Since upgrading to Confluence Data Center 9.2.8 from 9.2.7 we are failing to obtain an access token using the authentication flow outlined here.
We are able to pass the consent stage to obtain an initial token but all subsequent requests using the refresh token fail with a tomcat error stating "os_authType was 'any' and an invalid cookie was sent.".
We are failing to understand where a cookie comes into play during an OAuth flow.
Hi @Martin W ,
That "os_authType was 'any' and an invalid cookie was sent" error is triggered when a request to a protected endpoint (like /rest/oauth2/latest/token) includes an invalid or unexpected session cookie, and the config prioritizes cookie auth before falling back to others like Basic. You can try sending the refresh without cookies:
- Use a fresh HTTP client/tool without session state (e.g., curl, Postman with no cookie jar).
- Authenticate with Basic Auth: Base64-encode client_id:client_secret for the Authorization header.
- Use cURL (below is an example; adjust it with your parameters):
curl -X POST https://your-confluence.com/rest/oauth2/latest/token \
-H "Authorization: Basic $(printf '%s' 'client_id:client_secret' | base64 | tr -d '\n')" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&refresh_token=your_refresh_token&redirect_uri=your_redirect_uri"
-> This should succeed if the token is valid. (Similar article: OAuth 2.0 throws "os_authType was 'any' and an invalid cookie was sent")
If this doesn't resolve it (e.g., a server-side config issue), check seraph-config.xml for the token endpoint. You can consider setting os_authType=basic for /rest/oauth2/** (requires restart, test carefully). Or contact Atlassian Support with logs (enable debug for com.atlassian.seraph).
I hope everything works out for you!
Best,
Peter
Hi @Peter_DevSamurai ,
Thanks for the quick response.
I can confirm that disabling state management in the HTTP client fixes this issue for us.
For reference, for anybody else who may encounter this, the solution was to disable cookie management using this functionality of Apache HttpClientBuilder.
Thanks again for your assistance.
I'm glad I was able to assist! Have a great week ahead.
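The fix confirmed in this thread, as an added example that is not part of the original posts: an Apache HttpClient client built with `disableCookieManagement()` compared against the default builder, each sending two refresh requests. It assumes HttpClient 4.5.x on the classpath; the class name, the local stub endpoint and its cookie behaviour are constructed for the demo and only mimic a server that hands out a session cookie it later rejects.

```java
import com.sun.net.httpserver.HttpServer;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class RefreshWithoutCookies {
    // Sends the refresh_token grant twice and returns the HTTP status of the second call.
    static int secondRefreshStatus(CloseableHttpClient client, String tokenUrl) throws Exception {
        String basic = Base64.getEncoder().encodeToString(
                "client_id:client_secret".getBytes(StandardCharsets.UTF_8)); // placeholder credentials
        String form = "grant_type=refresh_token&refresh_token=your_refresh_token";
        int status = 0;
        for (int i = 0; i < 2; i++) {
            HttpPost post = new HttpPost(tokenUrl);
            post.setHeader("Authorization", "Basic " + basic);
            post.setEntity(new StringEntity(form, ContentType.APPLICATION_FORM_URLENCODED));
            try (CloseableHttpResponse resp = client.execute(post)) {
                status = resp.getStatusLine().getStatusCode();
            }
        }
        return status;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stub: sets a session cookie on every response, rejects any request that carries one.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/rest/oauth2/latest/token", ex -> {
            boolean hasCookie = ex.getRequestHeaders().containsKey("Cookie");
            ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=stale; Path=/");
            ex.sendResponseHeaders(hasCookie ? 401 : 200, -1);
            ex.close();
        });
        stub.start();
        String url = "http://127.0.0.1:" + stub.getAddress().getPort() + "/rest/oauth2/latest/token";
        try (CloseableHttpClient withJar = HttpClientBuilder.create().build();
             CloseableHttpClient noJar = HttpClientBuilder.create().disableCookieManagement().build()) {
            System.out.println("default client, 2nd refresh:   " + secondRefreshStatus(withJar, url));
            System.out.println("cookies disabled, 2nd refresh: " + secondRefreshStatus(noJar, url));
        } finally {
            stub.stop(0);
        }
    }
}
```

The default builder keeps an in-memory cookie store and replays whatever the server set on the first response, which is why only the second and later token requests are affected.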