Got it — here’s the revised version of the support request with that clarification added:
Subject: 401 on ABP API Using External OpenID Access Token (Works from Browser and Swagger)
Hi Support,
We’re building an ABP-based application (MVC + Razor Pages) that uses Keycloak as an external OpenID Connect authentication provider. Everything works as expected when:
- Accessing the application via browser (frontend UI)
- Calling secured APIs via Swagger (with implicit login)
- Hitting API endpoints directly from the browser (authenticated session)
However, when trying to call the same secured APIs via Postman or other external applications like Excel using a valid access token (Keycloak is authenticating us OK) issued by Keycloak (Authorization Code flow), we get a 401 Unauthorized.
We’ve verified the following:
- The aud in the token matches our OpenIddict client in ABP
- Token includes all expected claims (sub, email, etc.)
- The token is valid and decodable
- The same endpoint works fine from the browser
This leads us to believe the ABP middleware may be rejecting the token due to some internal validation or configuration. We would appreciate help understanding:
- Where to place breakpoints or log to trace the token validation pipeline in ABP?
- Whether additional configuration is required in ABP to allow API calls using access tokens from external OpenID providers like Keycloak?
- Any settings or approaches to debug silent failures in authorization?
Our goal is to allow external applications (like Excel or Postman) to call these APIs using a valid token, with the user’s email used for filtering data.
Thanks in advance
6 Answer(s)
-
0
Confirmed a JWT token being sent in the Authorization header, but the user is still not authenticated. The following steps were taken to debug and resolve the issue:
- Ensured app.UseAuthentication() is called before app.UseAuthorization() and any custom middleware.
- Verified the Authority and Audience match the token's iss and aud claims.
- Decoded the Token: Inspected the token using jwt.io to confirm its claims are valid.
- Logged Authorization Header: Confirmed the token is being sent in the Authorization header.
Despite these efforts, the logs consistently show [Auth Debug] User is not authenticated, indicating the token is not being validated correctly.
-
0
hi
Can you enable and share the debug logs of the API and OpenIddict?
https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems
-
0
Thanks for the info — here’s the log (I’ve masked the token). It keeps reporting “invalid issuers,” but the iss value is valid and matches the authority, so I’m not sure if there’s some misconfiguration in the wiring. Hoping the attached log helps you point me in the right direction or gives us some leads to investigate.
-
0
hi
The error is: The issuer associated to the specified token is not valid.
The issuer in your access token is https://authuatdoestars.sd.gov/realms/blender
You should use the access token issued by ABP (OpenIddict).
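The issuer mismatch identified above can be checked before a token is sent to the API. The following is an added example, not code from this thread or from ABP: it decodes a JWT payload without verifying the signature (diagnostic use only) and lists why an API that trusts one issuer would reject the token. The issuer URLs, the audience name and the tokens are constructed sample values.

```python
import base64
import json
import time

# Constructed sample values (assumptions, not taken from the thread).
ABP_ISSUER = "https://abp-app.example/"
KEYCLOAK_ISSUER = "https://keycloak.example/realms/demo"
API_AUDIENCE = "MyApi"

def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, expected_issuer, expected_audience, now=None):
    """List reasons an API that trusts expected_issuer would reject the token."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:  # compared here as an exact string
        problems.append(f"iss: got {claims.get('iss')!r}, API trusts {expected_issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if expected_audience not in aud:
        problems.append(f"aud: {aud!r} does not contain {expected_audience!r}")
    if claims.get("exp", 0) <= now:
        problems.append("exp: token is expired or has no exp claim")
    return problems

def constructed_token(claims):
    """Build an unsigned sample token (placeholder signature) for the demo."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"

if __name__ == "__main__":
    # Same audience and lifetime, different issuer: the situation in this thread.
    from_keycloak = constructed_token({"iss": KEYCLOAK_ISSUER, "aud": API_AUDIENCE, "exp": 2000})
    from_abp = constructed_token({"iss": ABP_ISSUER, "aud": [API_AUDIENCE], "exp": 2000})
    for name, tok in (("Keycloak", from_keycloak), ("ABP", from_abp)):
        print(name, diagnose(tok, ABP_ISSUER, API_AUDIENCE, now=1000) or "accepted")
```

A token can carry the right aud and every expected claim and still be rejected on iss alone, which matches the log message quoted in this thread.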
-
0
That makes sense, let me try that and I’ll let you know.
-
0
ok