Google Auth Proxy

Fix for Microsoft Entra External ID + Google Sign-In — by John Matthew Young

Error 400: invalid_request
Parameter not allowed for this message type: username

If you hit this error when using Google sign-in with Microsoft Entra External ID (the successor to Azure AD B2C), you're in the right place.

The Problem

When Google is configured as a federated identity provider in Microsoft Entra External ID, sign-in fails with Error 400: invalid_request when a user selects a previously signed-in account from the account picker. The error includes flowName=GeneralOAuthFlow in the request details.

The root cause: Entra automatically appends a username parameter to the OAuth2 authorization request it sends to Google. Google's OAuth2 implementation rejects this parameter outright. Direct "Sign in with Google" flows work fine — the issue is specific to Entra-orchestrated flows.

The Fix

A lightweight proxy sits between Entra and Google. It intercepts the authorization request, strips the username parameter, and forwards the cleaned request to Google. The only Entra configuration change is pointing the Well-known endpoint at the proxy instead of Google directly. Because the proxy rewrites only the authorization endpoint in the discovery document, the authorization code exchange, the client secret and ID-token validation still go directly between Entra and Google; the proxy only ever handles the front-channel redirect.

  1. Entra ID → GET /api/well-known/openid-configuration → Proxy returns Google's OIDC discovery document with authorization_endpoint rewritten to point at the proxy
  2. Entra ID → GET /api/auth?…&username=… → Proxy strips username → 302 to Google's authorization endpoint
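To make the mechanism concrete, here is a minimal stand-in for the proxy's two endpoints, written in Python with only the standard library as an added example for this page; it is not the project's own C# code. The embedded discovery document is a constructed excerpt of Google's real one so the example runs offline (a real proxy fetches the live document), and auth-proxy.yourdomain.com is the placeholder domain used later on this page. Two details matter for security and are kept explicit in the code: only authorization_endpoint is rewritten, so the code exchange and ID-token validation still go straight to Google, and the redirect target is a fixed Google URL, so /api/auth cannot be turned into an open redirect.

```python
"""Minimal stand-in for the proxy's two endpoints (added example in Python, not the project's C# code)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode, urlsplit

# Fixed Google endpoint. The 302 always targets this URL and never anything taken from
# the request, so /api/auth cannot be abused as an open redirect.
GOOGLE_AUTHORIZE = "https://accounts.google.com/o/oauth2/v2/auth"

# Constructed excerpt of https://accounts.google.com/.well-known/openid-configuration,
# embedded so the example runs offline. A real proxy fetches the live document.
GOOGLE_DISCOVERY = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": GOOGLE_AUTHORIZE,
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "token", "id_token"],
    "scopes_supported": ["openid", "email", "profile"],
}

# Configure the public base URL explicitly. Deriving it from the incoming Host header
# would let anyone who reaches the proxy with a forged Host header poison the discovery
# document that Entra caches. The domain is the placeholder used on this page.
PROXY_BASE = "https://auth-proxy.yourdomain.com"

STRIPPED_PARAMS = {"username"}


def rewrite_discovery(doc, proxy_base):
    """Copy Google's discovery doc, pointing ONLY authorization_endpoint at the proxy.

    issuer, token_endpoint and jwks_uri stay on Google, so Entra still exchanges the
    authorization code and validates the ID token directly with Google; the proxy never
    sees the client secret, the code or any token.
    """
    rewritten = dict(doc)
    rewritten["authorization_endpoint"] = proxy_base.rstrip("/") + "/api/auth"
    return rewritten


def clean_redirect(query):
    """Build the 302 Location: Google's authorize URL plus every parameter except username.

    client_id, redirect_uri, state, nonce, scope and response_type pass through unchanged,
    so Entra's state/nonce checks on the way back are unaffected.
    """
    params = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
              if k not in STRIPPED_PARAMS]
    return GOOGLE_AUTHORIZE + ("?" + urlencode(params) if params else "")


class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlsplit(self.path)
        if url.path == "/api/well-known/openid-configuration":
            body = json.dumps(rewrite_discovery(GOOGLE_DISCOVERY, PROXY_BASE)).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif url.path == "/api/auth":
            self.send_response(302)
            self.send_header("Location", clean_redirect(url.query))
            self.send_header("Cache-Control", "no-store")
            self.end_headers()
        else:
            self.send_error(404)


if __name__ == "__main__":
    # Same local port the page's dotnet run uses, so the verification URL on the page applies.
    HTTPServer(("127.0.0.1", 7136), ProxyHandler).serve_forever()
```

Run it and request http://localhost:7136/api/well-known/openid-configuration: the only field that differs from Google's document is authorization_endpoint. A request to /api/auth?client_id=…&username=… comes back as a 302 whose Location is Google's authorize URL with username gone and every other parameter preserved.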

Options

Option 1 — Use the Hosted Proxy (Development / Less Secure)

A hosted instance is running at google-auth-proxy.jmatthewyoung.com. It does not log, store, or inspect any data; it only strips the username parameter and redirects. Be clear about what that means in trust terms: the proxy never sees the client secret, the authorization code or any token (those go from Entra to Google directly), but it does receive every authorization request, and whoever operates it could change where those requests are redirected. Use it for development only; for production, self-hosting (Option 2) is recommended.

Steps

  1. In the Azure Portal, go to Entra External ID → External Identities → All identity providers.
  2. Select the Custom tab — do not use the built-in Google provider. The built-in one does not allow overriding the well-known endpoint.
  3. Click Add new → OpenID Connect.
  4. Fill in the settings below. Setting Display name to Google will label the sign-in button correctly.
     Field                         Value
     Display name                  Google
     Well-known endpoint           https://google-auth-proxy.jmatthewyoung.com/api/well-known/openid-configuration
     Issuer URI                    https://accounts.google.com
     Client ID                     Your Client ID from Google Cloud Console
     Client Authentication Method  Client secret
     Client Secret                 Your Client Secret from Google Cloud Console
     Scope                         openid profile email
     Response Type                 code
  5. Save the configuration and test your sign-in flow.

Option 2 — Self-Hosted on Azure Functions (Production / Recommended)

Deploy your own instance for full control over the infrastructure.

Prerequisites

  • .NET 8 SDK (the function app targets .NET 8)
  • Azure Functions Core Tools, which provide the func command used to publish below

Run Locally

  git clone https://github.com/jmatthewyoung/google-auth-proxy.git
  cd google-auth-proxy
  dotnet run --project GoogleAuthProxy/GoogleAuthProxy.csproj

Verify it's working: http://localhost:7136/api/well-known/openid-configuration should return Google's discovery document with authorization_endpoint changed to http://localhost:7136/api/auth and everything else (issuer, token_endpoint, jwks_uri) still pointing at Google.
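Once a proxy is running, whether your own instance or the hosted one from Option 1, it is worth checking that it does exactly what this page describes and nothing more: only authorization_endpoint rewritten, issuer, token_endpoint and jwks_uri still Google's, and the 302 from /api/auth pointing at Google with username gone and every other parameter intact. The script below is an added example in Python and is not part of the project. The check functions are pure and run offline on constructed input; the command-line form (the proxy base URL as the single argument) and the placeholder client ID and redirect URI in the probe request are assumptions for this example.

```python
"""Audit a running proxy against the behaviour described on this page (added example, not project code)."""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit

GOOGLE_ISSUER = "https://accounts.google.com"
GOOGLE_AUTHORIZE = "https://accounts.google.com/o/oauth2/v2/auth"


def _host(url):
    return urlsplit(url).netloc.lower()


def discovery_problems(doc, proxy_base):
    """Findings for the discovery document served by the proxy.

    Only authorization_endpoint may point at the proxy. issuer must still be Google's so
    Entra's Issuer URI check on the ID token keeps meaning something, and token_endpoint and
    jwks_uri must stay on Google so the client secret, code and tokens never transit the proxy.
    """
    problems = []
    if _host(doc.get("authorization_endpoint", "")) != _host(proxy_base):
        problems.append("authorization_endpoint does not point at the proxy")
    if doc.get("issuer") != GOOGLE_ISSUER:
        problems.append("issuer was changed")
    for key in ("token_endpoint", "jwks_uri"):
        host = _host(doc.get(key, ""))
        if host != "googleapis.com" and not host.endswith(".googleapis.com"):
            problems.append(f"{key} does not point at Google")
    return problems


def redirect_problems(location, sent_params):
    """Findings for the 302 Location that /api/auth returned for sent_params."""
    problems = []
    target = urlsplit(location)
    if f"{target.scheme}://{target.netloc}{target.path}" != GOOGLE_AUTHORIZE:
        problems.append("redirect target is not Google's authorization endpoint")
    got = dict(parse_qsl(target.query, keep_blank_values=True))
    if "username" in got:
        problems.append("username parameter was not stripped")
    for key, value in sent_params.items():
        if key != "username" and got.get(key) != value:
            problems.append(f"parameter {key} was dropped or altered")
    return problems


def fetch_redirect_location(url):
    """GET url without following redirects; return the Location header of a redirect, else None."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urlopen then raises HTTPError instead of following the redirect
    opener = urllib.request.build_opener(NoRedirect)
    try:
        opener.open(url, timeout=10)
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise
    return None


if __name__ == "__main__":
    # Assumed usage: python check_proxy.py https://auth-proxy.yourdomain.com
    base = sys.argv[1].rstrip("/")
    with urllib.request.urlopen(base + "/api/well-known/openid-configuration", timeout=10) as resp:
        doc = json.load(resp)
    # Constructed parameters shaped like Entra's request; client_id and redirect_uri are placeholders.
    sent = {"client_id": "placeholder-client-id", "redirect_uri": "https://example.invalid/cb",
            "response_type": "code", "scope": "openid profile email",
            "state": "s1", "nonce": "n1", "username": "user@example.invalid"}
    location = fetch_redirect_location(base + "/api/auth?" + urlencode(sent)) or ""
    findings = discovery_problems(doc, base) + redirect_problems(location, sent)
    print("OK" if not findings else "\n".join("FAIL: " + f for f in findings))
    sys.exit(1 if findings else 0)
```

A clean run prints OK and exits 0. Any FAIL line means the proxy is doing more than stripping username, which for a third-party instance is exactly the case you want to catch before routing users through it.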

Deploy to Azure

  1. Create a Function App (Runtime: .NET 8, OS: Windows or Linux).
  2. Deploy:
       func azure functionapp publish <YOUR_FUNCTION_APP_NAME>
     Or publish from Visual Studio via Right-click project → Publish.
  3. Important: use a custom domain served over HTTPS. Do not use the default *.azurewebsites.net URL: Chrome will show a "Dangerous site" warning for that domain during the OAuth redirect. Set up a custom domain (e.g. auth-proxy.yourdomain.com) and use that as your proxy URL.

Configure Entra

Follow the same steps as Option 1, replacing the well-known endpoint with your custom domain:

  Field                 Value
  Well-known endpoint   https://auth-proxy.yourdomain.com/api/well-known/openid-configuration
  (all other fields are identical to Option 1)

Proxy Endpoints

  Endpoint                                   What it does
  GET /api/well-known/openid-configuration   Returns Google's OIDC discovery document with authorization_endpoint rewritten to point to the proxy; issuer, token_endpoint and jwks_uri are left as Google's
  GET /api/auth                              Receives the authorization request from Entra, strips the username parameter, and 302-redirects to Google's authorization endpoint with the remaining parameters intact

Trade-offs vs. Built-in Google Identity Provider

Pro

Users can select a previously signed-in Google account from the account picker without hitting the error.

Cons

  • The Google sign-in button shows a generic blue circle icon instead of the Google logo.
  • Existing users who signed in via the built-in Google IDP must have their account deleted or their redemption status reset before they can use the proxy-backed provider: a one-time migration cost per affected user.

Note to Microsoft

This bug does not appear when clicking Sign In With Google fresh — that works fine. It appears when a user returns and selects their email from the account picker, goes through "Taking you to your organization's sign-in page", and then hits the error. Going back and choosing "Use another account → Sign in with Google" with the exact same account works. The cause is Entra appending a username parameter that Google rejects. Please fix this and make this proxy unnecessary.