I have an Authentication Server application (AuthServer) using OpenIddict, and a client application (ClientApp) which has a simple controller action:
Startup client configuration:

    builder.Services
        .AddAuthentication(o => { o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; })
        .AddCookie()
        .AddOAuth("OpenIddict.Server.AspNetCore", o => {
            o.AuthorizationEndpoint = new Uri($"{AuthenticationServerUrl}connect/authorize").AbsoluteUri;
            o.TokenEndpoint = new Uri($"{AuthenticationServerUrl}connect/token").AbsoluteUri;
            o.ClientId = "testoauth";
            o.ClientSecret = "testsecret";
            o.CallbackPath = new PathString("/callback/login/local");
            o.UsePkce = true;
        });

The client controller action:

    [HttpGet("oauth")]
    [Authorize(AuthenticationSchemes = "OpenIddict.Server.AspNetCore")]
    public IActionResult OAuth2() => Ok($"Successfully authorized with authorizationcode flow.");

I think it has something to do with the cookie ".AspNetCore.Identity.Application". Somehow it is not created when using Postman. I see that the cookie is created in the browser dev tools. Postman generates the access_token successfully, but the cookie is not added to the cookies collection.

Fix: After creation of the access_token, Postman does not add this cookie to the request header. It can be found in the Console section of Postman, so add it manually. Do the request again and the action will be called.