Token Generation Error - Unable to Process Integration Due to Session Cookies Being Reused

Issue

A token generation error occurs and prevents any integration from processing successfully. The issue is observed when retrieving an OAuth token from ServiceNow using a third-party client such as Kafka: the request returns a 302 response code. When the same request is made using Postman, a successful 200 response is received. The problem is consistently reproducible in Kafka but not in Postman.

Symptoms

Sample working transaction:
adc101 adc_yottainfrast242[3156]: [adc_access] src=REDACTED_IP src_port=REDACTED_PORT instance=yottatest node=REDACTED_INTERNAL_IP:REDACTED_PORT http_host=yottatest.service-now.com method=POST uri=/oauth_token.do? reqtime=0.067 rtt32=2510 uct=0.001 uht=0.067 urt=0.067 us=200 rescode=200 ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256 ssl_protocol=TLSv1.2 ua="unirest-java/3.1.00" ssib=0 s=REDACTED_SESSION_ID cl=261 txid=REDACTED_TXID h=h1baseuri=/oauth_token.do host=adc101.mum100.service-now.com source=/var/log/adcv2/nginx sourcetype=adc_access_log uri=/oauth_token.do?

Sample non-working transaction:
Aug 21 11:32:46 adc101 adc_yottainfrast242[3156]: [adc_access] src=REDACTED_IP src_port=REDACTED_PORT instance=yottatest node=REDACTED_INTERNAL_IP:REDACTED_PORT http_host=yottatest.service-now.com method=POST uri=/oauth_token.do? reqtime=0.021 rtt32=6893 uct=0.000 uht=0.021 urt=0.021 us=302 rescode=302 ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256 ssl_protocol=TLSv1.2 ua="unirest-java/3.1.00" ssib=0 s=REDACTED_SESSION_ID cl=0 h=h1baseuri=/oauth_token.do host=adc101.mum100.service-now.com source=/var/log/adcv2/nginx sourcetype=adc_access_log uri=/oauth_token.do?
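
The difference between the two transactions (rescode=302 with cl=0 on a POST to /oauth_token.do) can be picked out of a larger access log mechanically. The following is an added example, not ServiceNow tooling; the sample lines are constructed in the same key=value layout, with placeholder addresses, host and session values.

```python
import re
from collections import Counter

# Constructed sample lines in the ADC access-log layout shown above.
SAMPLE_LOG = """\
[adc_access] src=192.0.2.10 src_port=40001 http_host=instance.example method=POST uri=/oauth_token.do? us=200 rescode=200 ua="unirest-java/3.1.00" s=SESSION_A cl=261
[adc_access] src=192.0.2.10 src_port=40002 http_host=instance.example method=POST uri=/oauth_token.do? us=302 rescode=302 ua="unirest-java/3.1.00" s=SESSION_B cl=0
[adc_access] src=192.0.2.20 src_port=40003 http_host=instance.example method=GET uri=/api/now/table/incident? us=200 rescode=200 ua="constructed-client/1.0" s=SESSION_C cl=512
"""

# key=value pairs; a value is either a quoted string or a run of non-spaces.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_line(line):
    """Turn one access-log line into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def redirected_token_calls(log_text):
    """Return token requests answered with an empty 302 instead of a token."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        is_token_call = (fields.get("method") == "POST"
                         and fields.get("uri", "").startswith("/oauth_token.do"))
        if is_token_call and fields.get("rescode") == "302" and fields.get("cl") == "0":
            hits.append(fields)
    return hits


def summarize(log_text):
    """Count redirected token calls per (source address, user agent)."""
    return Counter((f.get("src"), f.get("ua")) for f in redirected_token_calls(log_text))


if __name__ == "__main__":
    for (src, ua), count in summarize(SAMPLE_LOG).items():
        print(f"{count} redirected token call(s) from {src} using {ua}")
```

Grouping by source and user agent shows which integration client needs its cookie handling changed.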

Facts

- This happens when cookies (JSESSIONID, glide_session_store, etc.) are sent as part of the request; they should NOT be part of the OAuth token call. It is possible that Kafka’s client is trying to reuse a session or cookie store, so ServiceNow treats the request as a “user session” instead of an OAuth request.
- When /oauth_token.do issues a 302 to /external_logout_complete.do, it essentially means “The current session is invalid or has been terminated.” This happens because session details are included in the request.
- OAuth token requests should be stateless, so the user should NOT send JSESSIONID or glide cookies in the request. A user facing this issue should disable cookie persistence in their HTTP client when calling /oauth_token.do.

Release

NA

Cause

When a 302 response is seen, ServiceNow is redirecting the request to a logout page due to failure, and the client ultimately receives the 302 response. This happens when cookies (JSESSIONID, glide_session_store, etc.) are sent as part of the request; they should NOT be part of the OAuth token call. It is possible that the HTTP client is trying to reuse a session or cookie store, so ServiceNow treats the request as a “user session” instead of an OAuth request.

[listenerSNOW-0-C-1] [DEBUG] - org.apache.http.wire - http-outgoing-8 << "Location: /external_logout_complete.do[\r][\n]"

Resolution

1. Configure the Kafka client or any third party client that is fetching the token from ServiceNow to not store cookies or resend them when calling the /oauth_token.do endpoint. This ensures that every token request remains stateless and compliant with the OAuth 2.0 specification.
2. Disable cookie persistence in the HTTP client used by the third party when making requests to the /oauth_token.do endpoint.
3. Check and confirm that the request headers are correct.
4. Verify that the Content-Type is set to application/x-www-form-urlencoded in the request headers.
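
Steps 1, 2 and 4 applied with Python's standard urllib, as an added example that is not ServiceNow's or Kafka's code: the opener has no cookie processor, redirects are surfaced instead of followed, and a 302 to /external_logout_complete.do is reported as the cookie-reuse failure. The function names are illustrative, and the form fields (grant type and credentials) are supplied by the caller.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth_token.do"
LOGOUT_PATH = "/external_logout_complete.do"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError for a 302 instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def stateless_opener():
    # build_opener() adds no HTTPCookieProcessor unless one is passed in, so
    # this opener never stores Set-Cookie values or replays them later.
    return urllib.request.build_opener(NoRedirect)


def build_token_request(instance_url, form):
    """Build the POST with a form-encoded body and no Cookie header."""
    body = urllib.parse.urlencode(form).encode("ascii")
    req = urllib.request.Request(instance_url.rstrip("/") + TOKEN_PATH,
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    return req


def fetch_token(opener, req):
    """Send the request; name the cookie-reuse failure when it is seen."""
    if req.has_header("Cookie"):
        raise ValueError("token request must not carry session cookies")
    try:
        with opener.open(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        location = err.headers.get("Location", "") if err.headers else ""
        if err.code == 302 and LOGOUT_PATH in location:
            raise RuntimeError("302 to logout page: the request was treated as "
                               "a user session; check for replayed cookies") from err
        raise
```

Call it as `fetch_token(stateless_opener(), build_token_request(instance_url, form))`, creating a fresh request for every token fetch.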