We are currently using PingFederate as CAS and Microsoft Azure Entra ID as IDP. We want to switch and use only Azure Entra ID as both CAS and IDP. We are able to authenticate users using Entra ID in ThingWorx, but now we want to do API communication between ThingWorx and SAP.
We did an API configuration in Entra ID and are able to generate a token. Now token requests to ThingWorx REST endpoints using OAuth 2.0 access tokens (JWTs) from Azure are returning 401 Unauthorized errors. Token validation appears to fail, and ThingWorx logs show errors related to authentication failure and SSO component issues.
JWT Token & resource setting file:
Unable to figure out why it's failing. In the logs I don't find much information.
2025-12-01 12:53:58.921+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-443-exec-4] Could not handle request
2025-12-01 12:53:58.922+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-443-exec-4] errorMessage: [Unauthorized], statusCode: [401]
2025-12-01 12:53:58.922+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-443-exec-4] [ null ]
2025-12-01 13:01:04.267+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-443-exec-4] [ Failed to utilize the SSO component for authentication ][ null ]
I see you have now opened a case and are working with my colleague Aayushi.
We will be following up with next steps shortly.
-Tyler
Hi @tmisner,
I received the response below from PTC, but we are just doing an API call with a token.
We created two app registrations with scopes and roles, everything. We are successfully able to generate the token. We should be able to connect from ThingWorx to external sources. The main issue is that ThingWorx is not working as a resource provider.
OAuth tokens are used to authorize access to external systems—such as SAP—from ThingWorx. To enable this, you must first set up the appropriate application scope for SAP and then configure the SAP connector within ThingWorx.
Currently, your ThingWorx instance is configured to use SAML for authentication. If you intend to authenticate to ThingWorx using OAuth tokens, you will need to reconfigure ThingWorx to use OIDC and OAuth-based authentication instead of SAML.
If your goal is to use OAuth tokens for accessing SAP from ThingWorx, you will need to define the required OAuth scopes for SAP, configure the SAP connector in ThingWorx, and validate the connection. Please note that attempting to access ThingWorx itself using OAuth tokens will fail under your current security configuration, as ThingWorx is still using SAML rather than OAuth for authentication.
Hello again,
Let's collaborate further through the internal case. I am now working on this one with Aayushi.
We can update this thread further once we have worked out a resolution.
-Tyler
