This repository has been archived by the owner on Dec 14, 2017. It is now read-only.

401 While using IdentityServer and the protected WebApi in the same app #159

Open
marzoukali opened this issue Sep 5, 2017 · 0 comments

marzoukali commented Sep 5, 2017

Here's my startup.cs:

    using System;
    using System.IO;
    using System.Security.Cryptography.X509Certificates;
    using System.Web.Http;
    using System.Web.Mvc;
    using IdentityServer3.AccessTokenValidation;
    using Owin;

    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Configure IdSrv before any AutoFac DI registration
            app.ConfigureIdentityServer();

            // Configure WebApi, MVC, with AutoFac
            var httpConfig = new HttpConfiguration();
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
            WebApiConfig.Register(httpConfig);
            SwaggerConfig.Register(httpConfig);

            // Configure WebApi as a scope of the IdSrv that protects it.
            app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = ConfigMngr.GetAppSettingsValue<string>("IdSrv:PublicOrigin"),
                RequiredScopes = new[] { "BS.APIs" },
                // We use the line below because the WebApis and IdentityServer are hosted in the same web app.
                DelayLoadMetadata = true,
                // The 2 lines below are used for JWT
                //IssuerName = "https://bsidentity.local/identity/",
                //SigningCertificate = LoadWebApiCertificate(),
                ClientId = "42fae5e007ad",
                ClientSecret = "a7c4c3c14003",
                EnableValidationResultCache = false,
                ValidationMode = ValidationMode.ValidationEndpoint,
            });

            app.UseWebApi(httpConfig);

            ConfigureIOC(app, httpConfig);
            app.UseAutofacMvc();
            app.UseAutofacWebApi(httpConfig);
        }

        /// <summary>
        /// Load the certificate that signs the Id or JWT token
        /// </summary>
        /// <returns>The signing certificate loaded from the configured path.</returns>
        private static X509Certificate2 LoadWebApiCertificate()
        {
            //TODO: We need to create our own self-signed certificate.
            string baseDirectory = AppDomain.CurrentDomain.BaseDirectory;
            return new X509Certificate2(
                Path.Combine(baseDirectory, ConfigMngr.GetAppSettingsValue<string>("IdSrv:SigningCertificatePath")),
                ConfigMngr.GetAppSettingsValue<string>("IdSrv:SigningCertificatePassword"));
        }
    }

I tried a lot of solutions like:

  • Reordering all the middlewares by putting app.UseIdentityServerBearerTokenAuthentication before and after app.UseWebApi(httpConfig); I tried a lot of orders.
  • Rechecking the scope and client configurations and adding some explicit configs like ClientId and ClientSecret.
  • I tried to separate WebApi, MVC and Identity, each in a separate pipeline using app.Map, but the same issue exists.

I want a way to find out the exact reason behind the 401 Unauthorized. I think AccessTokenValidation didn't trigger at all? Is it an issue with AutoFac or with an incompatible NuGet library version (for example IdentityModel and AccessTokenValidation) between projects? I checked most of the questions, configurations and documentation, and the issue still exists.

Are there any suggestions, please?
