Authentication with policy based is not working

I have a .net core app that uses OpenIdConnect as default authentication scheme using a custom Authorization server

services.AddAuthentication(authenticationOptions =>
            {
                authenticationOptions.DefaultAuthenticateScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect(openIdOptions =>
            {
                openIdOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                openIdOptions.Authority = issuer;
                openIdOptions.RequireHttpsMetadata = true;
                openIdOptions.ClientId = Configuration["Okta:ClientId"];
                openIdOptions.CallbackPath = OktaDefaults.CallbackPath;
                openIdOptions.ClientSecret = Configuration["Okta:ClientSecret"];
                openIdOptions.ResponseType = OpenIdConnectResponseType.Token;
                openIdOptions.GetClaimsFromUserInfoEndpoint = true;
                openIdOptions.Scope.Add("openid");
                openIdOptions.Scope.Add("profile");
                openIdOptions.Scope.Add("groups");
                openIdOptions.SaveTokens = true;
            });

I am also using policy based authentication
services.AddAuthorization(authOptions =>
{
authOptions.AddPolicy(“QSGAdminPolicy”,
policy => policy.RequireRole(Configuration.GetValue(“SecurityRoles:QSGAdminRole”)));

            authOptions.AddPolicy("QSGReadOnlyPolicy",
                policy => policy.RequireRole(Configuration.GetValue<string>("SecurityRoles:QSGReadOnlyRole")));

            authOptions.AddPolicy("QSGReviewerPolicy",
                policy => policy.RequireRole(Configuration.GetValue<string>("SecurityRoles:QSGReviewerRole"), Configuration.GetValue<string>("SecurityRoles:QSGTraderRole"), Configuration.GetValue<string>("SecurityRoles:.QSGAdminRole")));

            authOptions.AddPolicy("QSGTraderPolicy",
               policy => policy.RequireRole(Configuration.GetValue<string>("SecurityRoles:QSGTraderRole"), Configuration.GetValue<string>("SecurityRoles:QSGAdminRole")));
        });

in my controller I marking the API with authorize tag and the policy
[Route(“test/authentication”)]
[HttpGet]
[Authorize(Policy = “QSGReviewerPolicy”)]
public ActionResult GetTestAuth()
{
var claims = HttpContext.User.Claims;
return “user allowed”;

        }

but I am getting error:

fail: Microsoft.AspNetCore.Server.Kestrel[13]
      Connection id "0HLU51T84D7HA", Request id "0HLU51T84D7HA:00000001": An unhandled exception was thrown by the application.
System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at System.Security.Claims.ClaimsIdentity.HasClaim(String type, String value)
   at System.Security.Claims.ClaimsPrincipal.IsInRole(String role)
   at Microsoft.AspNetCore.Authorization.Infrastructure.RolesAuthorizationRequirement.<>c__DisplayClass4_0.<HandleRequirementAsync>b__0(String r)
   at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
   at Microsoft.AspNetCore.Authorization.Infrastructure.RolesAuthorizationRequirement.HandleRequirementAsync(AuthorizationHandlerContext context, RolesAuthorizationRequirement requirement)
   at Microsoft.AspNetCore.Authorization.AuthorizationHandler`1.HandleAsync(AuthorizationHandlerContext context)
   at Microsoft.AspNetCore.Authorization.Infrastructure.PassThroughAuthorizationHandler.HandleAsync(AuthorizationHandlerContext context)
   at Microsoft.AspNetCore.Authorization.DefaultAuthorizationService.AuthorizeAsync(ClaimsPrincipal user, Object resource, IEnumerable`1 requirements)
   at Microsoft.AspNetCore.Authorization.Policy.PolicyEvaluator.AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, Object resource)
   at Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

It seems that it is not finding the values in the groups claim. if I remove the policy from the controller and use just [Authorize] it works and I receive back a token with the groups claim
how can I secure my API with policy at authentication?

Have you configured a groups claim for the custom Authorization Server? Are you seeing this claim populated for an ID token generated by that authorization server?

Yes I do see it. when I remove the policy from the controller using [Authorize] only
[Authorize]
public ActionResult GetTestAuth()

it authorizes and the token that I get back has the Groups.