Jira endpoint error for oauth 2.0 3LO

Hello Atlassian Dev Community,
I was using simple Atlassian token-based authentication for getting data and it was working for both the rest/api endpoint as well as the rest/agile endpoint. I recently started to shift to OAuth 2.0 (3LO) to make it easy for me to make my application available for other users, but the access token I received in the process is not working on many endpoints.

I followed the steps on https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/#enabling-oauth-2-0--3lo- to implement OAuth 2.0 (3LO) using Python. I first received the code on the callback endpoint when the user accepted the app authorization; using the code I got the access token and then the cloudid from https://api.atlassian.com/oauth/token/accessible-resources.
I am using Python Flask to send requests in the following format (removing the payload where it is not needed):

headers = {
    "Authorization": token,
    "Accept": "application/json"
}
payload = {
    "jql": jql_query,
    "maxResults": 100,
    "startAt": 0
}
response = requests.get(url=url, headers=headers, params=payload)

This access code and cloud id are working for the REST API endpoint: “https://api.atlassian.com/ex/jira/{cloudid}/rest/api/3/field”

but when I tried a GET request with “https://api.atlassian.com/ex/jira/{cloudid}/rest/agile/1.0/board/{boardId}/sprint”,
I am getting: “401 Client Error: Unauthorized for url: https://api.atlassian.com/ex/jira/{cloudid}/rest/agile/1.0/board/1/sprint”
with response.text = {"message":"Client must be authenticated to access this resource.","status-code":401}

and when I tried a GET request with “https://api.atlassian.com/ex/jira/{cloudid}/rest/api/3/search”,
I am getting: “400 Client Error: Bad Request for url: https://api.atlassian.com/ex/jira/{cloudid}/rest/api/3/search?jql=issuetype!%3DEpic&maxResults=100&startAt=0”
with response.text = {"errorMessages":["Field 'issuetype' does not exist or this field cannot be viewed by anonymous users."],"warningMessages":[]}

Could there be something wrong with the OAuth scope, or is there a problem with the code?
The scopes selected are Classic scopes: read:jira-work and read:jira-user

This is similar to

The thread was stagnant and didn’t contain whole details for the error. Hence a more detailed topic on this. Any hints/answers that can help us is greatly appreciated.
Thanks.

I also tried it with granular scopes => [‘read:project.feature:jira’, ‘read:status:jira’, ‘read:application-role:jira’, ‘read:screen:jira’, ‘read:comment:jira’, ‘read:project-category:jira’, ‘read:project:jira’, ‘read:field-configuration:jira’, ‘read:board-scope.admin:jira-software’, ‘read:avatar:jira’, ‘read:issue-meta:jira’, ‘read:issue.watcher:jira’, ‘read:sprint:jira-software’, ‘read:issue:jira’, ‘read:audit-log:jira’, ‘read:dashboard.property:jira’, ‘read:dashboard:jira’, ‘read:project.component:jira’, ‘read:board-scope:jira-software’, ‘read:group:jira’, ‘read:project.avatar:jira’, ‘read:issue:jira-software’, ‘read:project-role:jira’, ‘read:user.columns:jira’, ‘read:issue-status:jira’, ‘read:issue.property:jira’, ‘read:priority:jira’, ‘read:project-type:jira’, ‘read:issue-details:jira’, ‘read:issue-type-hierarchy:jira’, ‘read:jql:jira’, ‘read:user:jira’, ‘read:epic:jira-software’, ‘read:field:jira’, ‘read:issue-type:jira’, ‘read:role:jira’, ‘read:project.property:jira’, ‘read:issue-field-values:jira’, ‘read:comment.property:jira’, ‘read:issue-link:jira’, ‘read:project-version:jira’]
But it is giving the same errors.

@AshishVats,

Thanks for all the detail, it really helps to focus troubleshooting efforts.

The first thing I tried was to reproduce the scenario with REST API only actions, and with the minimal flow. What I was able to confirm is the Jira Software REST API works with OAuth 2.0 3LO. Indeed, I was able to get all sprints using GET /rest/agile/1.0/board/{boardId}/sprint with my access token. When I configured my OAuth client in the developer console, I added only 2 scopes: read:sprint:jira-software and read:me (I always use this one for diagnostic purposes). Using the bearer token and my cloudId from accessible-resources, I was able to get a list of sprints and a 200 HTTP status. At least that isolates the REST API and we know it does work.

Next, I tried to change the request to see if I could reproduce the 401 response. If I put in a wrong sprint id (like one that doesn’t exist), I get 401. If I use a bad clientId, I also get 401. The only way I could reproduce the 403 was to remove the Authentication header with the Bearer token. And, that seems to correspond to the error messages provided in your responses using other endpoints. Maybe you could check your Python code is actually sending the correct auth header?

@ibuchanan Thank you very much for your response. I was really stuck. I had been using token by itself without prefixing "Bearer " to it.
Just one more thing, I need to ask. Do we need granular scopes for Jira Software Cloud REST API, is there no possible way to use classic scope for getting data from agile endpoint?

Yes, you need granular scopes. There aren’t any “classic scopes” for Jira Software. Mind you, there is overlap between Jira Software and Jira Platform APIs. You can mix granular and classic scopes as you see fit. My overall recommendation is find the set that lets you use the least number of scopes.

Got it. Thank you very much for your response @ibuchanan . This was great help.
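
The header check that resolved this thread, as an added example that is not part of the original posts: it builds the Jira Cloud request with a `Bearer`-prefixed token, flags an `Authorization` value sent without the scheme, and recognises the two "unauthenticated" response bodies quoted above. The helper names, the token and the cloud id placeholder are assumptions made for illustration; only the standard library is used and nothing is sent over the network.

```python
import urllib.parse
import urllib.request

API_ROOT = "https://api.atlassian.com/ex/jira"
# Substrings of the two response bodies quoted in the thread.
ANON_MARKERS = ("Client must be authenticated", "anonymous users")

def auth_header(access_token):
    """Return 'Bearer <token>' for a bare or already-prefixed token."""
    token = access_token.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("expected a single non-empty access token")
    return "Bearer " + token

def build_request(cloud_id, path, access_token, params=None):
    """Build (without sending) a GET request for a Jira Cloud REST path."""
    url = f"{API_ROOT}/{cloud_id}{path}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {"Authorization": auth_header(access_token),
               "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")

def header_problem(headers):
    """Describe what is wrong with the Authorization header, or None."""
    value = headers.get("Authorization")
    if value is None:
        return "Authorization header is missing"
    scheme, _, credential = value.partition(" ")
    if scheme.lower() != "bearer" or not credential.strip():
        return "Authorization value has no 'Bearer ' scheme prefix"
    return None

def treated_as_anonymous(status, body_text):
    """True when a response matches the unauthenticated failures above."""
    return status in (400, 401) and any(m in body_text for m in ANON_MARKERS)

if __name__ == "__main__":
    token = "constructed-token-for-illustration"  # constructed sample value
    original = {"Authorization": token, "Accept": "application/json"}
    print(header_problem(original))  # the header format from the question
    req = build_request("CLOUD_ID_PLACEHOLDER",  # placeholder cloud id
                        "/rest/agile/1.0/board/1/sprint", token)
    print(req.full_url, req.get_header("Authorization"))
```

Running `header_problem` on the outgoing headers before each call, and `treated_as_anonymous` on any 400 or 401 response, separates a malformed header from a genuine scope or permission problem.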