
401 on ABP API Using External OpenID Access Token (Works from Browser and Swagger) #9225


sderzi created



Subject: 401 on ABP API Using External OpenID Access Token (Works from Browser and Swagger)

Hi Support,

We’re building an ABP-based application (MVC + Razor Pages) that uses Keycloak as an external OpenID Connect authentication provider. Everything works as expected when:

  • Accessing the application via browser (frontend UI)

  • Calling secured APIs via Swagger (with implicit login)

  • Hitting API endpoints directly from the browser (authenticated session)

However, when trying to call the same secured APIs via Postman or other external applications like Excel using a valid access token (Keycloak is authenticating us OK) issued by Keycloak (Authorization Code flow), we get a 401 Unauthorized.

We’ve verified the following:

  • The aud in the token matches our OpenIddict client in ABP

  • Token includes all expected claims (sub, email, etc.)

  • The token is valid and decodable

  • The same endpoint works fine from the browser

This leads us to believe the ABP middleware may be rejecting the token due to some internal validation or configuration. We would appreciate help understanding:

  1. Where to place breakpoints or log to trace the token validation pipeline in ABP?

  2. Whether additional configuration is required in ABP to allow API calls using access tokens from external OpenID providers like Keycloak?

  3. Any settings or approaches to debug silent failures in authorization?

Our goal is to allow external applications (like Excel or Postman) to call these APIs using a valid token, with the user’s email used for filtering data.

Thanks in advance


6 Answer(s)
  • sderzi created

    Confirmed a JWT is being sent in the Authorization header, but the user is still not authenticated. The following steps were taken to debug and resolve the issue:

    1. Ensured app.UseAuthentication() is called before app.UseAuthorization() and any custom middleware.

    2. Verified the Authority and Audience match the token's iss and aud claims.

    3. Decoded the Token: Inspected the token using jwt.io to confirm its claims are valid.

    4. Logged Authorization Header: Confirmed the token is being sent in the Authorization header.

    Despite these efforts, the logs consistently show [Auth Debug] User is not authenticated, indicating the token is not being validated correctly.

  • maliming created
    Support Team Fullstack Developer

    hi

    You can enable and share the debug logs of api and openiddict?

    https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems

  • sderzi created

    Thanks for the info — here’s the log (I’ve masked the token). It keeps reporting “invalid issuers,” but the iss value is valid and matches the authority, so I’m not sure if there’s some misconfiguration in the wiring. Hoping the attached log helps you point me in the right direction or gives us some leads to investigate.

    Log File

  • maliming created
    Support Team Fullstack Developer

    hi

    The error is "The issuer associated to the specified token is not valid."

    The issuer in your access token is https://authuatdoestars.sd.gov/realms/blender

    You should use the access token issued by ABP (OpenIddict).
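    The failure above is the resource server's issuer check: the API is configured to trust the ABP (OpenIddict) authority, so a token whose iss is the Keycloak realm is rejected before any claim such as email is looked at. The following Python script is an added illustration of that check and is not code from the thread, ABP or OpenIddict. It mints two HS256 tokens with a shared demo key (a stand-in for the identity provider; a real API instead fetches the authority's signing keys from its discovery document, so a token from another issuer would also fail signature validation) and runs both through the same validation order a bearer-token middleware applies: signature, expiry, issuer, audience. The ABP issuer URL, audience name and key are assumed values; the Keycloak issuer is the one quoted in the log.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions; only KEYCLOAK_ISSUER comes from the thread).
ABP_ISSUER = "https://abp-auth.example.com/"      # hypothetical ABP/OpenIddict authority
KEYCLOAK_ISSUER = "https://authuatdoestars.sd.gov/realms/blender"  # issuer seen in the log
API_AUDIENCE = "MyApp"                            # hypothetical OpenIddict resource/client name
SHARED_KEY = b"demo-hmac-key-not-for-production"  # HS256 key so the demo runs offline


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Build an HS256 JWT; stands in for whichever identity provider issued it."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_bearer_token(token: str, expected_issuer: str, expected_audience: str,
                          key: bytes = SHARED_KEY, now: Optional[float] = None) -> dict:
    """Apply the checks a JwtBearer-style API performs; raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")  # never let the caller choose the algorithm
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("invalid signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != expected_issuer:
        # Same condition the log reported for the Keycloak-issued token.
        raise ValueError(f"The issuer associated to the specified token is not valid: {claims.get('iss')}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_audience not in aud:
        raise ValueError("audience mismatch")
    return claims


def outcome(token: str, now: float) -> tuple:
    """Return ("200", email) when the API would accept the token, else ("401", reason)."""
    try:
        claims = validate_bearer_token(token, ABP_ISSUER, API_AUDIENCE, now=now)
        return ("200", claims.get("email"))
    except ValueError as exc:
        return ("401", str(exc))


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run a Keycloak-issued, an ABP-issued, and a tampered token through the API's checks."""
    base = {"sub": "user-1", "email": "someone@example.com", "aud": API_AUDIENCE, "exp": now + 300}
    keycloak_token = mint_token({**base, "iss": KEYCLOAK_ISSUER})
    abp_token = mint_token({**base, "iss": ABP_ISSUER})
    # Tampered: swap the payload for a different email but keep the original signature.
    h, _, s = abp_token.split(".")
    tampered = h + "." + _b64url(json.dumps({**base, "iss": ABP_ISSUER, "email": "attacker@example.com"}).encode()) + "." + s
    return {
        "keycloak": outcome(keycloak_token, now),
        "abp": outcome(abp_token, now),
        "tampered": outcome(tampered, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The practical consequence for the setup in the question: Excel or Postman must obtain the token from the ABP authentication server (which in turn federates the login to Keycloak), not from Keycloak directly; otherwise every iss comparison in the API fails regardless of how valid the Keycloak token itself is.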

  • sderzi created

    That makes sense, let me try that and I'll let you know

  • maliming created
    Support Team Fullstack Developer

    ok

Made with ❤️ on ABP v9.3.0-preview. Updated on May 28, 2025, 08:51