11 May 2024 03:14 PM - last edited on 07 Jun 2024 11:54 AM by Michal_Gebacki
Hi guys,
I have a problem using the REST API for OAuth authentication.
As described in your documentation I used POST in the request to the following endpoint:
https://sso.dynatrace.com/sso/oauth2/token
I executed the instructions providing all the parameters in the request body, but when I execute the request I get an HTTP error code 400 (Bad Request). How can I solve the problem? The Python code follows:
import requests
oauth_client = "my_oauthClient"
oauth_secret = "my_oauthSecret"
oauth_scope = "storage:events:read " \
"storage:buckets:read " \
"account-idm-write " \
"account-idm-read " \
"account-env-read " \
"account-env-write " \
"account-uac-read " \
"account-uac-write " \
"iam-policies-management " \
"iam:policies:write " \
"iam:policies:read " \
"iam:bindings:write " \
"iam:bindings:read " \
"iam:effective-permissions:read"
oauth_resource = "my_urn:dtaccount:xxxxxxxxxxxxxx"
sso_url = "https://sso.dynatrace.com/sso/oauth2/token"
data = {
'grant_type': '"client_credentials"',
'client_id': oauth_client,
'client_secret': oauth_secret,
'scope': oauth_scope,
'resource': oauth_resource}
form_headers = {"Content-Type": "application/x-www-form-urlencoded"}
response = requests.post(sso_url,params={},headers=form_headers,data=data)
auth_status = response.status_code
assert auth_status == 200, f"OAuth authentication for DQL failed with status code {auth_status}"
token = response.json().get("access_token")
14 May 2024 05:59 AM
Hi @Hazard ,
I think the bearer is missing.
So I think the bearer must be captured as data
like you did here:
data = {
'grant_type': '"client_credentials"',
'client_id': oauth_client,
'client_secret': oauth_secret,
'scope': oauth_scope,
'resource': oauth_resource}
and pass it the value captured in the response variable:
form_headers = {"Content-Type": "application/x-www-form-urlencoded"}
response = requests.post(sso_url,params={},headers=form_headers,data=data)
Hope it helps.
Regards,
Elena.
14 May 2024 08:46 AM
Hi Elena,
Maybe I didn't explain myself well. My problem is that I can't get a Bearer Token. After creating the OAuth2 client, requesting the bearer token from the Dynatrace SSO system via an API call fails. This API call fails:
https://sso.dynatrace.com/sso/oauth2/token (POST)
and it gives me an HTTP code 400 (Bad Request).
The Python code in the previous post explains it well.
I hope I explained myself.
Thank you
14 May 2024 09:00 AM
Hi Hazard,
Could you try to add these scopes on "oauth_scope" variable?
settings:objects:read
settings:objects:write
settings:schemas:read
app-engine:apps:run
Regards,
Elena.
14 May 2024 09:12 AM
So do I have to recreate the Oauth client by adding these scopes, in addition to the ones already present? Should I try this?
14 May 2024 09:17 AM
Yes, I do. I would try it. With these scopes, it works for me.
14 May 2024 09:21 AM
Hi Elena,
So, I'll recreate the OAuth client by adding the following scopes and let you know, OK?
settings:objects:read
settings:objects:write
settings:schemas:read
app-engine:apps:run
storage:buckets:read
account-idm-write
account-idm-read
account-env-read
account-env-write
account-uac-read
account-uac-write
iam-policies-management
iam:policies:write
iam:policies:read
iam:bindings:write
iam:bindings:read
iam:effective-permissions:read
14 May 2024 10:27 AM
Sorry Helena,
but it failed again....
The Postman request follows.
This thing is driving me crazy!
14 May 2024 10:49 AM
Hi Hazard,
This is my configuration on Postman and returns the bearer:
The only difference that I see is the "grant type" key. You could try to remove it and test if it works.
14 May 2024 11:00 AM
Hi Helena,
I removed the "grant_type" key but I still get the same result. It doesn't provide me with the bearer.....
14 May 2024 02:59 PM
Hi again Hazard,
Adding "grant_type" it also works:
In the answer of the POST you can see the used scopes.
Please be sure that the value of the "scope" key contains the same scopes you have defined for the client_id on Identity & Access Management > OAuth clients. Also be sure the client_id is the client_id you want to use.
If it doesn't work, I'm afraid I don't have any more ideas.
Regards,
Elena
12 Apr 2025 12:03 PM - edited 12 Apr 2025 12:10 PM
Hi @Hazard remove the quotes around client_credentials for the grant_type query parameter.
You had it like this:
But it should be without the "" around client_credentials, like this:
I confirmed it in Postman, with "" it breaks.
13 Aug 2024 09:43 AM
I have the same issue:
curl --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=xx' \
--data-urlencode 'client_secret=xx' \
--data-urlencode 'resource=urn:dtaccount:xx' \
--data-urlencode 'scope=app-engine:apps:install app-engine:apps:run'
{"errorCode":400,"message":"Bad Request","issueId":"WUQIHC74YTS7NMJO","error":"invalid_request","error_description":""}%
13 Aug 2024 09:56 AM
When I leave out the scope and resource fields, a bearer is returned:
curl --location --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=yy' \
--data-urlencode 'client_secret=zz'
{"scope":"app-engine:apps:install","token_type":"Bearer","expires_in":300,"access_token":"ey....
13 Aug 2024 10:01 AM
What I am missing is all the scopes that are needed for my use case to install a custom build react app via the deployment pipeline.
app-engine:apps:install
app-engine:apps:run
app-engine:apps:delete
What could be the reason?
04 Jun 2025 05:10 PM
Maybe you have already solved it, but this is for the record.
You need to specify exactly the scopes that you already defined during the OAuth2 client creation, not new ones; you list them space-separated. If you need all of them, simply omit the scope parameter and you get them all.
Example on Windows:
curl -X POST "https://sso.dynatrace.com/sso/oauth2/token" ^
-H "Content-Type: application/x-www-form-urlencoded" ^
-d "grant_type=client_credentials" ^
-d "scope=environment-api:entities:read" ^
-d "client_id=YOUR_ID" ^
-d "client_secret=YOUR_CLIENT_SECRET" ^
-d "resource=YOUR_URN"
You should get this response
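Added example, not part of any post in this thread: a pre-flight check for the two causes of the 400 that the replies identify, literal quotes inside `grant_type` and a `scope` value that names scopes not defined on the OAuth client. The function names, the `client_scopes` argument and all sample values are assumptions made for illustration; nothing is sent over the network.

```python
from urllib.parse import urlencode

TOKEN_URL = "https://sso.dynatrace.com/sso/oauth2/token"  # endpoint from the thread
SECRET_FIELDS = {"client_secret"}  # never echo these values into logs


def check_token_form(form, client_scopes):
    """List problems in a client_credentials form body before it is sent.

    client_scopes: scopes defined on the OAuth client (assumption: the
    caller copies them from the client's configuration).
    """
    problems = []
    for key, value in form.items():
        # '"client_credentials"' carries literal quote characters in the value.
        if value != value.strip("\"' "):
            shown = "<redacted>" if key in SECRET_FIELDS else repr(value)
            problems.append(f"{key}: stray quotes or spaces in {shown}")
    if form.get("grant_type") != "client_credentials":
        problems.append("grant_type: must be exactly client_credentials")
    extra = sorted(set(form.get("scope", "").split()) - set(client_scopes))
    if extra:
        problems.append("scope: not defined on the client: " + " ".join(extra))
    return problems


def encoded_body(form):
    """Form body as sent on the wire (same urlencoding requests applies to data=dict)."""
    return urlencode(form)


# Constructed sample values; the id, secret and URN are placeholders.
quoted = {"grant_type": '"client_credentials"', "client_id": "SAMPLE_CLIENT_ID",
          "client_secret": "placeholder-secret", "resource": "urn:dtaccount:SAMPLE"}
fixed = dict(quoted, grant_type="client_credentials",
             scope="app-engine:apps:install app-engine:apps:run")

if __name__ == "__main__":
    # The quotes survive encoding as %22, so the server sees an unknown grant type.
    print(encoded_body({"grant_type": quoted["grant_type"]}))
    print(check_token_form(quoted, {"app-engine:apps:install"}))
    print(check_token_form(fixed, {"app-engine:apps:install"}))
    print(check_token_form(dict(fixed, scope="app-engine:apps:install"),
                           {"app-engine:apps:install"}))
```

Requesting only the scopes a job needs, rather than omitting `scope` to receive all of them, keeps the issued token's privileges narrow.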