
OAuth authentication failed with status code 400

Hazard
Participant

Hi guys,

I have a problem using the REST API for OAuth authentication.

As described in your documentation I used POST in the request to the following endpoint:

https://sso.dynatrace.com/sso/oauth2/token

I executed the instructions providing all the parameters in the request body, but when I execute the request I get an HTTP error code 400 (Bad Request). How can I solve the problem? The Python code follows:

import requests

oauth_client = "my_oauthClient"
oauth_secret = "my_oauthSecret"
oauth_scope = "storage:events:read " \
              "storage:buckets:read " \
              "account-idm-write " \
              "account-idm-read " \
              "account-env-read " \
              "account-env-write " \
              "account-uac-read " \
              "account-uac-write " \
              "iam-policies-management " \
              "iam:policies:write " \
              "iam:policies:read " \
              "iam:bindings:write " \
              "iam:bindings:read " \
              "iam:effective-permissions:read"

oauth_resource = "my_urn:dtaccount:xxxxxxxxxxxxxx"

sso_url = "https://sso.dynatrace.com/sso/oauth2/token"

data = {
    'grant_type': '"client_credentials"',
    'client_id': oauth_client,
    'client_secret': oauth_secret,
    'scope': oauth_scope,
    'resource': oauth_resource}

form_headers = {"Content-Type": "application/x-www-form-urlencoded"}
response = requests.post(sso_url, params={}, headers=form_headers, data=data)

auth_status = response.status_code

assert auth_status == 200, f"OAuth authentication for DQL failed with status code {auth_status}"

token = response.json().get("access_token")

 

14 REPLIES

Hi @Hazard ,

I think the bearer is missing.

So I think the bearer must be captured as data

erh_inetum_0-1715662125872.png

like you did here:

data = {
'grant_type': '"client_credentials"',
'client_id': oauth_client,
'client_secret': oauth_secret,
'scope': oauth_scope,
'resource': oauth_resource}

and pass it the value captured in the response variable: 

form_headers = {"Content-Type": "application/x-www-form-urlencoded"}
response = requests.post(sso_url,params={},headers=form_headers,data=data)

 

Hope it helps.

Regards,

Elena.

Hi Elena,

Maybe I didn't explain myself well. My problem is that I can't get a Bearer Token. After creating the OAuth2 client, requesting the bearer token from the Dynatrace SSO system via an API call fails. This API call fails:

https://sso.dynatrace.com/sso/oauth2/token (POST)

and it gives me an HTTP code 400 (Bad Request).

The Python code in the previous post explains it well.

I hope I explained myself.

Thank you

 

 

 

 

Hi Hazard,

Could you try to add these scopes to the "oauth_scope" variable?

settings:objects:read
settings:objects:write
settings:schemas:read
app-engine:apps:run

 

Regards,

Elena.

 

 

So do I have to recreate the OAuth client by adding these scopes, in addition to the ones already present? Should I try this?

Yes, I do. I would try it. With these scopes, it works for me.

Hi Elena,

So, I'll recreate the OAuth client by adding the following scopes and let you know, OK?

settings:objects:read
settings:objects:write
settings:schemas:read
app-engine:apps:run

storage:buckets:read 
account-idm-write 
account-idm-read 
account-env-read 
account-env-write 
account-uac-read 
account-uac-write 
iam-policies-management 
iam:policies:write 
iam:policies:read 
iam:bindings:write 
iam:bindings:read 

iam:effective-permissions:read

Sure.

Sorry Helena,

but it failed again...

Hazard_0-1715678791944.png

 

Follow Postman Request.

This thing is driving me crazy!

 

Hazard_1-1715678826410.png

 

Hi Hazard,

This is my configuration on Postman and returns the bearer:

erh_inetum_0-1715679942712.png

erh_inetum_1-1715679998108.png

 

The only difference that I see is the "grant type" key. You could try to remove it and test if it works.

 

Hi Helena,

I removed the "grant_type" key but I still get the same result. It doesn't provide me with the bearer...

Hazard_0-1715680789115.png

 

 

Hi again Hazard,

Adding "grant_type", it also works:

erh_inetum_0-1715694368023.png

In the answer of the POST you can see the used scopes.

Please be sure that the value of the "scope" key contains the same scopes you have defined for the client_id in Identity & Access Management > OAuth clients. Also be sure the client_id is the client_id you want to use.

If it doesn't work, I'm afraid I haven't any more ideas.

 

Regards,

Elena

DaveOps
Contributor

I have the same issue:

curl --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=xx' \
--data-urlencode 'client_secret=xx' \
--data-urlencode 'resource=urn:dtaccount:xx' \
--data-urlencode 'scope=app-engine:apps:install app-engine:apps:run'

{"errorCode":400,"message":"Bad Request","issueId":"WUQIHC74YTS7NMJO","error":"invalid_request","error_description":""}%

DaveOps
Contributor

When I leave out the scope and resource field a bearer is returned:

curl --location --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=yy' \
--data-urlencode 'client_secret=zz'

{"scope":"app-engine:apps:install","token_type":"Bearer","expires_in":300,"access_token":"ey....

 

DaveOps
Contributor

What I am missing is all the scopes that are needed for my use case to install a custom-built React app via the deployment pipeline.

app-engine:apps:install
app-engine:apps:run
app-engine:apps:delete

What could be the reason?
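
An added example, not part of any post in this thread: an offline pre-flight check for a client_credentials token request body, covering two things visible above, a `grant_type` value that carries literal quote characters and a `scope` parameter asking for more than the token response reports. The function name `lint_token_form`, the credentials and the sample dictionaries are constructed for illustration, and treating the `scope` field of a token response as the client's assigned scopes is an assumption.

```python
from urllib.parse import urlencode


def lint_token_form(form, granted_scopes=None):
    """Return a list of problems found in a client_credentials token request body.

    granted_scopes: scopes the client is known to hold, e.g. the "scope" field
    of a token response obtained without a scope parameter (assumption: that
    field reflects the scopes assigned to the client).
    """
    problems = []
    grant_type = form.get("grant_type")
    if grant_type != "client_credentials":
        problems.append(f"grant_type is {grant_type!r}, not 'client_credentials'")
    for key, value in form.items():
        if value != value.strip():
            problems.append(f"{key} has leading or trailing whitespace")
    requested = form.get("scope", "").split()
    if granted_scopes is not None:
        extra = sorted(set(requested) - set(granted_scopes))
        if extra:
            problems.append("scopes not held by the client: " + " ".join(extra))
    return problems


# Constructed sample modelled on the first post: the quotes are part of the value.
quoted_form = {
    "grant_type": '"client_credentials"',
    "client_id": "example-client",
    "client_secret": "example-secret",
    "scope": "storage:events:read storage:buckets:read",
    "resource": "urn:dtaccount:example",
}

# Constructed sample modelled on the curl posts: two scopes requested,
# while the token returned without a scope parameter lists only one.
scoped_form = {
    "grant_type": "client_credentials",
    "client_id": "example-client",
    "client_secret": "example-secret",
    "scope": "app-engine:apps:install app-engine:apps:run",
}
token_response = {"scope": "app-engine:apps:install", "token_type": "Bearer"}

if __name__ == "__main__":
    print(urlencode(quoted_form))  # what the form body looks like on the wire
    print(lint_token_form(quoted_form))
    print(lint_token_form(scoped_form, token_response["scope"].split()))
```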
