Jira issue macro/Jira charts throws 'Failed to find org.hibernate.Session from the current thread' error when user's OAuth2 AppLink refresh token expires

    • Severity 3 - Minor

      Issue Summary

      The Jira issue macro and Jira charts throw a 'Failed to find org.hibernate.Session from the current thread' error when a user's OAuth2 refresh token expires in an OAuth 2.0 AppLink setup.

      Steps to Reproduce

      Unable to replicate locally. The behaviour shows up in an OAuth 2.0 AppLink setup when a user's OAuth2 refresh token expires.

      Expected Results

      The OAuth2 token should be regenerated automatically and the user should be able to view the Jira issue macro/Jira charts.

      Actual Results

      The user sees a 'Failed to find org.hibernate.Session from the current thread' error on the Jira issue macro/Jira charts.

      The following exception is logged in the atlassian-confluence.log file:

      2026-05-07 10:54:44,844 ERROR [xxxxxxxxx] [oauth.auth.threelo.ThreeLeggedOAuth2RequestFactoryImpl] refreshAccessToken Failed to refresh access token
       -- url: /rest/highlighting/1.0/panel-items | userName: xxxxxxxx | referer: xxxxxxxxx | traceId: xxxxxxx
      com.atlassian.oauth2.client.api.storage.token.exception.UnrecoverableTokenException: Token already marked as invalid
      	at com.atlassian.oauth2.client.storage.DefaultTokenHandler.refreshTokenIfNeeded(DefaultTokenHandler.java:184)
      	at com.atlassian.oauth2.client.storage.DefaultTokenHandler.lambda$getRefreshedToken$4(DefaultTokenHandler.java:173)
      	at com.atlassian.oauth2.common.concurrent.KeyedLocks.executeWithLock(KeyedLocks.java:37)
      	at com.atlassian.oauth2.client.storage.DefaultTokenHandler.getRefreshedToken(DefaultTokenHandler.java:172) 
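To identify which users are hitting this failure before applying the workaround, the refresh errors can be extracted from atlassian-confluence.log. The Python below is an added example, not Atlassian's code; it assumes the record layout shown in the excerpt above (timestamped line, `-- url: ... | userName: ...` context line, exception line), and the sample log with its user names, thread ids and timeout event is constructed.

```python
import re
from collections import Counter

# Constructed sample shaped like the atlassian-confluence.log excerpt above.
# User names, thread ids, trace ids and the timeout event are invented.
SAMPLE_LOG = """\
2026-05-07 10:54:44,844 ERROR [http-1] [oauth.auth.threelo.ThreeLeggedOAuth2RequestFactoryImpl] refreshAccessToken Failed to refresh access token
 -- url: /rest/highlighting/1.0/panel-items | userName: person2 | referer: https://confluence.example/x | traceId: t1
com.atlassian.oauth2.client.api.storage.token.exception.UnrecoverableTokenException: Token already marked as invalid
\tat com.atlassian.oauth2.client.storage.DefaultTokenHandler.refreshTokenIfNeeded(DefaultTokenHandler.java:184)
2026-05-07 10:55:01,120 INFO [http-2] [example.OtherLogger] unrelated message
 -- url: /display/X | userName: person3 | referer: - | traceId: t2
2026-05-07 10:56:10,002 ERROR [http-3] [oauth.auth.threelo.ThreeLeggedOAuth2RequestFactoryImpl] refreshAccessToken Failed to refresh access token
 -- url: /rest/highlighting/1.0/panel-items | userName: person2 | referer: - | traceId: t3
com.atlassian.oauth2.client.api.storage.token.exception.UnrecoverableTokenException: Token already marked as invalid
2026-05-07 10:57:30,500 ERROR [http-4] [oauth.auth.threelo.ThreeLeggedOAuth2RequestFactoryImpl] refreshAccessToken Failed to refresh access token
 -- url: /rest/highlighting/1.0/panel-items | userName: person4 | referer: - | traceId: t4
java.net.SocketTimeoutException: Read timed out
"""

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) [A-Z]+ ")
MARKER = "UnrecoverableTokenException: Token already marked as invalid"

def split_records(text):
    """Group lines into records; each timestamped line starts a new record."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)  # context line or stack-trace continuation
    return records

def invalid_token_events(text):
    """Return refresh failures caused by a token already marked invalid."""
    events = []
    for head, *rest in split_records(text):
        if "refreshAccessToken" not in head or not any(MARKER in l for l in rest):
            continue  # other log lines, or a refresh failure with a different cause
        ctx = next((l.strip()[3:] for l in rest if l.lstrip().startswith("-- ")), "")
        fields = dict(p.partition(": ")[::2] for p in ctx.split(" | ") if ": " in p)
        events.append({"time": HEADER.match(head).group(1),
                       "user": fields.get("userName"), "url": fields.get("url")})
    return events

def affected_users(text):
    """Count invalid-token refresh failures per userName."""
    return Counter(e["user"] for e in invalid_token_events(text))
```

Each user returned by `affected_users` corresponds to an `EXTERNAL_ID` to check in the workaround's database step.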

      Workaround

      • Revoke the existing OAuth2 authorisation in Jira:
        1. Impacted user logs into Jira directly
        2. Go to Profile → Personal Settings → Authorized Applications
        3. Locate the entry for the Confluence application link
        4. Click Revoke
      • Check for and delete the corresponding row in the AO_723324_CLIENT_TOKEN table in the Confluence database
        1. Back up the Confluence database
        2. Locate the OAuth2 token in the Confluence database
          select * FROM "AO_723324_CLIENT_TOKEN" where "EXTERNAL_ID" = '<USERNAME>';
          
          Sample output
          ACCESS_TOKEN  ACCESS_TOKEN_EXPIRATION CONFIG_ID                            EXTERNAL_ID ID                                   LAST_REFRESHED LAST_STATUS_UPDATED REFRESH_COUNT REFRESH_TOKEN REFRESH_TOKEN_EXPIRATION STATUS  
          ------------- ----------------------- ------------------------------------ ----------- ------------------------------------ -------------- ------------------- ------------- ------------- ------------------------ ------- 
          {ATL_SECURED} 1778566075743           e66fa593-24b1-4d44-b77b-d0b90c1a7434 person2     8b6cb341-e80a-4ea0-953f-43075d1582aa (null)         1778562475764       0             {ATL_SECURED} 1781154475743            UNKNOWN 
          
        3. Delete the relevant row, e.g.
          delete from "AO_723324_CLIENT_TOKEN" where "EXTERNAL_ID" = '<USERNAME>';
          
          • This can be done whilst Confluence is running
        4. Navigate to Confluence Administration » General Configuration » Cache Management
          • Click Flush All
      • Clear browser session — close all browser tabs for both Confluence and Jira, clear cookies/cache for both domains, or use a fresh incognito session
      • Re-authenticate fresh:
        1. Impacted user opens a Confluence page containing a Jira Issues macro
        2. Click the Authenticate prompt on the macro
        3. Complete the full OAuth2 consent flow on Jira (clicks Allow)
        4. Confirm the macro renders after redirect back to Confluence

              Assignee:
              Jeffery Xie
              Reporter:
              Juwin Zam