11 May 2024 03:14 PM - last edited on 07 Jun 2024 11:54 AM by Michal_Gebacki
Hi guys,
I have a problem using the REST API for OAuth authentication.
As described in your documentation I used POST in the request to the following endpoint:
https://sso.dynatrace.com/sso/oauth2/token
I executed the instructions providing all the parameters in the request body, but when I execute the request I get an HTTP error code 400 (Bad Request). How can I solve the problem? The Python code follows:
import requests

oauth_client = "my_oauthClient"
oauth_secret = "my_oauthSecret"
oauth_scope = "storage:events:read " \
              "storage:buckets:read " \
              "account-idm-write " \
              "account-idm-read " \
              "account-env-read " \
              "account-env-write " \
              "account-uac-read " \
              "account-uac-write " \
              "iam-policies-management " \
              "iam:policies:write " \
              "iam:policies:read " \
              "iam:bindings:write " \
              "iam:bindings:read " \
              "iam:effective-permissions:read"
oauth_resource = "my_urn:dtaccount:xxxxxxxxxxxxxx"
sso_url = "https://sso.dynatrace.com/sso/oauth2/token"

data = {
    'grant_type': '"client_credentials"',
    'client_id': oauth_client,
    'client_secret': oauth_secret,
    'scope': oauth_scope,
    'resource': oauth_resource}
form_headers = {"Content-Type": "application/x-www-form-urlencoded"}

response = requests.post(sso_url, params={}, headers=form_headers, data=data)
auth_status = response.status_code
assert auth_status == 200, f"OAuth authentication for DQL failed with status code {auth_status}"
token = response.json().get("access_token")
14 May 2024 05:59 AM
Hi @Hazard,
I think the bearer is missing.
So I think the bearer must be captured as data
like you did here:
data = {
    'grant_type': '"client_credentials"',
    'client_id': oauth_client,
    'client_secret': oauth_secret,
    'scope': oauth_scope,
    'resource': oauth_resource}
and pass it the value captured in the response variable:
form_headers = {"Content-Type": "application/x-www-form-urlencoded"}
response = requests.post(sso_url,params={},headers=form_headers,data=data)
Hope it helps.
Regards,
Elena.
14 May 2024 08:46 AM
Hi Elena,
Maybe I didn't explain myself well. My problem is that I can't get a Bearer Token. After creating the OAuth2 client, requesting the bearer token from the Dynatrace SSO system via an API call fails. This API call fails:
https://sso.dynatrace.com/sso/oauth2/token (POST)
and it gives me an HTTP code 400 (Bad Request).
The Python code in the previous post explains it well.
I hope I explained myself.
Thank you
14 May 2024 09:00 AM
Hi Hazard,
Could you try to add these scopes to the "oauth_scope" variable?
settings:objects:read
settings:objects:write
settings:schemas:read
app-engine:apps:run
Regards,
Elena.
14 May 2024 09:12 AM
So do I have to recreate the OAuth client by adding these scopes, in addition to the ones already present? Should I try this?
14 May 2024 09:17 AM
Yes, I do. I would try it. With these scopes, it works for me.
14 May 2024 09:21 AM
Hi Elena,
So, I'll recreate the OAuth client by adding the following scopes and let you know, OK?
settings:objects:read
settings:objects:write
settings:schemas:read
app-engine:apps:run
storage:buckets:read
account-idm-write
account-idm-read
account-env-read
account-env-write
account-uac-read
account-uac-write
iam-policies-management
iam:policies:write
iam:policies:read
iam:bindings:write
iam:bindings:read
iam:effective-permissions:read
14 May 2024 10:27 AM
Sorry Helena,
but it failed again....
The Postman request follows.
This thing is driving me crazy!
14 May 2024 10:49 AM
Hi Hazard,
This is my configuration on Postman and returns the bearer:
The only difference that I see is the "grant type" key. You could try to remove it and test if it works.
14 May 2024 11:00 AM
Hi Helena,
I removed the "grant_type" key but I still get the same result. It doesn't provide me with the bearer.....
14 May 2024 02:59 PM
Hi again Hazard,
Adding "grant_type", it also works:
In the answer of the POST you can see the used scopes.
Please be sure that the value of the "scope" key contains the same scopes you have defined for the client_id on Identity & Access Management > OAuth clients. And also be sure the client_id is the desired client_id you want to use.
If it doesn't work, I'm afraid I don't have more ideas.
Regards,
Elena
13 Aug 2024 09:43 AM
I have the same issue:
curl --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=xx' \
  --data-urlencode 'client_secret=xx' \
  --data-urlencode 'resource=urn:dtaccount:xx' \
  --data-urlencode 'scope=app-engine:apps:install app-engine:apps:run'
{"errorCode":400,"message":"Bad Request","issueId":"WUQIHC74YTS7NMJO","error":"invalid_request","error_description":""}%
13 Aug 2024 09:56 AM
When I leave out the scope and resource fields, a bearer is returned:
curl --location --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=yy' \
  --data-urlencode 'client_secret=zz'
{"scope":"app-engine:apps:install","token_type":"Bearer","expires_in":300,"access_token":"ey....
13 Aug 2024 10:01 AM
What I am missing is all the scopes that are needed for my use case to install a custom build React app via the deployment pipeline.
app-engine:apps:install
app-engine:apps:run
app-engine:apps:delete
What could be the reason?
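
Added example, not part of any post in this thread and not Dynatrace's own code: a small offline pre-flight check for the token request form, covering the two things visible in the requests above (the `'"client_credentials"'` value in the first post, and a requested scope that is absent from the `scope` field of the token response in the 09:56 post). The function names and sample values are constructed for illustration, and the thread does not confirm either as the root cause of the 400.

```python
from urllib.parse import urlencode

TOKEN_URL = "https://sso.dynatrace.com/sso/oauth2/token"  # endpoint from the thread


def build_form(client_id, client_secret, scopes=(), resource=None):
    """Form fields for a client_credentials token request."""
    form = {
        "grant_type": "client_credentials",  # bare value, no embedded quotes
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if scopes:
        form["scope"] = " ".join(scopes)  # space-delimited list (RFC 6749, 3.3)
    if resource:
        form["resource"] = resource
    return form


def lint_form(form, granted_scopes=None):
    """Return problems that can be spotted before the request is sent."""
    issues = []
    for key, value in form.items():
        # Report the field name only, never the value (it may be the secret).
        if value != value.strip(" \"'"):
            issues.append(f"{key}: value has surrounding quotes or whitespace")
    if granted_scopes is not None:
        extra = sorted(set(form.get("scope", "").split()) - set(granted_scopes))
        if extra:
            issues.append("scope: not assigned to this client: " + " ".join(extra))
    return issues


def wire_body(form):
    """The urlencoded body as it goes on the wire, secret masked for logging."""
    return urlencode({**form, "client_secret": "REDACTED"})


# Constructed inputs mirroring the two failing requests in the thread.
FIRST_POST = {**build_form("my_oauthClient", "my_oauthSecret",
                           ["storage:events:read"], "urn:dtaccount:xx"),
              "grant_type": '"client_credentials"'}
CURL_POST = build_form("xx", "xx",
                       ["app-engine:apps:install", "app-engine:apps:run"],
                       "urn:dtaccount:xx")
GRANTED = ["app-engine:apps:install"]  # "scope" in the 09:56 token response

if __name__ == "__main__":
    for name, form, granted in (("first post", FIRST_POST, None),
                                ("curl post", CURL_POST, GRANTED)):
        print(name, wire_body(form), lint_form(form, granted), sep="\n  ")
```

The masked body shows the literal quotes arriving at the server as `grant_type=%22client_credentials%22`, which is a different string from `client_credentials`.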