topic Re: REST API -OAuth Authentication Failed with status code 400 in Dynatrace API

OAuth authentication failed with status code 400

Hazard — Fri, 07 Jun 2024 10:54:34 GMT

Hi guys,

I have a problem using the rest api for oauth authentication.

As described in your documentation I used POST in the request to the following endpoint:

https://sso.dynatrace.com/sso/oauth2/token

I executed the instructions providing all the parameters in the request body, but when I execute the request I get an http error code 400 (Bad Request). How can I solve the problem? The python code follows:

import requests

oauth_client = "my_oauthClient"
oauth_secret = "my_oauthSecret"
oauth_scope = "storage:events:read " \
"storage:buckets:read " \
"account-idm-write " \
"account-idm-read " \
"account-env-read " \
"account-env-write " \
"account-uac-read " \
"account-uac-write " \
"iam-policies-management " \
"iam:policies:write " \
"iam:policies:read " \
"iam:bindings:write " \
"iam:bindings:read " \
"iam:effective-permissions:read"

oauth_resource = "my_urn:dtaccount:xxxxxxxxxxxxxx"

sso_url = "https://sso.dynatrace.com/sso/oauth2/token"

data = {
'grant_type': '"client_credentials"',
'client_id': oauth_client,
'client_secret': oauth_secret,
'scope': oauth_scope,
'resource': oauth_resource}

form_headers = {"Content-Type": "application/x-www-form-urlencoded"}
response = requests.post(sso_url,params={},headers=form_headers,data=data)

auth_status = response.status_code

assert auth_status == 200, f"OAuth authentication for DQL failed with status code {auth_status}"

token = response.json().get("access_token")

Re: REST API -OAuth Authentication Failed with status code 400

erh_inetum — Tue, 14 May 2024 04:59:49 GMT

Hi @Hazard ,

I think the bearer is missing.

So I think the bearer must be captured as data

like you did here:

data = {
'grant_type': '"client_credentials"',
'client_id': oauth_client,
'client_secret': oauth_secret,
'scope': oauth_scope,
'resource': oauth_resource}

and pass it the value captured in the response variable:

form_headers = {"Content-Type": "application/x-www-form-urlencoded"}
response = requests.post(sso_url,params={},headers=form_headers,data=data)

Hope it helps.

Regards,

Elena.

Re: REST API -OAuth Authentication Failed with status code 400

Hazard — Tue, 14 May 2024 07:46:50 GMT

Hi Elena,

Maybe I didn't explain myself well. My problem is that I can't get a Bearer Token. After creating the OAuth2 client, requesting the bearer token from the Dynatrace SSO system via an API call fails. This API Call fail:

https://sso.dynatrace.com/sso/oauth2/token (POST)

and it gives me an http code 400 (Bad Request).

the python code in the previous post explains it well

I hope I explained myself.

Thank you

Re: REST API -OAuth Authentication Failed with status code 400

erh_inetum — Tue, 14 May 2024 08:00:37 GMT

Hi Hazard,

Could you try to add these scopes on "oauth_scope" variable?

settings:objects:read
settings:objects:write
settings:schemas:read
app-engine:apps:run

Regards,

Elena.

Re: REST API -OAuth Authentication Failed with status code 400

Hazard — Tue, 14 May 2024 08:12:08 GMT

So do I have to recreate the Oauth client by adding these scopes, in addition to the ones already present? Should I try this?

Re: REST API -OAuth Authentication Failed with status code 400

erh_inetum — Tue, 14 May 2024 08:17:17 GMT

Yes, I do. I would try it. With these scopes, it works for me.

Re: REST API -OAuth Authentication Failed with status code 400

Hazard — Tue, 14 May 2024 08:21:24 GMT

Hi elena,

So, I'll recreate the Oauth Client by adding the following scopes and let you know ok?

settings:objects:read
settings:objects:write
settings:schemas:read
app-engine:apps:run

storage:buckets:read
account-idm-write
account-idm-read
account-env-read
account-env-write
account-uac-read
account-uac-write
iam-policies-management
iam:policies:write
iam:policies:read
iam:bindings:write
iam:bindings:read

iam:effective-permissions:read

Re: REST API -OAuth Authentication Failed with status code 400

erh_inetum — Tue, 14 May 2024 08:24:06 GMT

Sure.

Re: REST API -OAuth Authentication Failed with status code 400

Hazard — Tue, 14 May 2024 09:27:18 GMT

Sorry Helena,

but it failed again....

Follow Postman Request.

This thing is driving me crazy!

Re: REST API -OAuth Authentication Failed with status code 400

erh_inetum — Tue, 14 May 2024 09:49:30 GMT

Hi Hazard,

This is my configuration on Postman and returns the bearer:

The only difference that I see it's the "grant type" key. You could try to remove it and test if it works.

Re: REST API -OAuth Authentication Failed with status code 400

Hazard — Tue, 14 May 2024 10:00:03 GMT

Hi Helena,

I removed the "grant_type" key but I still get the same result. It doesn't provide me with the bearer.....

Re: REST API -OAuth Authentication Failed with status code 400

erh_inetum — Tue, 14 May 2024 13:59:19 GMT

Hi again Hazard,

Adding "grant_type" it also works:

In the answer of the POST you can see the used scopes.

Please, be sure that the value of "scope" key contains the same scopes you have defined for the client_id on Identity & Access Managment > OAuth clients. And also be sure the client_id is the desired client_id you want to use.

If it doesn´t work, I'm afraid I haven´t more ideas.

Regards,

Elena

Re: OAuth authentication failed with status code 400

DaveOps — Tue, 13 Aug 2024 08:43:08 GMT

I have the same issue:

curl --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=xx' \
--data-urlencode 'client_secret=xx' \
--data-urlencode 'resource=urn:dtaccount:xx' \
--data-urlencode 'scope=app-engine:apps:install app-engine:apps:run'

{"errorCode":400,"message":"Bad Request","issueId":"WUQIHC74YTS7NMJO","error":"invalid_request","error_description":""}%

Re: OAuth authentication failed with status code 400

DaveOps — Tue, 13 Aug 2024 08:56:07 GMT

When I leave out the scope and resource field a bearer is returned:

curl --location --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=client_credentials' \ --data-urlencode 'client_id=yy' \ --data-urlencode 'client_secret=zz' {"scope":"app-engine:apps:install","token_type":"Bearer","expires_in":300,"access_token":"ey....

Re: OAuth authentication failed with status code 400

DaveOps — Tue, 13 Aug 2024 09:01:51 GMT

What I am missing is all the scopes that are needed for my use case to install a custom build react app via the deployment pipeline.

app-engine:apps:install
app-engine:apps:run
app-engine:apps:delete

What could be the reason?

Re: REST API -OAuth Authentication Failed with status code 400

andre_vdveen — Sat, 12 Apr 2025 11:10:56 GMT

Hi @Hazard remove the quotes around client_credentials for the grant_type query parameter.

You had it like this:

But it should be without the "" around client_credentials, like this:

I confirmed it in Postman, with "" it breaks.

Re: OAuth authentication failed with status code 400

MarwanC — Wed, 04 Jun 2025 16:10:40 GMT

Maybe you have already solved, but this is for the records

You need to specify exactly the list of scopes that you already exactly defined during the OAuth2 client creation not new ones, you list them by space separated. If you need all of them simply omit the scope parameters then you get them all.

Example on windows

curl -X POST "https://sso.dynatrace.com/sso/oauth2/token" ^
-H "Content-Type: application/x-www-form-urlencoded" ^
-d "grant_type=client_credentials" ^
-d "scope=environment-api:entities:read" ^
-d "client_id=YOUR_ID" ^
-d "client_secret=YOUR_CLIENT°SECRET" ^
-d "resource=YOUR_URN"

You should get this response

curl -X POST "https://sso.dynatrace.com/sso/oauth2/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id="YOUR_CLIENT_ID" -d "client_secret="YOUR_CLIENT°SECRET" -d "resource=YOUR_URN"

{"scope":"storage:entities:read environment-api:entities:read","token_type":"Bearer","expires_in":300,"access_token":"YOUR_BEARER_TOKEN","resource":"YOUR_URN"}

Hope this helps

Re: OAuth authentication failed with status code 400

MarwanC — Mon, 16 Jun 2025 08:27:50 GMT

Leave the scope list out, yo will get all what you define before. This should work.