unless I am mistaken, I don't believe this library is part of the Azure Static Web App authentication stack with a Custom Identity Provider.
Shree Hima Bindu Maganti 6,200 Reputation points Microsoft External Staff Moderator

2025-06-24T18:44:30.5066667+00:00
Hi @Anonymous
Apology for your inconveniences.
To include dynamic parameters like "login_hint" in the authentication URL for Azure Static Web Apps, you can add the parameter directly to the login URL when generating the authentication link.

<a href="/.auth/login/<PROVIDER_NAME_IN_CONFIG>?login_hint=user@example.com">Login</a>

Be sure to substitute <PROVIDER_NAME_IN_CONFIG> with the correct provider name for your OpenID Connect provider. When users select this link, the "login_hint" parameter will be sent with the request, which allows your authentication provider to autofill the user's email or username.

Confirm that your authentication provider is set up to recognize and process the "login_hint" parameter as needed.
References:

Custom authentication in Azure Static Web Apps

Set up direct sign-in using Azure Active Directory B2C (b2c-user-flow)

Authenticate and authorize Static Web Apps
Let me know if you have any further assistances needed.
Tony Lunt 0 Reputation points

2025-06-24T19:00:25.8766667+00:00

Hello Shree - thank you so much for taking the time to respond. To be clear, the "login_hint" should be working with Custom Open ID Auth Providers? I only see it documented for the Azure B2C auth provider.
Shree Hima Bindu Maganti 6,200 Reputation points Microsoft External Staff Moderator

2025-06-24T19:14:48.7833333+00:00
Hi @Tony Lunt
Thanks for your Response.
Yes the "login_hint" parameter can also be used with custom OpenID Connect authentication providers, much like its use with Azure AD B2C. Although most documentation focuses on Azure AD B2C, passing a "login_hint" is generally supported by many OpenID Connect providers, provided they are set up to recognize and use this parameter.

Make sure your custom OpenID Connect provider is configured to handle the "login_hint" parameter so it can autofill the user's email or username during authentication.

References:

Set up direct sign-in using Azure Active Directory B2C (b2c-user-flow)

Custom authentication in Azure Static Web Apps
https://dori-uw-1.kuma-moon.com/en-us/entra/identity/enterprise-apps/home-realm-discovery-policy#domain-hints
Let me know if you have any further assistances needed.
Tony Lunt 0 Reputation points

2025-06-24T20:46:04.2633333+00:00

Hello @Shree Hima Bindu Maganti - I'm not seeing that behavior reflected client-side when I watch my network history.

Navigating to https://mywebsite.com/.auth/login/MY_AUTH_PROVIDER?login_hint=******@email.com returns a 302.

My client then navigates https://mywebsite.com/.auth/login/MY_AUTH_PROVIDER?post_login_redirect_uri=/.auth/complete&staticWebAppsAuthNonce=MY_NONCE which again returns a 302.

It then navigates to my auth provider's URL at the following endpoint: /oauth2/auth?response_type=code&client_id=MYCLIENT_ID&redirect_uri=MY_CALLBACK_URL&nonce=MY_NONCE&state=redir%3D%252F.auth%252Fcomplete&scope=openid+profile+email&post_login_redirect_uri=%2F.auth%2Fcomplete&staticWebAppsAuthNonce=MY_NONCE
*
I don't see any indicate that my original login_hint, either in the initial redirect to the login with post_login_redirect_uri, nor to the authentication provider is getting passed on.

In fact if I edit that final URL (for my auth provider) and add on a login_hint, it all works correctly.
Shree Hima Bindu Maganti 6,200 Reputation points Microsoft External Staff Moderator

2025-06-25T18:10:21.9866667+00:00

Hi @Tony Lunt
Thanks for your Response.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please free to reach out to me.
Shree Hima Bindu Maganti 6,200 Reputation points Microsoft External Staff Moderator

2025-06-26T00:46:18.25+00:00

Hi @Tony Lunt
Thanks for your Response.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please free to reach out to me.

3 answers

Your answer

Bruce (SqlWork.com) 82,061 Reputation points Volunteer Moderator

2025-06-24T16:17:30.99+00:00

the msal library supports the hint.

https://dori-uw-1.kuma-moon.com/en-us/entra/identity-platform/msal-js-sso

you could store the hint in local storage after login.
Tony Lunt 0 Reputation points

2025-06-24T17:25:05.34+00:00

Hello Bruce - thank you for taking the time to respond. Unless I am mistaken, I don't believe this library is part of the Azure Static Web App authentication stack with a Custom Identity Provider.
Shree Hima Bindu Maganti 6,200 Reputation points Microsoft External Staff Moderator

2025-06-24T18:44:30.5066667+00:00

Hi @Anonymous
Apology for your inconveniences.
To include dynamic parameters like "login_hint" in the authentication URL for Azure Static Web Apps, you can add the parameter directly to the login URL when generating the authentication link.

<a href="/.auth/login/<PROVIDER_NAME_IN_CONFIG>?login_hint=user@example.com">Login</a>

Be sure to substitute <PROVIDER_NAME_IN_CONFIG> with the correct provider name for your OpenID Connect provider. When users select this link, the "login_hint" parameter will be sent with the request, which allows your authentication provider to autofill the user's email or username.

Confirm that your authentication provider is set up to recognize and process the "login_hint" parameter as needed.
References:

Custom authentication in Azure Static Web Apps

Set up direct sign-in using Azure Active Directory B2C (b2c-user-flow)

Authenticate and authorize Static Web Apps
Let me know if you have any further assistances needed.
Tony Lunt 0 Reputation points

2025-06-24T19:00:25.8766667+00:00

Hello Shree - thank you so much for taking the time to respond. To be clear, the "login_hint" should be working with Custom Open ID Auth Providers? I only see it documented for the Azure B2C auth provider.
Shree Hima Bindu Maganti 6,200 Reputation points Microsoft External Staff Moderator

2025-06-24T19:14:48.7833333+00:00

Hi @Tony Lunt
Thanks for your Response.
Yes the "login_hint" parameter can also be used with custom OpenID Connect authentication providers, much like its use with Azure AD B2C. Although most documentation focuses on Azure AD B2C, passing a "login_hint" is generally supported by many OpenID Connect providers, provided they are set up to recognize and use this parameter.

Make sure your custom OpenID Connect provider is configured to handle the "login_hint" parameter so it can autofill the user's email or username during authentication.

References:

Set up direct sign-in using Azure Active Directory B2C (b2c-user-flow)

Custom authentication in Azure Static Web Apps
https://dori-uw-1.kuma-moon.com/en-us/entra/identity/enterprise-apps/home-realm-discovery-policy#domain-hints
Let me know if you have any further assistances needed.
Tony Lunt 0 Reputation points

2025-06-24T20:46:04.2633333+00:00

Hello @Shree Hima Bindu Maganti - I'm not seeing that behavior reflected client-side when I watch my network history.

Navigating to https://mywebsite.com/.auth/login/MY_AUTH_PROVIDER?login_hint=******@email.com returns a 302.

My client then navigates https://mywebsite.com/.auth/login/MY_AUTH_PROVIDER?post_login_redirect_uri=/.auth/complete&staticWebAppsAuthNonce=MY_NONCE which again returns a 302.

It then navigates to my auth provider's URL at the following endpoint: /oauth2/auth?response_type=code&client_id=MYCLIENT_ID&redirect_uri=MY_CALLBACK_URL&nonce=MY_NONCE&state=redir%3D%252F.auth%252Fcomplete&scope=openid+profile+email&post_login_redirect_uri=%2F.auth%2Fcomplete&staticWebAppsAuthNonce=MY_NONCE
*
I don't see any indicate that my original login_hint, either in the initial redirect to the login with post_login_redirect_uri, nor to the authentication provider is getting passed on.

In fact if I edit that final URL (for my auth provider) and add on a login_hint, it all works correctly.
Shree Hima Bindu Maganti 6,200 Reputation points Microsoft External Staff Moderator

2025-06-25T18:10:21.9866667+00:00

Hi @Tony Lunt
Thanks for your Response.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please free to reach out to me.
Shree Hima Bindu Maganti 6,200 Reputation points Microsoft External Staff Moderator

2025-06-26T00:46:18.25+00:00

Hi @Tony Lunt
Thanks for your Response.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please free to reach out to me.

Answer 1

Hi @Tony Lunt
Apology for your inconveniences.
When using Azure Static Web Apps, dynamic parameters like login_hint are expected to be passed to the authentication provider via the URL during authentication. If the login_hint parameter is not making it through the redirects, this may be related to how Azure Static Web Apps manages the authentication process.

If your configuration does not specifically support preserving login_hint, the initial redirect to the login endpoint might drop this parameter. It's important to verify that your authentication provider is set up to accept and process login_hint. If adding login_hint manually to the final URL works, it suggests that Azure Static Web Apps is not retaining it throughout the authentication steps.

To resolve this, check that your authentication provider allows login_hint, review your Azure Static Web Apps authentication settings for anything affecting parameter forwarding, and consult Azure documentation or support for further guidance on this issue.
References:

Custom authentication in Azure Static Web Apps
Microsoft identity platform and OAuth 2.0 implicit grant flow
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please free to reach out to me.

Answer 2

Tony Lunt 0

@Shree Hima Bindu Maganti thank you again for all of your responses here. Based off everything you shared and the fact that my authentication provider supports login_hint, it appears that the Static Web App is dropping this parameter before the request forwards on to the authentication provider. I will open a support case with Azure.

Answer 3

UPDATE

I've tested with multiple users and looks like this approach does not work

----------------------------------------------

For those struggling with passing a login_hint to Azure Static Web App (SWA):

If swa is provisioned with the free hosting plan, you can neither customize aad flow nor enable login_hint due to a lack of azure app registration linked to the SWA.

When swa is created, a generic enterprise application is created with name Azure Static Web Apps for this and all other swas which handle built-in aad authentication.

To use login_hint, upgrade to standard hosting plan is required. After this a new app registration shall be created with:

a new client secret name and value and passed in the auth key of staticwebapp.config.json as explained here dori-uw-1.kuma-moon.com/en-us/azure/static-web-apps/authentication-custom.
In Token configuration -> Add optional claim login_hint

Now you can silently authenticate your user as this: https://app-url.com/.auth/login/aad?login_hint=******@site.com

Share via

Azure Static Web Apps: pass dynamic parameters to ./auth/login?

3 answers

Your answer