wso2 / product-apim


Cannot login to the devportal after enabling token hashing #12770

Closed chashikajw closed 2 years ago

chashikajw commented 2 years ago

Description:

When we try to log in to the devportal after enabling token hashing, the devportal does not load and the following error can be seen in the server logs.

```
[2022-03-25 01:34:58,415] ERROR - login_callback:jag Could not retrieve access token. Response: {"error_description":"Client credentials are invalid.","error":"invalid_client"
```


Scenario 2:

If you log in to the dev portal afresh, you can see the following error in the browser.


In the console, you can see the following error:

```
[2022-03-25 01:53:19,000] ERROR - WebAppManager org.mozilla.javascript.WrappedException: Wrapped java.lang.IllegalArgumentException: An invalid character [34] was present in the Cookie value (/devportal/services/login/login_callback.jag#128)
org.jaggeryjs.scriptengine.exceptions.ScriptException: org.mozilla.javascript.WrappedException: Wrapped java.lang.IllegalArgumentException: An invalid character [34] was present in the Cookie value (/devportal/services/login/login_callback.jag#128)
    at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:587) ~[org.jaggeryjs.scriptengine_0.14.13.jar:?]
    at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:289) ~[org.jaggeryjs.scriptengine_0.14.13.jar:?]
    at org.jaggeryjs.jaggery.core.manager.WebAppManager.exec(WebAppManager.java:589) ~[org.jaggeryjs.jaggery.core_0.14.13.jar:?]
    at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:508) ~[org.jaggeryjs.jaggery.core_0.14.13.jar:?]
    at org.jaggeryjs.jaggery.core.JaggeryServlet.doGet(JaggeryServlet.java:24) ~[org.jaggeryjs.jaggery.core_0.14.13.jar:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:655) ~[tomcat-servlet-api_9.0.58.wso2v1.jar:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:764) ~[tomcat-servlet-api_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:711) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:459) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:353) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:313) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:76) ~[org.jaggeryjs.jaggery.core_0.14.13.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53) ~[org.wso2.carbon.ui_4.6.3.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:107) ~[org.wso2.carbon.identity.context.rewrite.valve_1.4.52.jar:?]
    at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:110) ~[org.wso2.carbon.identity.authz.valve_1.4.52.jar:?]
    at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:102) ~[org.wso2.carbon.identity.auth.valve_1.4.52.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:101) ~[org.wso2.carbon.tomcat.ext_4.6.3.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49) ~[org.wso2.carbon.tomcat.ext_4.6.3.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62) ~[org.wso2.carbon.tomcat.ext_4.6.3.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:146) ~[org.wso2.carbon.tomcat.ext_4.6.3.jar:?]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:58) ~[org.wso2.carbon.tomcat.ext_4.6.3.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:126) ~[org.wso2.carbon.tomcat.ext_4.6.3.jar:?]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:359) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1735) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat_9.0.58.wso2v1.jar:?]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_251]
Caused by: org.mozilla.javascript.WrappedException: Wrapped java.lang.IllegalArgumentException: An invalid character [34] was present in the Cookie value (/devportal/services/login/login_callback.jag#128)
    at org.mozilla.javascript.Context.throwAsScriptRuntimeEx(Context.java:1754) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:148) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.jaggeryjs.rhino.devportal.services.login.c1._c_anonymous_1(/devportal/services/login/login_callback.jag:128) ~[?:?]
    at org.jaggeryjs.rhino.devportal.services.login.c1.call(/devportal/services/login/login_callback.jag) ~[?:?]
    at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.jaggeryjs.rhino.devportal.services.login.c1._c_script_0(/devportal/services/login/login_callback.jag:20) ~[?:?]
    at org.jaggeryjs.rhino.devportal.services.login.c1.call(/devportal/services/login/login_callback.jag) ~[?:?]
    at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.jaggeryjs.rhino.devportal.services.login.c1.call(/devportal/services/login/login_callback.jag) ~[?:?]
    at org.jaggeryjs.rhino.devportal.services.login.c1.exec(/devportal/services/login/login_callback.jag) ~[?:?]
    at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:583) ~[org.jaggeryjs.scriptengine_0.14.13.jar:?]
    ... 50 more
Caused by: java.lang.IllegalArgumentException: An invalid character [34] was present in the Cookie value
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateCookieValue(Rfc6265CookieProcessor.java:197) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:123) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.connector.Response.generateCookieString(Response.java:1001) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.connector.Response.addCookie(Response.java:953) ~[tomcat_9.0.58.wso2v1.jar:?]
    at org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:385) ~[tomcat_9.0.58.wso2v1.jar:?]
    at javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:60) ~[tomcat-servlet-api_9.0.58.wso2v1.jar:?]
    at org.jaggeryjs.hostobjects.web.ResponseHostObject.jsFunction_addCookie(ResponseHostObject.java:188) ~[org.jaggeryjs.hostobjects.web_0.14.13.jar:?]
    at sun.reflect.GeneratedMethodAccessor324.invoke(Unknown Source) ~[?:?]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_251]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_251]
    at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:32) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.jaggeryjs.rhino.devportal.services.login.c1._c_anonymous_1(/devportal/services/login/login_callback.jag:128) ~[?:?]
    at org.jaggeryjs.rhino.devportal.services.login.c1.call(/devportal/services/login/login_callback.jag) ~[?:?]
    at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.jaggeryjs.rhino.devportal.services.login.c1._c_script_0(/devportal/services/login/login_callback.jag:20) ~[?:?]
    at org.jaggeryjs.rhino.devportal.services.login.c1.call(/devportal/services/login/login_callback.jag) ~[?:?]
    at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091) ~[js_1.7.0.R4wso2v1.jar:?]
    at org.jaggeryjs.rhino.devportal.services.login.c1.call(/devportal/services/login/login_callback.jag) ~[?:?]
    at org.jaggeryjs.rhino.devportal.services.login.c1.exec(/devportal/services/login/login_callback.jag) ~[?:?]
    at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:583) ~[org.jaggeryjs.scriptengine_0.14.13.jar:?]
    ... 50 more
```

Steps to reproduce:

  1. Add the following config to the deployment.toml:

     ```toml
     [apim.oauth_config]
     enable_token_hashing = true
     ```

  2. Restart the server and try to log in to the devportal.

Affected Product Version:

APIM 4.1.0-rc1

Environment details (with versions):
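The inner `Caused by` above comes from Tomcat's `Rfc6265CookieProcessor.validateCookieValue`, which rejects any cookie value containing a character outside the RFC 6265 `cookie-octet` set; character 34 is a double quote. The following is an added example written for this page in JavaScript (the language of `login_callback.jag`), not code from product-apim, Jaggery or Tomcat: it reimplements that `cookie-octet` check, shows that storing the raw JSON token response as a cookie value trips it at the very first quote, and extracts the bare `access_token` instead so the callback fails with a clear error rather than a 500 from `addCookie()`. The function names and the sample token responses are constructed for the example.

```javascript
// Added example, not product-apim or Jaggery code. Reimplements the RFC 6265
// cookie-value check that Tomcat's Rfc6265CookieProcessor runs in addCookie().

// cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E: printable
// US-ASCII minus SP, DQUOTE (34), comma, semicolon and backslash.
function isCookieOctet(code) {
  return code === 0x21 ||
    (code >= 0x23 && code <= 0x2b) ||
    (code >= 0x2d && code <= 0x3a) ||
    (code >= 0x3c && code <= 0x5b) ||
    (code >= 0x5d && code <= 0x7e);
}

// Char code of the first character the grammar rejects, or -1 if the value is
// valid. One enclosing DQUOTE pair is allowed, so only the interior is checked.
function firstInvalidCookieChar(value) {
  let start = 0;
  let end = value.length;
  if (end > 1 && value[0] === '"' && value[end - 1] === '"') {
    start = 1;
    end -= 1;
  }
  for (let i = start; i < end; i++) {
    const code = value.charCodeAt(i);
    if (!isCookieOctet(code)) return code;
  }
  return -1;
}

// Pulls the bare access_token out of a token endpoint response and refuses
// anything that cannot be stored in a cookie, so the login callback fails
// with a clear message instead of a 500 from addCookie() later on.
function accessTokenForCookie(responseBody) {
  const parsed = JSON.parse(responseBody);
  if (parsed.error) {
    throw new Error("token endpoint returned " + parsed.error);
  }
  const token = parsed.access_token;
  if (typeof token !== "string") throw new Error("no access_token in response");
  const bad = firstInvalidCookieChar(token);
  if (bad !== -1) {
    throw new Error("access_token has invalid cookie character [" + bad + "]");
  }
  return token;
}

// Constructed sample responses (placeholder token, not a real credential).
const OK_RESPONSE = '{"access_token":"eyJraWQiOiJ.constructed.token","token_type":"Bearer"}';
const ERR_RESPONSE = '{"error_description":"Client credentials are invalid.","error":"invalid_client"}';
```

Feeding `OK_RESPONSE` itself to `firstInvalidCookieChar` returns 34, the same code Tomcat logs in the trace, while `accessTokenForCookie(OK_RESPONSE)` returns a value that the cookie processor accepts.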

chashikajw commented 2 years ago

This occurs if you were unable to execute the `ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN DROP CONSTRAINT IF EXISTS CON_APP_KEY` DB query before logging in to the dev portal. Since this happens only for the H2 DB and we have mentioned this clearly in the docs, closing the issue.