IdentityServer call API with token delivered to MVC client wit hybrid flow

So I have a solution with the following projects: - MVC for my Authorization Server (Identity Server with Identity) - MVC client - MVC API

What I try to achieve is to have a user connecting in the MVC client with the help of the authorization server and then using the access token delivered to call my API.

So I have the following configuration:

Authorization server :

In the Startup.cs :

            // Add Identity Server 4
        services.AddIdentityServer()
            .AddSigningCredential(cert)
            .AddInMemoryPersistedGrants()
            .AddClientStore<ClientStore>()
            .AddResourceStore<ResourceStore>()
            .AddAspNetIdentity<User>();

        services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
        {
            microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ApplicationId"];
            microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:Password"];
        });

Configuration of the client :

new Client
            {
                ClientId = "EchinoManagerMVC",
                ClientName = "MVC for Echino Manager",
                AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

                ClientSecrets =
                {
                    new Secret("EchinoManagerMVCSecret".Sha256())
                },

                // where to redirect to after login
                RedirectUris = { "https://localhost:44380/signin-oidc" },

                // where to redirect to after logout
                PostLogoutRedirectUris = { "https://localhost:44380/signout-callback-oidc" },

                AllowedScopes = new List<string>
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "echinomanagerapi"
                },
                AllowOfflineAccess = true,
                AlwaysIncludeUserClaimsInIdToken = true,
                AlwaysSendClientClaims = true,
                RequireConsent = false
            }

My APIResource :

                new ApiResource
            {
                Name = "EchinoManagerAPI",
                ApiSecrets =
                {
                    new Secret("EchinoManagerAPISecret".Sha256())
                },

                UserClaims =
                {
                    JwtClaimTypes.Email
                },

                Scopes =
                {
                    new Scope()
                    {
                        Name = "echinomanagerapi",
                        DisplayName = "Access to the API of Echino Manager"
                    }
                }
            }

In my MVC client:

Startup.cs :

public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.SignInScheme = "Cookies";

            options.Authority = Configuration["ApplicationOptions:AuthorizeServer"];

            options.ClientId = Configuration["ApplicationOptions:ClientId"];
            options.ClientSecret = Configuration["ApplicationOptions:ClientSecret"];
            options.ResponseType = "code id_token";
            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;

            options.Scope.Add("echinomanagerapi");
            options.Scope.Add("offline_access");
        });

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

In my controller calling the API:

    [Authorize]
public class TenantController : Controller
{
    public async Task<IActionResult> Index()
    {
        var accessToken = await HttpContext.GetTokenAsync("access_token");

        var client = new HttpClient();

        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        //var content = await client.GetStringAsync("https://loginservices.echino2.p.azurewebsites.net/echinoapi/tenant");
        //var content = await client.GetStringAsync("https://localhost:44366/echinoapi/tenant");
        var content = await client.GetStringAsync("https://localhost:44300/api/values");

        ViewBag.Json = JArray.Parse(content).ToString();
        return View();
    }
}

In my MVC API:

        public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

        services.AddAuthorization();

        services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = Configuration["ApplicationOptions:AuthorizeServer"];
            options.ApiName = Configuration["ApplicationOptions:ApiName"];
            options.ApiSecret = Configuration["ApplicationOptions:ApiSecret"];
        });
    }

The controller :

    [Route("api/[controller]")]
[ApiController]
[Authorize(AuthenticationSchemes = "Bearer")]
public class ValuesController : ControllerBase
{
    // GET api/values
    [HttpGet]
    public ActionResult<IEnumerable<string>> Get()
    {
        return new string[] { "value1", "value2" };
    }

    // GET api/values/5
    [HttpGet("{id}")]
    public ActionResult<string> Get(int id)
    {
        return "value";
    }
}

So when I launch my solution and i access the /tenant in my MVC client it's redirect me to the authorization server where I have to log in, and then I get back in the MVC client. This part is working fine.

But my call to my API return me a 401 unauthorized.

I've checked I if have an access token in my tenant controller and I got one, for example :

eyJhbGciOiJSUzI1NiIsImtpZCI6IjJFMzdFNzQ5N0RCODI4QzRFNzdFQUI4NTE4MDU3OUZGQ0IwMDgwMTAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJMamZuU1gyNEtNVG5mcXVGR0FWNV84c0FnQkEifQ.eyJuYmYiOjE1NDQ3MDQ1OTksImV4cCI6MTU0NDcwODE5OSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMzQiLCJhdWQiOlsiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMzQvcmVzb3VyY2VzIiwiRWNoaW5vTWFuYWdlckFQSSJdLCJjbGllbnRfaWQiOiJFY2hpbm9NYW5hZ2VyTVZDIiwic3ViIjoiNWMxMjMyZTIzYWExODE3MGVjYTJmMjdlIiwiYXV0aF90aW1lIjoxNTQ0NzA0NTk5LCJpZHAiOiJsb2NhbCIsImVtYWlsIjoic3RlcGhhbmUubWFydGlnbmllcjFAd2l0Y2hsYWtlLmNoIiwic2NvcGUiOlsib3BlbmlkIiwicHJvZmlsZSIsImVjaGlub21hbmFnZXJhcGkiLCJvZmZsaW5lX2FjY2VzcyJdLCJhbXIiOlsicHdkIl19.g61xKFcROTDuw_rmFWLHKSoJIIhyzzil-hPK44PvCioKVeeKB3ZrKtmNvw0aa240e_6Y6X2r3QZ2CR0V3T-lZmAJeIm0oN8MznUNjKB-h5FxxVvwwnbBU3_HYS5fNIl6XhKeOZGsIU-ZNBYBZ3FrDwrLPm3uHXVYyCQ5X1ZAldjV1HJ_th6T-PEdQozHZn37EXcqakU4uY1RpiT_ZEMFnllXWZVFBYCEy3OsOmAv5NlD5jkUp2XeuCoQ5vsT1XhO2Qkj5HS398MmJp0wObs-V1dUz2iKVjbQzo3eHZo3lsEiqKfg5lpTxrQHm07sGuyB84utuPYrKFCI_4nkeHF9tM9SEF1Au0DbD2O2nWYUoxa7RjFlMLxOu1uH6FNLYzBlbhbPsB9rhLK0byySmZM5bAaVHC4e71iyI2ZHJJx_K7VuHkAmqoraJ5KtcJB-zAdkKserdUc7xcPI9scIQpGf28EdrWG_xKUc1OjjtvZApJmKiDc7REFGiAIRA6xm20PSaySEyrQjb2nQxDer9f04bBhignb02NRC_n8sLciw7cOM4yVBW5FKHj_7jCTzU6U1XY65-UX0z_pKkvrxtqJpRl8JexEU7c6XQ6FcCwXB6TKxhZ7NzjgS6vmSMRXrEBEgtnWqrZv5A_sA7yhVeLHbSfx94nPUc4ru6POWbSzFja8

(use JWT.io to see the content).

Apparently I have an issue with the validate audience, because in my log I can find :

"Audience validation failed. Audiences: 'https://localhost:44334/resources, EchinoManagerAPI'. Did not match: validationParameters.ValidAudience: 'EchinoManagerMVC' or validationParameters.ValidAudiences: 'null'."

So my question is : What I am missing in my configuration so I can use the access_token delivered by the authorization server to call my API?

Thanks in advance