Skip to main content
Version: 2026.04.0

Troubleshooting

401 Unauthorized on every endpoint

Cause: RequireAuthenticatedUser defaults to true, and you have not configured auth correctly.

What to check:

  • app.UseAuthentication() runs before app.UseAuthorization().
  • app.MapPrimusMembershipEndpoints() is mapped after auth middleware.
  • Your authenticated principal includes NameIdentifier.

InvalidOperationException about missing NameIdentifier

Cause: the current implementation requires ClaimTypes.NameIdentifier on authenticated principals.

What to check:

  • Your auth handler or identity provider maps a stable user ID into NameIdentifier.
  • You are not relying only on sub or email without mapping NameIdentifier.

404 Not Found on membership, invitation, or active-tenant routes

Cause: the record is genuinely missing in the current implementation.

Examples:

  • Active tenant was never selected.
  • Invitation ID does not exist.
  • Membership was already deleted or never created.

Invitation acceptance fails

Common causes:

  • Email mismatch while RequireMatchingEmailOnAcceptance is true.
  • Token payload does not match the invitation route.
  • The invitation is revoked, expired, or already consumed.
  • Protection errors fail closed while FailClosedOnProtectionErrors is true.

Bootstrap admin fails unexpectedly

Common causes:

  • The tenant already has an active membership for that user.
  • Host-level policy configuration blocks the admin route.
  • You expected bootstrap to create RBAC assignments automatically without the RBAC bridge.

Current run evidence

  • sdk/dotnet/tests/PrimusSaaS.Memberships.Tests/Integration/MembershipEndpointEdgeCaseTests.cs Current run covers auth defaults, missing-NameIdentifier, missing records, and policy metadata.
  • sdk/dotnet/tests/PrimusSaaS.Memberships.Tests/Unit/InvitationServiceTests.cs Current run covers wrong-email acceptance and revoked invitation rejection.
  • sdk/dotnet/tests/PrimusSaaS.Memberships.Tests/Unit/MembershipsRiskReductionTests.cs Current run covers token-route mismatch, expired or consumed invitation behavior, fail-closed protection errors, and bootstrap duplicate protection.