Able to log in but getting 401 unauthorized from backend on localhost

[aditya-tribe]

Hello all, I am able to get the application running locally but not able to get any data from the backend. Consistently get 401s from /assistants and /assistant-services and /events etc

When I get a curl from the inspector, the token being sent to the backend looks like an MSAL graph access token and not a JWT. Specifically the backend complains that the JWT doesn't have enough segments and that it can't be decoded.

Any guidance would be really helpful since I am very keen to demo an internal app for agents in production, optimistically using semantic backend as my dashboard. Would love to get it working.

I tried using the default credentials in the .env.example and then also went ahead and followed the custom app guidelines to see if that would help - same issue.

[szenatti]

@aditya-tribe I had the same issue, and the quick fix for me was to create my Own Client ID under Azure App Registration.

First, you need to register a new application in the Azure portal:
Navigate to the Azure portal > Entra Id

1. App registrations > Click on "New registration"
   Fill in the registration details:
   Name: "Semantic Workbench" (or any name you prefer)
   Supported account types: Choose "Accounts in any organizational directory and personal Microsoft accounts"
   Redirect URI:
   Platform: "Single-page application (SPA)"
   URL: https://127.0.0.1:4000 or https://localhost:4000 (for local development)
   Click "Register"

2. Get the Application (Client) ID
   After registration:
   In the Azure portal, go to the "Overview" page of your newly registered app
   Copy the "Application (client) ID" value - this is your new client ID

3. Update Configuration Files
   Now you need to update both the frontend and backend configurations:

For the frontend - workbench-app
Update the .env.local file in the workbench-app directory

For the backend - workbench-service
Create an .env file in the workbench-service directory, and add the following:

Workbench service configuration for custom client ID
WORKBENCH__AUTH__ALLOWED_APP_ID=

4. Restart Both Services

[domlee590]

I am having the same problem. The above solution does not work for me.

---

Location: semantic_workbench_service.middleware
Function: _user_principal_from_request
File: middleware.py:74
Environment: Python with python-jose in virtualenv
Status Code: 401 Unauthorized

Multiple requests are failing due to improperly formatted JWT tokens.
The error consistently occurs when attempting to decode the token header.

---

Click to expand full traceback

# jose/jws.py
File ".../site-packages/jose/jws.py", line 180, in _load
    signing_input, crypto_segment = jwt.rsplit(b".", 1)
ValueError: not enough values to unpack (expected 2, got 1)

# jose/jws.py
File ".../site-packages/jose/jws.py", line 184, in _load
    raise JWSError("Not enough segments")

# jose/jwt.py
File ".../site-packages/jose/jwt.py", line 195, in get_unverified_header
    headers = jws.get_unverified_headers(token)
File ".../site-packages/jose/jws.py", line 94, in get_unverified_header
    header, claims, signing_input, signature = _load(token)
JWTError: Error decoding token headers.

# middleware.py
File "middleware.py", line 74, in _user_principal_from_request
    algorithm: str = jwt.get_unverified_header(token).get("alg") or "RS256"

---

Error Summary

• ValueError: not enough values to unpack (expected 2, got 1)
• Raised as JWSError("Not enough segments")
• Root cause: malformed JWT token — likely missing required header.payload.signature structure.