Swagger AddSecurityRequirement Fails After Migrating from .NET 8 to .NET 10 — 401 Unauthorized on [Authorize] Endpoints

Question

Swagger AddSecurityRequirement Fails After Migrating from .NET 8 to .NET 10 — 401 Unauthorized on [Authorize] Endpoints

Tirth Shah 0

Hello Team,

Hope you are doing well.

I previously had a working Swagger configuration in a .NET 8 Web API project. After migrating the project to .NET 10, the existing SwaggerGen and security configuration no longer compile.

Below is the original .NET 8 code snippet:

private static IServiceCollection AddSwagger(this IServiceCollection services)
{
    services.AddSwaggerGen(c =>
    {
        c.SwaggerDoc("v1", new OpenApiInfo { Title = "CMS API", Version = "v1" });

        c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
        {
            Description = @"JWT Authorization header using the Bearer scheme.
                            Enter 'Bearer' [space] and then your token.
                            Example: 'Bearer 12345abcdef'",
            Name = "Authorization",
            In = ParameterLocation.Header,
            Type = SecuritySchemeType.ApiKey,
            Scheme = "Bearer"
        });

        c.AddSecurityRequirement(new OpenApiSecurityRequirement
        {
            {
                new OpenApiSecurityScheme
                {
                    Reference = new OpenApiReference
                    {
                        Type = ReferenceType.SecurityScheme,
                        Id = "Bearer"
                    },
                    Scheme = "oauth2",
                    Name = "Bearer",
                    In = ParameterLocation.Header
                },
                Array.Empty<string>()
            }
        });
    });

    return services;
}

After migrating to .NET 10, the project shows the following compile-time error:

'Func<OpenApiDocument, OpenApiSecurityRequirement>' does not contain a constructor that takes 0 arguments
Object and collection initializer expressions may not be applied to a delegate creation expression

To fix the compile error, I updated the code as follows:

c.AddSecurityRequirement(document =>
{
    OpenApiSecuritySchemeReference? schemeRef = new("Bearer");
    OpenApiSecurityRequirement? requirement = new()
    {
        [schemeRef] = []
    };
    return requirement;
});

However, after applying this change, all [Authorize] endpoints return 401 Unauthorized even when I log in using a valid Bearer token.

Question: What is the correct way to configure AddSecurityRequirement in .NET 10 so Swagger works as expected and [Authorize] endpoints no longer return 401? Any updated examples or guidance for .NET 10 would be greatly appreciated.

Thank you,

Tirth Shah

4 answers

Your answer

Answer 1

Hi @Tirth Shah ,

Thanks for sharing the details!

I see two things happening after your migration from .NET 8 to .NET 10:

The Swagger configuration fails to compile because AddSecurityRequirement now expects a delegate (Func<OpenApiDocument, OpenApiSecurityRequirement>).
Even after updating, [Authorize] endpoints return 401 Unauthorized, which usually points to middleware order or JWT settings rather than Swagger itself.

I recommend you check these out first:

1. Update Swagger configuration for .NET 10 and Swashbuckle v10

Swashbuckle changed how security requirements are added. Define the HTTP Bearer scheme and use a delegate for the requirement:

using Microsoft.OpenApi.Models;
 
const string schemeId = "bearer";
services.AddSwaggerGen(options =>
{
    options.SwaggerDoc("v1", new OpenApiInfo { Title = "CMS API", Version = "v1" });
    options.AddSecurityDefinition(schemeId, new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.Http,
        Scheme = "bearer", // lowercase per RFC 7235
        BearerFormat = "JWT",
        Description = "JWT Authorization header using Bearer scheme"
    });
    options.AddSecurityRequirement(document =>
    {
        var requirement = new OpenApiSecurityRequirement
        {
            {
                new OpenApiSecurityScheme
                {
                    Reference = new OpenApiReference
                    {
                        Type = ReferenceType.SecurityScheme,
                        Id = schemeId
                    }
                },
                Array.Empty<string>() // no scopes for JWT
            }
        };
        return requirement;
    });
});

You can check Swashbuckle migration guide and OpenApiSecurityRequirement Class for better clarity.

2. Check middleware order and JWT settings

Make sure you call:

app.UseSwagger();
app.UseSwaggerUI();
app.UseAuthentication();   // BEFORE endpoints
app.UseAuthorization();
// Then map endpoints
app.MapControllers();      // or MapGroup/MapGet...

before mapping endpoints. Then confirm your AddJwtBearer options match the token’s Issuer, Audience, and SigningKey. Full guidance here: Configure JWT bearer authentication in ASP.NET Core

3. Use Swagger UI correctly

Click Authorize, paste only the raw JWT (do not include Bearer, Swagger adds it automatically). Verify in the “Request” panel that the header shows Authorization: Bearer <token>.

I also found this post that tackled similar issue, maybe you could check it out when you have the time:

https://stackoverflow.com/questions/79834574/authentication-not-working-in-swagger-with-net-10

Disclaimer: Some of these links are non-Microsoft website. The pages appear to be providing accurate, safe information. Watch out for ads on the site that may advertise products frequently classifies as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the site before you decide to download and install it.

I hope this is helpful to you! If you have any more questions, please feel free to reach out. I'll be happy to help out!

Answer 2

To configure AddSecurityRequirement in .NET 10 correctly, you need to ensure that you are using the updated syntax for defining security requirements in Swagger. The error you encountered is likely due to the changes in the way security requirements are defined in .NET 10. Here’s how you can adjust your code:

Updated Code Snippet for .NET 10

private static IServiceCollection AddSwagger(this IServiceCollection services)
{
    services.AddSwaggerGen(c =>
    {
        c.SwaggerDoc("v1", new OpenApiInfo { Title = "CMS API", Version = "v1" });

        c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
        {
            Description = @"JWT Authorization header using the Bearer scheme.\nEnter 'Bearer' [space] and then your token.\nExample: 'Bearer 12345abcdef'",
            Name = "Authorization",
            In = ParameterLocation.Header,
            Type = SecuritySchemeType.ApiKey,
            Scheme = "Bearer"
        });

        c.AddSecurityRequirement(new OpenApiSecurityRequirement
        {
            {
                new OpenApiSecurityScheme
                {
                    Reference = new OpenApiReference
                    {
                        Type = ReferenceType.SecurityScheme,
                        Id = "Bearer"
                    }
                },
                new string[] {}
            }
        });
    });

    return services;
}

Key Changes Explained:

Security Requirement Definition: Ensure that the AddSecurityRequirement method is called with the correct parameters. In the updated example, we create an OpenApiSecurityRequirement directly, which includes the OpenApiSecurityScheme reference and an empty string array for scopes.
Authorization Handling: If you are still receiving 401 Unauthorized responses, double-check that your Bearer token is valid and that the token is being sent correctly in the Authorization header of your requests. You may also want to enable detailed logging to capture any issues with token validation.

Additional Steps for Debugging 401 Errors:

Ensure that the token is not expired and is intended for the resource you are accessing.
Use JwtBearerEvents to log detailed error information, which can help identify why the authorization is failing.

By following these guidelines, you should be able to configure Swagger correctly in .NET 10 and resolve the 401 Unauthorized issues on your [Authorize] endpoints.

References:

Tirth Shah 0 Reputation points

2025-12-04T18:27:54.8966667+00:00

Hello,

After applying your above code, I am getting another compile-time error that i'm sharing here

Error :

'OpenApiSecurityScheme' does not contain a definition for 'Reference'

The type or namespace name 'OpenApiReference' could not be found (are you missing a using directive or an assembly reference?)

Let me know what the correct solutions.

Please give me a code snippet.

Thanks

Tirth Shah

Answer 3

Tirth Shah 0

Hello @Tom Tran (WICLOUD CORPORATION)

Thank you for assisting me with the Bearer token issue. I appreciate your support and guidance.

Now, I have another project where I am not using the Bearer Token concept, but I am using the OAuth2 Concept, and in that, I am encountering the same issues. So, I must have made a mistake. Let me know. I am sharing that here. In the code below, I am getting the same 401 error, so let me know if I have made a mistake.

services.AddSwaggerGen(c =>
{
    c.SupportNonNullableReferenceTypes();
    c.SwaggerDoc(_apiVersion.VersionName,
        new()
        {
            Title = _apiVersion.Title,
            Version = _apiVersion.VersionNumber
        });

    // OAuth2 definition
    c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OAuth2,
        Flows = new()
        {
            AuthorizationCode = new()
            {
                AuthorizationUrl = new($"https://login.microsoftonline.com/{_azureAd.TenantId}/oauth2/v2.0/authorize"),
                TokenUrl = new($"https://login.microsoftonline.com/{_azureAd.TenantId}/oauth2/v2.0/token"),
                Scopes = new Dictionary<string, string>
                {
                    { _azureAd.ApplicationUri, _azureAd.Scopes }
                }
            }
        }
    });

    c.AddSecurityRequirement(document =>
    {
        OpenApiSecuritySchemeReference? schemeRef = new("oauth2");
        OpenApiSecurityRequirement? requirement = new()
        {
            [schemeRef] = []
        };
        return requirement;
    });
});

Tom Tran (WICLOUD CORPORATION) 3,115 Microsoft External Staff Moderator

Hi @Tirth Shah ,

Thanks for the details!

After reviewing your snippet, the main issue is similar to the previous one: Swashbuckle v10 requires a delegate for AddSecurityRequirement, and for OAuth2 you also need to include the scopes that your API expects. If those scopes or the token audience don’t match what the API validates, you’ll see 401 errors.

You should try this out to see if it works:

Update your Swagger configuration for OAuth2 using the new delegate pattern and include the scopes:

using Microsoft.OpenApi.Models;
 
const string oauthSchemeId = "oauth2";
services.AddSwaggerGen(c =>
{
    c.SwaggerDoc("v1", new OpenApiInfo { Title = "My API", Version = "v1" });
    c.AddSecurityDefinition(oauthSchemeId, new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OAuth2,
        Flows = new OpenApiOAuthFlows
        {
            AuthorizationCode = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize"),
                TokenUrl = new Uri($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token"),
                Scopes = new Dictionary<string, string>
                {
                    { $"{azureAd.ApplicationUri}/.default", "Access API" }
                }
            }
        }
    });
    c.AddSecurityRequirement(document =>
    {
        var requirement = new OpenApiSecurityRequirement
        {
            [new OpenApiSecurityScheme
            {
                Reference = new OpenApiReference
                {
                    Type = ReferenceType.SecurityScheme,
                    Id = oauthSchemeId
                }
            }] = new[] { $"{azureAd.ApplicationUri}/.default" }
        };
        return requirement;
    });
});

Make sure authentication and authorization are registered before mapping endpoints:

var app = builder.Build();
 
// Swagger first
app.UseSwagger();
app.UseSwaggerUI(c =>
{
    c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API v1");
    c.OAuthClientId("your-swagger-client    c.OAuthClientId("your-swagger-client-id");
    c.OAuthUsePkce(); // Recommended for SPA clients
    c.OAuthScopes("api://<your-api-app-id>/.default"); // Match exposed API scopes
});
// Critical order for auth
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

Ensure app.UseAuthentication() and app.UseAuthorization() come before MapControllers().
Configure AddJwtBearer with the correct Authority and ValidAudience (App ID URI of your API).

Configure AddJwtBearer so the API validates tokens issued by Azure AD:

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = $"https://login.microsoftonline.com/<tenant-id>/v2.0";
        options.TokenValidationParameters = new TokenValidationParameters
               {
            ValidAudience = "api://<your-api-app-id>", // App ID URI of your API
            ValidateIssuer = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true
        };
    });

Add c.OAuthClientId("<your-swagger-client-id>");
Add c.OAuthUsePkce(); for PKCE support.
Make sure the redirect URI https://<your-host>/swagger/oauth2-redirect.html is registered in Azure AD.

In short:

UseAuthentication() and UseAuthorization() must come before MapControllers().
Swagger UI needs OAuthClientId, OAuthUsePkce(), and correct scopes to request tokens.
API must validate tokens against the correct Authority and Audience.

I hope this helps! I also recommend you check out the documents I sent above for better understand of these concepts.

Tirth Shah 0 Reputation points

2025-12-05T10:49:23.1033333+00:00

Hello @Tom Tran (WICLOUD CORPORATION)

I have read your answer. But using Microsoft.OpenApi.Models; namespace does not exist .Net 10 Framework, so I can't access new OpenApiReference, it's throwing a compile-time error.

Here I am sharing my error with the code. Let me correct the solutions.

Thanks.

Tirth Shah
Tirth Shah 0 Reputation points

2025-12-05T11:03:12.4133333+00:00

Hi @Tom Tran (WICLOUD CORPORATION)

Also, I have configured **OAuthClientId, OAuthUsePkce, **Authority, and Audience.

Additionally, I have implemented authentication according to the needs of my project audience. Let me know if any configurations need from my end.Thanks.

Tirth Shah

Tom Tran (WICLOUD CORPORATION) 3,115 Microsoft External Staff Moderator

Hi @Tirth Shah ,

The compile errors you saw match a .NET Framework/Web API project, where Microsoft.OpenApi.* doesn’t exist. Once the project targets ASP.NET Core (net10.0) and uses Swashbuckle.AspNetCore v10, the types compile and the OAuth2 flow works.

I would recommend you try these steps out:

Project & packages

In your .csproj:

  <TargetFramework>net10.0</TargetFramework>

NuGet: Swashbuckle.AspNetCore (v10.x). No separate Microsoft.OpenApi package needed.

Swagger + OAuth2 (Authorization Code + PKCE)

Use a delegated scope you exposed on your API (e.g., api://<api-app-id>/<scope-name>), not /.default (that’s for app permissions).

using Microsoft.OpenApi.Models;
 
const string oauthSchemeId = "oauth2";
var tenantId = "<tenant-id>";
var apiScope = "api://<api-app-id>/access_as_user"; // example delegated scope
services.AddSwaggerGen(c =>
{
    c.SwaggerDoc("v1", new OpenApiInfo { Title = "My API", Version = "v1" });
    c.AddSecurityDefinition(oauthSchemeId, new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OAuth2,
        Flows = new OpenApiOAuthFlows
        {
            AuthorizationCode = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize"),
                TokenUrl        = new Uri($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token"),
                Scopes = new Dictionary<string, string>
                {
                    { apiScope, "Access API (delegated)" }
                }
            }
        }
    });
    c.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        [ new OpenApiSecurityScheme { Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = oauthSchemeId } } ]
        = new[] { apiScope }
    });

JWT validation on the API

Set Authority and ValidAudience to your API’s Application ID URI (api://<api-app-id>).

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
        options.TokenValidationParameters = new()
        {
            ValidAudience = "api://<api-app-id>",
            ValidateIssuer = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true
        };
    });

Swagger UI (PKCE + redirect)

app.UseSwagger();
app.UseSwaggerUI(c =>
{
    c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API v1");
    c.OAuthClientId("<swagger-client-id>");
    c.OAuthUsePkce();                 // PKCE, no client secret
    c.OAuthScopes(apiScope);          // delegated scope
});
app.UseAuthentication();
app.UseAuthorization();

Register the redirect URI on the Swagger UI client app: https://<host>/swagger/oauth2-redirect.html

Azure AD (Entra ID) setup to avoid 401s

API app: set Application ID URI; define a delegated scope (e.g., access_as_user). Docs: https://learn.microsoft.com/entra/identity-platform/quickstart-configure-app-expose-web-apis
Swagger UI client app: add the redirect URI above and grant delegated permission to the API scope. Docs: https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow

I hope this helps!

Tirth Shah 0 Reputation points

2025-12-05T11:29:14.5766667+00:00
Hello @Tom Tran (WICLOUD CORPORATION)

As I said Earlier new OpenApiReference it's thrown compile time error. I sharing here.

And using Microsoft.OpenApi.Models namespace is not exists in .Net 10.

c.AddSecurityRequirement(new OpenApiSecurityRequirement { [new OpenApiSecurityScheme { Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" } }] = new[] { _azureAd.Scopes } });

So let me know correct OAuth2 Authentication solutions.

Or We can connect over call for the same issues.

Thanks.

Tirth Shah

Answer 4

Gert Kello 0

Struggled with similar upgrade issue, for me helped passing document in reference constructor:

     c.AddSecurityRequirement(document =>
     {
         OpenApiSecuritySchemeReference? schemeRef = new("oauth2", document);

Share via

Swagger AddSecurityRequirement Fails After Migrating from .NET 8 to .NET 10 — 401 Unauthorized on [Authorize] Endpoints

4 answers

Updated Code Snippet for .NET 10

Key Changes Explained:

Additional Steps for Debugging 401 Errors:

Your answer