Reputation: 881
I have faced a problem while implementing OIDC authentication in my monolithic web app. I am using Keycloak, and a user can access it via a public URL. The web app can only access it using the private URL. All the auth communication logic is handled by this particular monolith.

So my idea for authenticating users was to implement an OnRedirectToIdentityProvider event handler where I would redirect auth requests to a new authentication URL with the IssuerAddress changed to the Keycloak public URL.
Here is my OIDC configuration:
```csharp
private void ConfigureOptions(OpenIdConnectOptions options)
{
    options.Authority = _options.RealmUrl; // the URL is private
    options.ClientId = _options.ClientId;
    options.RequireHttpsMetadata = _options.SslRequired;
    options.ClientSecret = _options.Secret;
    options.GetClaimsFromUserInfoEndpoint = true; // the handler calls UserInfo after the code exchange
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.UsePkce = true;
    options.SaveTokens = true;
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.SignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ClockSkew = _options.TokenClockSkew,
        ValidateAudience = _options.ValidateAudience,
        ValidateIssuer = false, // issuer check disabled because the public and private URLs differ
        NameClaimType = ClaimHelper.Login,
        RoleClaimType = ClaimHelper.Role
    };
    // Hook the challenge redirect so the browser is sent to the public URL.
    options.Events.OnRedirectToIdentityProvider = OnRedirectToIdentityProvider;
}
```
and here is the OnRedirectToIdentityProvider handler:
```csharp
private Task OnRedirectToIdentityProvider(RedirectContext ctx)
{
    return RedirectToIdentityProvider(ctx, ctx.HandleResponse);
}

// The unused generic parameter <T> has been dropped: it could not be inferred
// from the call above and stopped the code from compiling.
private Task RedirectToIdentityProvider(RedirectContext ctx, Action handleResponseAction)
{
    // Build a fresh authentication request instead of reusing ctx.ProtocolMessage.
    var msg = new OpenIdConnectMessage
    {
        ClientSecret = _options.Secret,
        ClientId = _options.ClientId,
        ResponseType = OpenIdConnectResponseType.Code,
        Scope = "openid email profile roles",
        ResponseMode = "form_post",
        IssuerAddress = _configuration.GetSection(PublicAuthorizationEndpointUrl).Value, // here I set the public Keycloak URL
        RedirectUri = "https" + Uri.SchemeDelimiter + ctx.Request.Host + ctx.Request.PathBase + "/signin-oidc",
        Nonce = Guid.NewGuid().ToString("N"), // generated here, not taken from the handler's message
        RequestType = OpenIdConnectRequestType.Authentication
    };

    // New AuthenticationProperties: only the redirect URI for the code exchange is carried in state.
    var properties = new AuthenticationProperties();
    properties.Items[OpenIdConnectDefaults.RedirectUriForCodePropertiesKey] = msg.RedirectUri;
    msg.State = ctx.Options.StateDataFormat.Protect(properties);

    var url = msg.CreateAuthenticationRequestUrl();
    ctx.Response.Redirect(url);
    handleResponseAction.Invoke(); // tell the handler the response has been written
    return Task.CompletedTask;
}
```
Unfortunately, it does not work and fails while accessing the UserInfo endpoint: a 401 Unauthorized error is returned.

After investigating the OpenIdConnectHandler sources, I found that the exception was probably thrown by the OpenIdConnectHandler.OpenIdConnectHandler method: https://github.com/dotnet/aspnetcore/blob/main/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs#L1057.

I assume that it is due to an incorrectly generated access token, as explained here: https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-invoking-userinfo-endpoint-openid-connect. But I have no idea how to fix that.

I would appreciate any help.
Upvotes: 1
Views: 40
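As an added example (not code from the question above), the following shows a way to send the browser to the public Keycloak URL without discarding the handler's own protections: instead of building a fresh OpenIdConnectMessage, the OnRedirectToIdentityProvider event only rewrites IssuerAddress on the message the handler has already prepared, so the nonce cookie, the correlation id, the PKCE code_verifier and the protected state all stay in place, and issuer validation can stay enabled. The names KeycloakOptions, PublicRealmUrl, KeycloakOidcConfigurator and ToPublicUrl are assumptions made for this example, and the sample URLs in the comments are constructed.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical settings class (assumed for this example): RealmUrl is reachable
// from the web app only, PublicRealmUrl is the one the user's browser can reach.
public sealed class KeycloakOptions
{
    public string RealmUrl { get; set; } = "";        // constructed example: http://keycloak.internal:8080/realms/demo
    public string PublicRealmUrl { get; set; } = "";  // constructed example: https://sso.example.com/realms/demo
    public string ClientId { get; set; } = "";
    public string Secret { get; set; } = "";
}

public sealed class KeycloakOidcConfigurator
{
    private readonly KeycloakOptions _options;

    public KeycloakOidcConfigurator(KeycloakOptions options) => _options = options;

    public void Configure(OpenIdConnectOptions options)
    {
        // Back-channel traffic (discovery, token, JWKS, userinfo) is fetched by the app
        // over the private URL, so discovery points there explicitly.
        options.MetadataAddress = _options.RealmUrl.TrimEnd('/') + "/.well-known/openid-configuration";
        // Authority names the issuer the app expects to see in tokens.
        options.Authority = _options.PublicRealmUrl;

        options.ClientId = _options.ClientId;
        options.ClientSecret = _options.Secret;
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.UsePkce = true;                      // handler adds code_challenge and keeps code_verifier in state
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Add("email");
        options.Scope.Add("profile");
        options.Scope.Add("roles");
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.SignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Keep issuer validation on and pin it to the issuer value the tokens carry,
            // rather than switching the check off to work around the URL mismatch.
            ValidateIssuer = true,
            ValidIssuer = _options.PublicRealmUrl.TrimEnd('/'),
            ValidateAudience = true,
            ValidAudience = _options.ClientId
        };

        options.Events.OnRedirectToIdentityProvider = ctx =>
        {
            // When this event fires, the handler has already put nonce, state and the
            // PKCE code_challenge on ctx.ProtocolMessage and written its nonce and
            // correlation cookies. Only the authorize endpoint's host is swapped here;
            // the handler then protects the state and builds the redirect URL itself.
            ctx.ProtocolMessage.IssuerAddress = ToPublicUrl(ctx.ProtocolMessage.IssuerAddress);
            return Task.CompletedTask;
        };
    }

    // Replaces the private realm prefix of an endpoint URL with the public one.
    // Endpoints outside the private realm are returned unchanged.
    public string ToPublicUrl(string endpoint)
    {
        var privateBase = _options.RealmUrl.TrimEnd('/');
        var publicBase = _options.PublicRealmUrl.TrimEnd('/');
        if (endpoint.StartsWith(privateBase, StringComparison.OrdinalIgnoreCase))
        {
            return publicBase + endpoint.Substring(privateBase.Length);
        }
        return endpoint;
    }
}
```

Wire it up with `services.AddAuthentication(...).AddOpenIdConnect(o => new KeycloakOidcConfigurator(settings).Configure(o))`. One assumption to verify in the deployment: ValidIssuer must equal the `iss` claim Keycloak actually places in the tokens, and Keycloak derives that value from its hostname / frontend URL configuration rather than from the ASP.NET Core side. Comparing the `issuer` field of the discovery document fetched through the private URL with the one fetched through the public URL shows whether the two addresses agree; if they do not, a token issued under one issuer can be rejected by endpoints reached through the other, and the fix belongs in Keycloak's hostname settings rather than in the redirect handler.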