Closed: waterfif closed this 11 months ago
Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.
I'm curious about this `"Username" : "andymiller@00DAe000000JDnxMAG.com"`.
Are you dynamically modifying the scratchDef file for each orgID to maintain uniqueness? Do you know about the `--set-unique-username` flag on `sf org create user`, so that you can leave the username out of the def file and let the CLI take care of that for you?
ok, now back to your problem.
`Standard User` profile automatically has access to it? If not, that's why the CLI can't connect as Andy (and the error message is correct). You could do it via a Profile or a PermissionSet.
Hi Shane,
Yes, we are generating the username, so we could definitely make use of the `--set-unique-username` flag in our setup.
To your first point - when we use the web authentication flow we can create our scratch org and test users without any issues. Unfortunately, as these commands are used on our CI/CD pipeline, JWT is our only alternative way of authenticating at the moment.
To your second point - unless I have made a mistake, we should be creating a user by connecting as the `usrtst` alias rather than connecting as Andy. The connected app is set up with the SFDX CLI permission set.
Finally, this is a pre-existing setup i.e. it has been working well until the start of this week. We have a call in to Salesforce to clarify what has changed.
Just to clarify, we think that our LMO was moved to Hyperforce (GB) over the weekend. Would this have an effect on the above problem?
possibly. Did your problems not start until today?
Asking because there was an incident today with hyperforce orgs https://status.salesforce.com/generalmessages/1212?locale=en-US.
The issue started Monday.
We are having exactly the same issue in the CI/CD pipeline, with a slight difference to the opening post. It has been happening for at least a couple of months.
EDIT: details about our setup
We are also using sfdx, as we have not yet moved to sf. Some of our devs, including me, are using sf already, and the script, when run locally, behaves in the same way. You can notice that not all commands are aligned; I am aware, it is work in progress.
Connect to DEVHUB:
```
sfdx force:auth:jwt:grant --username %system.DEV_HUB_USERNAME% -f certs/server.key -i %system.CONNECTED_APP_CONSUMER_KEY% --set-default-dev-hub
```
Create scratch:
```
sfdx org:create:scratch --set-default --definition-file config/project-scratch-def.json --alias $1 --duration-days $days --wait 15
```
Create user:
```
sfdx org create user --set-alias sales --definition-file config/SalesUser.json --target-org $1
```
The error when creating the user:
```
Warning: The --target-dev-hub flag is deprecated and is no longer used by this command. The flag will be removed in API version 57.0 or later.
Error (1): Error authenticating with JWT.
Errors encountered:
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumer
```
`sf version --verbose --json`
```json
{
  "cliVersion": "@salesforce/cli/2.6.7",
  "architecture": "darwin-arm64",
  "nodeVersion": "node-v19.3.0",
  "osVersion": "Darwin 22.6.0",
  "shell": "zsh",
  "rootPath": "/Users/svatopluk.sejkora/.nvm/versions/node/v19.3.0/lib/node_modules/@salesforce/cli",
  "pluginVersions": [
    "@oclif/plugin-autocomplete 2.3.6 (core)",
    "@oclif/plugin-commands 2.2.23 (core)",
    "@oclif/plugin-help 5.2.17 (core)",
    "@oclif/plugin-not-found 2.3.37 (core)",
    "@oclif/plugin-plugins 3.2.7 (core)",
    "@oclif/plugin-search 0.0.22 (core)",
    "@oclif/plugin-update 3.1.32 (core)",
    "@oclif/plugin-version 1.3.8 (core)",
    "@oclif/plugin-warn-if-update-available 2.0.48 (core)",
    "@oclif/plugin-which 2.2.31 (core)",
    "@salesforce/cli 2.6.7 (core)",
    "apex 2.3.11 (core)",
    "auth 2.8.13 (core)",
    "community 2.3.10 (user)",
    "data 2.5.7 (core)",
    "deploy-retrieve 1.17.5 (core)",
    "info 2.6.39 (core)",
    "limits 2.3.31 (core)",
    "login 1.2.28 (core)",
    "org 2.10.3 (core)",
    "packaging 1.16.5 (user)",
    "schema 2.3.23 (core)",
    "settings 1.4.26 (core)",
    "sobject 0.2.6 (core)",
    "source 2.10.32 (core)",
    "telemetry 2.3.1 (core)",
    "templates 55.5.10 (core)",
    "trust 2.6.3 (core)",
    "user 2.3.29 (core)",
    "ci-sfdx-plugin 0.5.2 (user)",
    "sfdmu 4.30.0 (user)",
    "sfdx-git-delta 5.24.2 (user)"
  ]
}
```
I think this is related. We cannot create scratch orgs on 2.9.8 if we first authenticate to our devhub using jwt flow.
Trying authentication to our devhub via auth-url seemed to work ( at least more consistently )
This issue has not received a response in 7 days. It will auto-close in 7 days unless a response is posted.
We are currently pursuing this with Salesforce support; however, we are currently using a workaround that entails:
1. Log in to the hub: `sf org login web --set-default-dev-hub --alias <MyHubName>`
2. Take the `sfdxAuthUrl` value from the command `sf org display -o <MyHubName> --verbose --json`. The value starts with `force://PlatformCLI::<refreshtoken>@<hub instance url>`.
3. Store the `sfdxAuthUrl` value in a secure property inside your CI platform.
4. Write the `force://...` value to a text file, e.g. `echo "${sfdx_auth_url_val}" > ./sfdxauth.txt`
5. Use the `sfdxauth.txt` file to log in: `sfdx auth:sfdxurl:store -f ./sfdxauth.txt --set-default-dev-hub --alias <MyHubName> --json`
This appears to work and all test users are created successfully. We are trying it over the course of the week and at the moment we haven't had any problems.
After talking to SF support, they have accepted that there is an issue with the JWT bearer flow when recreating the above scenario on Hyperforce orgs. They will also be raising a documentation bug so that the JWT bearer flow help pages can be updated with a caveat on this. No fix date has been given at the moment.
This issue has not received a response in 7 days. It will auto-close in 7 days unless a response is posted.
Closing as a workaround has been provided while SF fix the issue
@waterfif Has anything come of this? Have you seen the bug get fixed (e.g. on a later SF CLI version) or documented by Salesforce anywhere?
@b-bowers nothing as yet I'm afraid. Although they accepted that this was an issue, they were less specific about at what point the issue would be fixed. Looking at the JWT Bearer Token Flow docs, it hasn't even made it to there yet. We are continuing to use the workaround using sfdxurl shown above and this appears to work well in a CI / CD context.
FWIW, this issue fixed itself as suddenly as it appeared. After about 12 hours of consistent failures on 11/14-11/15, this error went away by itself - no changes to our SF orgs or CI config.
@b-bowers thanks for the update. Our issue appeared to correlate with the move to Hyperforce (UK) over a weekend. The same commands that worked before the weekend, didn't work after and the only change was our move to Hyperforce. Were you notified that your source org was moving to Hyperforce? It may be nothing to do with it but that was our experience.
@waterfif our issue started about 2 weeks after our Hyperforce (US) migration.
We are still seeing this issue currently and we are also on hyperforce. https://github.com/forcedotcom/cli/issues/2575
The known issue is marked as "working as intended" so not sure if Salesforce will actually fix this
Note: the workaround listed here will only work if the Connected App is set up not to expire sessions or refresh tokens. Otherwise, CI/CD would fail whenever those expire, which may be a security consideration.
@nwcm the security issue is still a concern for us and we may attempt to switch back to JWT soon once we have confidence that the issue is fixed.
When talking to Salesforce Support - they attempted to give us the "Working As Expected" explanation but we pushed back on that as it clearly is not. JWT auth worked one day and the same commands did not work the next.
@waterfif @mshanemc ... This issue is happening again when we try to create a user ..
```json
{
  "code": 1,
  "context": "CreateUserCommand",
  "commandName": "CreateUserCommand",
  "message": "Error authenticating with JWT.\nErrors encountered:\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer",
  "name": "SfError",
  "status": 1,
  "stack": "SfError: Error authenticating with JWT.\nErrors encountered:\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\n at SfError.wrap (/usr/local/lib/node_modules/@salesforce/cli/node_modules/@salesforce/core/lib/sfError.js:79:20)\n at catchCreateUser (file:///usr/local/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:244:23)\n at getNewUserAuthInfo (file:///usr/local/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:227:16)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async CreateUserCommand.run (file:///usr/local/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:71:33)\n at async CreateUserCommand._run (/usr/local/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/command.js:304:22)\n at async Config.runCommand (/usr/local/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/config/config.js:417:25)\n at async run (/usr/local/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/main.js:85:16)",
  "exitCode": 1,
  "warnings": [
    "The --target-dev-hub flag is deprecated and is no longer used by this command. The flag will be removed in API version 57.0 or later."
  ]
}
```
Any suggestion or workaround will be really useful.
Looks like the error message has now changed to reflect the JWT restriction when creating users in Hyperforce:
```
JwtHyperforceError: This command doesn't work when authorizing an org using the JWT flow if the org is on Hyperforce.
```
@subashniprasannasagecom
> @waterfif @mshanemc ... This issue is happening again when we try to create a user .. Any suggestion or work around will be really useful

Best option I can think of, while I'm discovering this issue myself today too Subs, is to create an anon apex file to create the users instead. You can run this apex using `sf apex run -f <YOUR_SCRIPT> -o <YOUR_ORG_ALIAS>`, and I suspect the apex won't have this error.
The issue I'm having, as far as I can tell, is the same. In my JavaScript that connects to SF using
```javascript
new jsforce.Connection({ instanceUrl: sfOrg.instanceUrl, accessToken: sfOrg.accessToken });
```
and then tries to create a user using the `sf org create user` CLI command, I get an error saying:
```
Error: sf org create user failed with exit code:- 1 "code": 1, "actions": [ "Authorize your Dev Hub with either the org login web or org login sfdx-url command. You can then successfully use the org create user command on scratch orgs that you create with your Dev Hub." ], "context": "CreateUserCommand", "commandName": "CreateUserCommand", "message": "This command doesn't work when authorizing an org using the JWT flow if the org is on Hyperforce.", "name": "JwtHyperforceError", "status": 1 "Stack":" JwtHyperforceError: This command doesn't work when authorizing an org using the JWT flow if the org is on Hyperforce. at Messages.createError (/opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@salesforce/core/lib/messages.js:444:16) at getValidatedConnection (file:///opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:248:24) at async CreateUserCommand.run (file:///opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:57:22) at async CreateUserCommand._run (/opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/command.js:311:22) at async Config.runCommand (/opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/config/config.js:433:25) at async run (/opt/hostedtoolcache/node/2 "
```
I found this comment from mshanemc on a similar thread that also suggests my hunch as a workaround... So it's what I'm going to go for.
Comment here from @mshanemc https://github.com/forcedotcom/cli/issues/2575#issuecomment-1821774722
Hopefully this helps anyone else struggling to understand and "solve" this issue.
Summary
As part of our CI/CD pipeline we are experiencing issues creating users on a scratch org created using the JWT authentication flow.
The 3 basic steps involved in this process are:
Steps To Reproduce
1. `sf login org jwt --username "${DEV_HUB_USERNAME}" --jwt-key-file config/server.key --set-default-dev-hub --alias DevHub --client-id "${CLIENT_ID}" --json`
Output:
2. `sf org create scratch --set-default --definition-file "config/project-scratch-def.json" --alias usrtst --duration-days 1 --wait 10 --target-dev-hub DevHub --json`
Project Definition File (config/project-scratch-def.json):
Output:
3. Create the user Andy Miller: `sf org create user --set-alias amiller --definition-file ./setup/user-defs/amiller.json --target-org usrtst --json`
User Definition File (setup/user-defs/amiller.json):
Output:
Expected result
A user called Andy Miller is created in the `usrtst` scratch org and can be retrieved via the Salesforce CLI using the command `sf org list users`.
Actual result
A user called Andy Miller is created in the `usrtst` scratch org, but the JWT error appears to prevent any further retrieval of the user using the CLI.
System Information
Shell
git bash
sf version --verbose --json
Additional information