Oauth browser path not found 404

Stephan_Mestach · 2 April 2026 14:28

we had a working oauth authentification flow between one of our app and dhis2
but it seem that after the redirection to

https://dhis2.domain/uaa/oauth/authorize/?client_id=orbf2&response_type=code

we get the tomcat error

# HTTP Status 404 – Not Found

---

**Type** Status Report

**Message** No static resource uaa/oauth/authorize.

**Description** The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.

was there any changes in the oauth flow in 2.4x ? (here 2.42)
the documentation still mention that url : Introduction - DHIS2 Documentation

thank you

Gassim · 4 April 2026 10:24

Hi @Stephan_Mestach

Thank you for your post. I guess the docs need updating because it’s mentioned in the release notes starting from version 2.42 “remove OAuth2 from settings app v42”, and it’s mentioned in the ‘deprecated features’ notes that “The old and deprecated OAuth support will be removed” (see table ‘Removed features’ row 4).

If you face any issue to start using the new supported OAuth 2.0 then please feel free to reply here.

Thanks!

Stephan_Mestach · 14 April 2026 08:25

Can you point me to the OAuth 2.0 ? I still end up with the wrong path/flow
(I’m using the web flow)

netroms · 14 April 2026 15:15

Hi Stéphan,

I’m sorry to inform that the documentation for 2.42 is very outdated.
We did a big change to the OAuth2 backend in 2.42 and it’s now served by the Spring Authorization server project.
The quickest way to get up to date, is probably to have a look at this test:

github.com/dhis2/dhis2-core

dhis-2/dhis-test-e2e/src/test/java/org/hisp/dhis/oauth2/OAuth2Test.java

2.42

/*
 * Copyright (c) 2004-2025, University of Oslo
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice, this
 * list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the copyright holder nor the names of its contributors 
 * may be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

This file has been truncated. show original

This test does a full e2e authorization code flow test.
If you have any questions you can contact me directly also.
It’s on the agenda to get the documentation updated soon.

Timothy_Harding1 · 15 April 2026 12:53

Hello @netroms and @Gassim I am a little confused by the links:

says: remove OAuth2

github.com/dhis2/dhis2-releases

releases/deprecated-features.md

master

# DHIS2 Deprecated Features

When a feature, or product, is first listed as deprecated, support for using it with DHIS2 is scheduled to be removed in a future update.
This information is provided to help you plan for alternatives to using that feature or product.
When the first version of DHIS2 releases in which that support is removed, this article is updated to indicate that specific version.

Generally, a feature is removed after it has been deprecated in all three of the last maintained versions.

## Deprecated Features

The following features are deprecated. You can still use them now, but the DHIS2 core team plans to end support in the future.

|Feature|Deprecation first announced|Planned end of support<br>(version)|
|:---------|:---:|:---:|
|Refer to [v42](https://github.com/dhis2/dhis2-releases/tree/master/releases/2.42#tracker) for deprecations in tracker.|May 2025|2.43.0|
|The /user/userCredentials object is merged into the user object and will be removed | May 2023|2.42.0|
|The old and deprecated OAuth support will be removed| May 2023|2.42.0|
|The old tracker APIs are deprecated and replaced by `/api/tracker` endpoints |Sep 2022|2.41.0|
|The Data Entry app is deprecated, and replaced by the Aggregate Data Entry app|Dec 2022|2.41.0|
|The `/api/eventCharts` and `/api/eventReports` API endpoints are deprecated. Use the consolidated `/api/eventVisualizations` API instead.|April 2022|2.41.0|

This file has been truncated. show original

says: The old and deprecated OAuth support will be removed
and just up above: Oauth browser path not found 404 - #2 by Gassim
says: “the new supported OAuth 2.0”

So I wanted to ask, is DHIS 2 supporting OAuth 2.0 going forward or not?
And how does this affect OIDC with Azure/Google/Okta?