Fix is working for me too, thanks. I'm just copy/pasting here the full AddAbpSwaggerGenWithOidc code just in case.
Without workaround:
context.Services.AddAbpSwaggerGenWithOidc(
configuration["AuthServer:Authority"]!,
["AbpTest221b"],
[AbpSwaggerOidcFlows.AuthorizationCode],
configuration["AuthServer:MetaAddress"],
options =>
{
options.SwaggerDoc("v1", new OpenApiInfo { Title = "AbpTest221b API", Version = "v1" });
options.DocInclusionPredicate((docName, description) => true);
options.CustomSchemaIds(type => type.FullName);
});
With workaround:
context.Services.AddAbpSwaggerGenWithOidc(
configuration["AuthServer:Authority"]!,
["AbpTest221b"],
[AbpSwaggerOidcFlows.AuthorizationCode],
configuration["AuthServer:MetaAddress"],
options =>
{
options.SwaggerDoc("v1", new OpenApiInfo { Title = "AbpTest221b API", Version = "v1" });
options.DocInclusionPredicate((docName, description) => true);
options.CustomSchemaIds(type => type.FullName);
options.SwaggerGeneratorOptions.SecurityRequirements.Clear();
options.AddSecurityRequirement(document => new OpenApiSecurityRequirement()
{
[new OpenApiSecuritySchemeReference("oidc", document)] = []
});
});
UserLookup service was bad example, it gives 403 even when authenticated, /api/account-admin/settings is better example. But basically problem is about missing authentication headers and should therefore affect any endpoint requiring authentication.
I tried to create new solutions with abp cli version 2.1.9 and 2.2.1. 2.1.9 creates solution for abp version 10.0.2 and 2.2.1 for abp version 10.1.0. In version 10.0.2 swagger does send Authentication header and api calls are able to authenticate. In version 10.1.0 swagger doesn't send Authentication header and therefore any api call requiring authentication can't work.
Here are steps to create solution with version 10.0.2 where swagger works:
dotnet tool uninstall -g Volo.Abp.Studio.Cli
dotnet tool install -g Volo.Abp.Studio.Cli --version 2.1.9
abp new AbpTest219 --tiered
Open solution in ABP Studio
{ "isSelfRegistrationEnabled": true, "enableLocalLogin": true, "preventEmailEnumeration": false }
And here are steps to create solution with version 10.1.0 where swagger doesn't work:
dotnet tool uninstall -g Volo.Abp.Studio.Cli
dotnet tool install -g Volo.Abp.Studio.Cli --version 2.2.1
abp new AbpTest221 --tiered
Open solution in ABP Studio
I tried to update the project from ABP Studio to latest version (10.1.1), the same problem still exists. But if I upgrade the project to preview version 10.2.0-rc.2 (requires migration), swagger works again.
So there seems to be problem in both versions 10.1.0 and 10.1.1, that swagger doesn't send authentication header.
For me the workaround could be continuing temporarily with preview version, but this seems like a bug in version 10.1 and I don't like to see this problem reappearing in final version of 10.2.
Problem exists also in Edge. I tried also InPrivate window.
I recently upgraded my project from ABP 10.0.2 to 10.1.1. With that upgrade swagger authentication stopped working. MVC UI and my external UI using bearer token both works without problems, so problem is limited to swagger. I'm able to reproduce the problem with new application created with cli:
abp --version 2.2.1
abp new AbpTestApp --tiered
Error: response status is 401
Curl example in swagger (missing Authorization header):
curl -X 'GET'
'https://localhost:44307/api/identity/users/lookup/count'
-H 'accept: text/plain'
-H 'RequestVerificationToken: CfDJ8BYhVJtGAV5HrK9f45y0riMpUpsXcJ4DfPeR7pqUE6yne9Y2CxHdVTSKW_T3GNLRh853u24OP2gC6AO3fp2-9-rB5Osrmjr5YiCa7d1jmcaevFC1h-cWRnJoZY0QmnRRLmHRvDfOz2tNPJpXFvZpOkM'
-H 'X-Requested-With: XMLHttpRequest'
Logs:
10/03/2026 13.16.32 [Information] Request starting "HTTP/2" "GET" "https"://"localhost:44307""""/api/identity/users/lookup/count""" - null null 10/03/2026 13.16.32 [Debug] Starting resolving tenant... 10/03/2026 13.16.32 [Debug] Trying to resolve tenant through '"CurrentUser"'... 10/03/2026 13.16.32 [Debug] Trying to resolve tenant through '"QueryString"'... 10/03/2026 13.16.32 [Debug] Trying to resolve tenant through '"Route"'... 10/03/2026 13.16.32 [Debug] Trying to resolve tenant through '"Header"'... 10/03/2026 13.16.32 [Debug] Trying to resolve tenant through '"Cookie"'... 10/03/2026 13.16.32 [Debug] No tenant resolved. 10/03/2026 13.16.32 [Information] Executing endpoint '"Volo.Abp.Identity.IdentityUserLookupController.GetCountAsync (Volo.Abp.Identity.Pro.HttpApi)"' 10/03/2026 13.16.32 [Information] Route matched with "{controller = "UserLookup", area = "identity", action = "GetCount", page = ""}". Executing controller action with signature "System.Threading.Tasks.Task`1[System.Int64] GetCountAsync(Volo.Abp.Identity.UserLookupCountInputDto)" on controller "Volo.Abp.Identity.IdentityUserLookupController" ("Volo.Abp.Identity.Pro.HttpApi"). 10/03/2026 13.16.32 [Information] Authorization failed. "These requirements were not met: PermissionRequirement: AbpIdentity.UserLookup" 10/03/2026 13.16.32 [Warning] ---------- RemoteServiceErrorInfo ---------- { "code": "Volo.Authorization:010001", "message": "Authorization failed! Given policy has not granted.", "details": null, "data": null, "validationErrors": null }
10/03/2026 13.16.32 [Warning] Volo.Abp.Authorization.AbpAuthorizationException: Exception of type 'Volo.Abp.Authorization.AbpAuthorizationException' was thrown.
at Microsoft.AspNetCore.Authorization.AbpAuthorizationServiceExtensions.CheckAsync(IAuthorizationService authorizationService, AuthorizationPolicy policy)
at Volo.Abp.Authorization.MethodInvocationAuthorizationService.CheckAsync(MethodInvocationAuthorizationContext context)
at Volo.Abp.Authorization.AuthorizationInterceptor.AuthorizeAsync(IAbpMethodInvocation invocation)
at Volo.Abp.Authorization.AuthorizationInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync() at Volo.Abp.GlobalFeatures.GlobalFeatureInterceptor.InterceptAsync(IAbpMethodInvocation invocation) at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed) at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo) at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync()
at Volo.Abp.Auditing.AuditingInterceptor.ProceedByLoggingAsync(IAbpMethodInvocation invocation, AbpAuditingOptions options, IAuditingHelper auditingHelper, IAuditLogScope auditLogScope)
at Volo.Abp.Auditing.AuditingInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync() at Volo.Abp.Validation.ValidationInterceptor.InterceptAsync(IAbpMethodInvocation invocation) at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed) at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo) at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync()
at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)
at lambda_method4497(Closure, Object)
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.
10/03/2026 13.16.32 [Warning] Code:Volo.Authorization:010001 10/03/2026 13.16.32 [Information] AuthenticationScheme: "Bearer" was challenged. 10/03/2026 13.16.32 [Information] Executed action "Volo.Abp.Identity.IdentityUserLookupController.GetCountAsync (Volo.Abp.Identity.Pro.HttpApi)" in 6.1416ms 10/03/2026 13.16.32 [Information] Executed endpoint '"Volo.Abp.Identity.IdentityUserLookupController.GetCountAsync (Volo.Abp.Identity.Pro.HttpApi)"' 10/03/2026 13.16.32 [Information] Request finished "HTTP/2" "GET" "https"://"localhost:44307""""/api/identity/users/lookup/count""" - 401 0 null 31.5577ms
