
Authenticated requests in Swagger fails with http 401 #10507


petri.t created

I recently upgraded my project from ABP 10.0.2 to 10.1.1. With that upgrade, Swagger authentication stopped working. The MVC UI and my external UI using bearer token both work without problems, so the problem is limited to Swagger. I'm able to reproduce the problem with a new application created with the CLI:

abp --version 2.2.1

abp new AbpTestApp --tiered

  • start the project in ABP Studio
  • inside ABP Studio browse HttpApi.Host project
  • Click authorize
  • Select AbpTestApp scope
  • Click Authorize and login with admin (both username and password are prefilled)
  • Close authorization window
  • Browse to UserLookup service
  • GET /api/identity/users/lookup/count
  • Try it out & Execute

Error: response status is 401

Curl example in swagger (missing Authorization header):

curl -X 'GET' \
  'https://localhost:44307/api/identity/users/lookup/count' \
  -H 'accept: text/plain' \
  -H 'RequestVerificationToken: CfDJ8BYhVJtGAV5HrK9f45y0riMpUpsXcJ4DfPeR7pqUE6yne9Y2CxHdVTSKW_T3GNLRh853u24OP2gC6AO3fp2-9-rB5Osrmjr5YiCa7d1jmcaevFC1h-cWRnJoZY0QmnRRLmHRvDfOz2tNPJpXFvZpOkM' \
  -H 'X-Requested-With: XMLHttpRequest'

Logs:

10/03/2026 13.16.32 [Information] Request starting "HTTP/2" "GET" "https"://"localhost:44307""""/api/identity/users/lookup/count""" - null null
10/03/2026 13.16.32 [Debug] Starting resolving tenant...
10/03/2026 13.16.32 [Debug] Trying to resolve tenant through '"CurrentUser"'...
10/03/2026 13.16.32 [Debug] Trying to resolve tenant through '"QueryString"'...
10/03/2026 13.16.32 [Debug] Trying to resolve tenant through '"Route"'...
10/03/2026 13.16.32 [Debug] Trying to resolve tenant through '"Header"'...
10/03/2026 13.16.32 [Debug] Trying to resolve tenant through '"Cookie"'...
10/03/2026 13.16.32 [Debug] No tenant resolved.
10/03/2026 13.16.32 [Information] Executing endpoint '"Volo.Abp.Identity.IdentityUserLookupController.GetCountAsync (Volo.Abp.Identity.Pro.HttpApi)"'
10/03/2026 13.16.32 [Information] Route matched with "{controller = "UserLookup", area = "identity", action = "GetCount", page = ""}". Executing controller action with signature "System.Threading.Tasks.Task`1[System.Int64] GetCountAsync(Volo.Abp.Identity.UserLookupCountInputDto)" on controller "Volo.Abp.Identity.IdentityUserLookupController" ("Volo.Abp.Identity.Pro.HttpApi").
10/03/2026 13.16.32 [Information] Authorization failed. "These requirements were not met: PermissionRequirement: AbpIdentity.UserLookup"
10/03/2026 13.16.32 [Warning] ---------- RemoteServiceErrorInfo ----------
{ "code": "Volo.Authorization:010001", "message": "Authorization failed! Given policy has not granted.", "details": null, "data": null, "validationErrors": null }

10/03/2026 13.16.32 [Warning] Volo.Abp.Authorization.AbpAuthorizationException: Exception of type 'Volo.Abp.Authorization.AbpAuthorizationException' was thrown.
   at Microsoft.AspNetCore.Authorization.AbpAuthorizationServiceExtensions.CheckAsync(IAuthorizationService authorizationService, AuthorizationPolicy policy)
   at Volo.Abp.Authorization.MethodInvocationAuthorizationService.CheckAsync(MethodInvocationAuthorizationContext context)
   at Volo.Abp.Authorization.AuthorizationInterceptor.AuthorizeAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Authorization.AuthorizationInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync()
   at Volo.Abp.GlobalFeatures.GlobalFeatureInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync()
   at Volo.Abp.Auditing.AuditingInterceptor.ProceedByLoggingAsync(IAbpMethodInvocation invocation, AbpAuditingOptions options, IAuditingHelper auditingHelper, IAuditLogScope auditLogScope)
   at Volo.Abp.Auditing.AuditingInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync()
   at Volo.Abp.Validation.ValidationInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync()
   at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
   at lambda_method4497(Closure, Object)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.

10/03/2026 13.16.32 [Warning] Code:Volo.Authorization:010001
10/03/2026 13.16.32 [Information] AuthenticationScheme: "Bearer" was challenged.
10/03/2026 13.16.32 [Information] Executed action "Volo.Abp.Identity.IdentityUserLookupController.GetCountAsync (Volo.Abp.Identity.Pro.HttpApi)" in 6.1416ms
10/03/2026 13.16.32 [Information] Executed endpoint '"Volo.Abp.Identity.IdentityUserLookupController.GetCountAsync (Volo.Abp.Identity.Pro.HttpApi)"'
10/03/2026 13.16.32 [Information] Request finished "HTTP/2" "GET" "https"://"localhost:44307""""/api/identity/users/lookup/count""" - 401 0 null 31.5577ms


7 Answer(s)
  • AI-Bot created
    Support Team ABP Agent
    • This is not an API/auth configuration regression in your app. It’s a known limitation of ABP Studio’s built-in browser: the Swagger UI OAuth/OpenID Connect flow completes visually, but Swagger UI cannot persist/use the access token, so requests are sent without the Authorization: Bearer ... header (exactly like your curl example). As a result, the API challenges the Bearer scheme and you get 401.

    • Fix / Workaround

      1. Do not use ABP Studio’s internal browser for Swagger authentication.
      2. Open Swagger UI in a real browser (Chrome/Edge/Firefox):
        • In ABP Studio Solution Runner, right-click your HttpApi.Host (or gateway) app → Copy Url.
        • Paste the URL into your external browser and open /swagger.
      3. Click Authorize, login, then retry the endpoint. You should now see Swagger sending Authorization: Bearer <token> and the request will succeed.
    • No code changes are required in your solution for this specific issue.

    Link (verified):
    https://abp.io/docs/latest/solution-templates/microservice/api-gateways


    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • petri.t created

    Problem exists also in Edge. I tried also InPrivate window.

  • maliming created
    Support Team Fullstack Developer

    hi

    Does your current user have the AbpIdentity.UserLookup permission?

    PermissionRequirement: AbpIdentity.UserLookup"

    Thanks.

  • petri.t created

    UserLookup service was bad example, it gives 403 even when authenticated, /api/account-admin/settings is better example. But basically problem is about missing authentication headers and should therefore affect any endpoint requiring authentication.

    I tried to create new solutions with abp cli version 2.1.9 and 2.2.1. 2.1.9 creates solution for abp version 10.0.2 and 2.2.1 for abp version 10.1.0. In version 10.0.2 swagger does send Authentication header and api calls are able to authenticate. In version 10.1.0 swagger doesn't send Authentication header and therefore any api call requiring authentication can't work.

    Here are steps to create solution with version 10.0.2 where swagger works:

    dotnet tool uninstall -g Volo.Abp.Studio.Cli

    dotnet tool install -g Volo.Abp.Studio.Cli --version 2.1.9

    abp new AbpTest219 --tiered

    Open solution in ABP Studio

    • start everything
    • browse HttpApi.Host-project
    • copy url and open it in chrome or edge
    • login to swagger with admin (and correct scope)
    • try any endpoint that requires authentication, for example /api/account-admin/settings
    • swagger sends Authorization header
    • swagger gives http 200 result:

    { "isSelfRegistrationEnabled": true, "enableLocalLogin": true, "preventEmailEnumeration": false }

    And here are steps to create solution with version 10.1.0 where swagger doesn't work:

    dotnet tool uninstall -g Volo.Abp.Studio.Cli

    dotnet tool install -g Volo.Abp.Studio.Cli --version 2.2.1

    abp new AbpTest221 --tiered

    Open solution in ABP Studio

    • start everything
    • browse HttpApi.Host-project
    • copy url and open it in chrome or edge
    • login to swagger with admin (and correct scope)
    • try any endpoint that requires authentication, for example /api/account-admin/settings
    • swagger doesn't send Authorization header
    • swagger gives http 401 result

    I tried to update the project from ABP Studio to latest version (10.1.1), the same problem still exists. But if I upgrade the project to preview version 10.2.0-rc.2 (requires migration), swagger works again.

    So there seems to be problem in both versions 10.1.0 and 10.1.1, that swagger doesn't send authentication header.

    For me the workaround could be continuing temporarily with preview version, but this seems like a bug in version 10.1 and I don't like to see this problem reappearing in final version of 10.2.

  • algrou created

    I'm facing the same issue. I just created a new project, and I noticed swagger is not sending the authorization header with the request. Did you find a solution for this?

  • maliming created
    Support Team Fullstack Developer

    hi

    I will check it.

    Thanks.

  • maliming created
    Support Team Fullstack Developer

    hi

    This issue has been identified and fixed. It was caused by a scheme name mismatch introduced during the Swashbuckle v10.0 upgrade in ABP 10.1.

    The AddAbpSwaggerGenWithOidc method defines the security scheme as "oidc", but the security requirement incorrectly references "oauth2". This mismatch causes Swagger UI to fail to attach the Bearer token to API requests after authorization.

    Fix PR: https://github.com/abpframework/abp/pull/25071

    Workaround until the patch is released:

    Override the security requirement in your AddAbpSwaggerGenWithOidc setup action:

    context.Services.AddAbpSwaggerGenWithOidc(
        configuration["AuthServer:Authority"]!,
        scopes: new[] { "YourProjectName" },
        setupAction: options =>
        {
            // Remove the existing requirement that references the undefined "oauth2" scheme.
            options.SwaggerGeneratorOptions.SecurityRequirements.Clear();
            // Reference the "oidc" scheme that AddAbpSwaggerGenWithOidc defines.
            options.AddSecurityRequirement(document => new OpenApiSecurityRequirement()
            {
                [new OpenApiSecuritySchemeReference("oidc", document)] = []
            });
        });
    

    Thanks.
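
The scheme name mismatch described in the last answer is visible in the generated OpenAPI document, so it can be checked for directly. The following is an added example, not code from this thread or from ABP: it lists security requirements that name a scheme missing from the document's scheme definitions, and it also covers operation-level requirements and Swagger 2.0 `securityDefinitions`, which goes beyond the document-level case discussed here. The function name, the sample documents and the auth server URL are constructed for illustration.

```javascript
// Added example: report OpenAPI security requirements that name a scheme
// which is not defined in the same document.
const HTTP_METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];

function findDanglingSecurityRequirements(doc) {
  // OpenAPI 3.x keeps schemes under components.securitySchemes,
  // Swagger 2.0 under securityDefinitions.
  const schemes = doc.components?.securitySchemes ?? doc.securityDefinitions ?? {};
  const defined = new Set(Object.keys(schemes));
  const findings = [];
  const check = (requirements, where) => {
    for (const requirement of requirements ?? []) {
      for (const scheme of Object.keys(requirement)) {
        if (!defined.has(scheme)) findings.push({ where, scheme });
      }
    }
  };
  check(doc.security, "document");
  for (const [path, item] of Object.entries(doc.paths ?? {})) {
    for (const method of HTTP_METHODS) {
      if (item[method]) check(item[method].security, `${method.toUpperCase()} ${path}`);
    }
  }
  return { defined: [...defined], findings };
}

// Constructed sample documents (not captured from a real host).
const baseDoc = {
  openapi: "3.0.4",
  components: {
    securitySchemes: {
      oidc: { type: "openIdConnect", openIdConnectUrl: "https://auth.example.test/.well-known/openid-configuration" },
    },
  },
  paths: {
    "/api/account-admin/settings": { get: { responses: { 200: { description: "OK" } } } },
  },
};
// "oauth2" is required but only "oidc" is defined: the mismatch from the thread.
const BROKEN_DOC = { ...baseDoc, security: [{ oauth2: ["AbpTestApp"] }] };
const FIXED_DOC = { ...baseDoc, security: [{ oidc: ["AbpTestApp"] }] };

for (const [label, doc] of [["broken", BROKEN_DOC], ["fixed", FIXED_DOC]]) {
  const { defined, findings } = findDanglingSecurityRequirements(doc);
  console.log(label, "defined:", defined, "dangling:", findings);
}
```

Running the same function over the host's real swagger.json in CI would flag this class of regression before anyone has to notice a missing Authorization header in Swagger UI.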

Made with ❤️ on ABP v10.3.0-preview. Updated on March 11, 2026, 11:45