Closed waterfif closed 11 months ago
github-actions[bot]
commented
12 months ago Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.
mshanemc
commented
12 months ago I'm curious about this "Username" : "andymiller@00DAe000000JDnxMAG.com",
Are you dynamically modifying the scratchDef file for each orgID to maintain uniqueness?? Do you know about the --set-unique-username on sf org create user so that you can leave the username out of the def file and let the CLI take care of that for you?
ok, now back to your problem.
Standard User profile automatically has access to it? If not, that's why the CLI can't connect as Andy (and the error message is correct). You could do it via a Profile or a PermissionSet
waterfif
commented
12 months ago Hi Shane,
Yes we are generating the username so we could definitely make use of the --set-unique-username in our setup.
To your first point - when we use the web authentication flow we can create our scratch org and test users without any issues. Unfortunately, as these commands are used on our CI/CD pipeline, JWT is our only alternative way of authenticating at the moment.
To your second point - unless I have made a mistake, we should be creating a user by connecting as the usrtst alias rather than connecting as Andy. The connected app is setup with the SFDX CLI permission set.
Finally, this is a pre-existing setup i.e. it has been working well until the start of this week. We have a call in to Salesforce to clarify what has changed.
waterfif
commented
12 months ago Just to clarify, we think that our LMO was moved to Hyperforce (GB) over the weekend. Would this have an effect on the above problem?
mshanemc
commented
12 months ago possibly. Did your problems not start until today?
Asking because there was an incident today with hyperforce orgs https://status.salesforce.com/generalmessages/1212?locale=en-US.
waterfif
commented
12 months ago The issue started Monday.
SvataSejkora
commented
11 months ago WE are having exactly same issue in the CI/CD Pipeline. With slight difference to the opening post. It is happening for at least a couple months.
EDIT: details about our setup
We are also using sfdx, as we did not yet moved to the sf. Some of our devs, including me, are using sf already, and the script, when run locally, behaves in a same way. You can notice that not all commands are aligned, I am aware, it is work in progress.
Connect to DEVHUB
sfdx force:auth:jwt:grant --username %system.DEV_HUB_USERNAME% -f certs/server.key -i %system.CONNECTED_APP_CONSUMER_KEY% --set-default-dev-hubCreate scratch
sfdx org:create:scratch --set-default --definition-file config/project-scratch-def.json --alias $1 --duration-days $days --wait 15Create User
sfdx org create user --set-alias sales --definition-file config/SalesUser.json --target-org $1The Error when creating the user
Warning: The --target-dev-hub flag is deprecated and is no longer used by this command. The flag will be removed in API version 57.0 or later.
Error (1): Error authenticating with JWT.
Errors encountered:
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumersf version --verbose --json
{
"cliVersion": "@salesforce/cli/2.6.7",
"architecture": "darwin-arm64",
"nodeVersion": "node-v19.3.0",
"osVersion": "Darwin 22.6.0",
"shell": "zsh",
"rootPath": "/Users/svatopluk.sejkora/.nvm/versions/node/v19.3.0/lib/node_modules/@salesforce/cli",
"pluginVersions": [
"@oclif/plugin-autocomplete 2.3.6 (core)",
"@oclif/plugin-commands 2.2.23 (core)",
"@oclif/plugin-help 5.2.17 (core)",
"@oclif/plugin-not-found 2.3.37 (core)",
"@oclif/plugin-plugins 3.2.7 (core)",
"@oclif/plugin-search 0.0.22 (core)",
"@oclif/plugin-update 3.1.32 (core)",
"@oclif/plugin-version 1.3.8 (core)",
"@oclif/plugin-warn-if-update-available 2.0.48 (core)",
"@oclif/plugin-which 2.2.31 (core)",
"@salesforce/cli 2.6.7 (core)",
"apex 2.3.11 (core)",
"auth 2.8.13 (core)",
"community 2.3.10 (user)",
"data 2.5.7 (core)",
"deploy-retrieve 1.17.5 (core)",
"info 2.6.39 (core)",
"limits 2.3.31 (core)",
"login 1.2.28 (core)",
"org 2.10.3 (core)",
"packaging 1.16.5 (user)",
"schema 2.3.23 (core)",
"settings 1.4.26 (core)",
"sobject 0.2.6 (core)",
"source 2.10.32 (core)",
"telemetry 2.3.1 (core)",
"templates 55.5.10 (core)",
"trust 2.6.3 (core)",
"user 2.3.29 (core)",
"ci-sfdx-plugin 0.5.2 (user)",
"sfdmu 4.30.0 (user)",
"sfdx-git-delta 5.24.2 (user)"
]
}
****
jdschleicher
commented
11 months ago I think this is related. We cannot create scratch orgs on 2.9.8 if we first authenticate to our devhub using jwt flow.
Trying authentication to our devhub via auth-url seemed to work ( at least more consistently )
github-actions[bot]
commented
11 months ago This issue has not received a response in 7 days. It will auto-close in 7 days unless a response is posted.
waterfif
commented
11 months ago We are currently pursuing this with Salesforce support, however, we are currently using a workaround that entails:
sf org login web --set-default-dev-hub --alias <MyHubName>sfdxAuthUrl value from the command: sf org display -o <MyHubName> --verbose --json. The value starts with force://PlatformCLI::.<refreshtoken>@<hub instance url>sfdxAuthUrl value in a secure property inside your CI platformforce://... value to a text file e.g. echo "${sfdx_auth_url_val}" > ./sfdxauth.txtsfdxauth.txt file to login: sfdx auth:sfdxurl:store -f ./sfdxurl.txt --set-default-dev-hub --alias <MyHubName> --jsonThis appears to work and all test users are created successfully. We are trying it over the course of the week and at the moment we haven't had any problems.
waterfif
commented
11 months ago After talking to SF support, they have accepted that there is an issue with the JWT bearer flow when recreating the above scenario on Hyperforce orgs. They will also be raising a documentation bug so that the JWT bearer flow help pages can be updated with a caveat on this. No fix date has been given at the moment.
github-actions[bot]
commented
11 months ago This issue has not received a response in 7 days. It will auto-close in 7 days unless a response is posted.
waterfif
commented
11 months ago Closing as a workaround has been provided while SF fix the issue
b-bowers
commented
10 months ago @waterfif Has anything come of this? Have you seen the bug get fixed (e.g. on a later SF CLI version) or documented by Salesforce anywhere?
waterfif
commented
10 months ago @b-bowers nothing as yet I'm afraid. Although they accepted that this was an issue they were less specific about at what point the issue would be fixed. Looking on the JWT Bearer Token Flow docs it hasn't even made it to there yet. We are continuing to use the work around using sfdxurl shown above and this appears to work well in a CI / CD context.
b-bowers
commented
10 months ago FWIW, this issue fixed itself as suddenly as it appeared. After about 12 hours of consistent failures on 11/14-11/15, this error went away by itself - no changes to our SF orgs or CI config.
waterfif
commented
10 months ago @b-bowers thanks for the update. Our issue appeared to correlate with the move to Hyperforce (UK) over a weekend. The same commands that worked before the weekend, didn't work after and the only change was our move to Hyperforce. Were you notified that your source org was moving to Hyperforce? It may be nothing to do with it but that was our experience.
b-bowers
commented
10 months ago @waterfif our issue started about 2 weeks after our Hyperforce (US) migration.
nwcm
commented
9 months ago We are still seeing this issue currently and we are also on hyperforce. https://github.com/forcedotcom/cli/issues/2575
The known issue is marked as "working as intended" so not sure if Salesforce will actually fix this
Note
The work around listed here will only work if the Connected App is setup not to expire sessions or refresh tokens. Otherwise, CI/CD would fail whenever those are set to expire. Which may be a security consideration
waterfif
commented
9 months ago @nwcm the security issue is still a concern for us and we may attempt to switch back to JWT soon once we have confidence that the issue is fixed.
When talking to Salesforce Support - they attempted to give us the "Working As Expected" explanation but we pushed back on that as it clearly is not. JWT auth worked one day and the same commands did not work the next.
subashniprasannasagecom
commented
7 months ago @waterfif @mshanemc ... This issue is happening again when we try to create a user .. { "code": 1, "context": "CreateUserCommand", "commandName": "CreateUserCommand", "message": "Error authenticating with JWT.\nErrors encountered:\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer", "name": "SfError", "status": 1, "stack": "SfError: Error authenticating with JWT.\nErrors encountered:\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\n at SfError.wrap (/usr/local/lib/node_modules/@salesforce/cli/node_modules/@salesforce/core/lib/sfError.js:79:20)\n at catchCreateUser (file:///usr/local/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:244:23)\n at getNewUserAuthInfo (file:///usr/local/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:227:16)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async CreateUserCommand.run (file:///usr/local/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:71:33)\n at async CreateUserCommand._run (/usr/local/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/command.js:304:22)\n at async Config.runCommand (/usr/local/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/config/config.js:417:25)\n at async run (/usr/local/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/main.js:85:16)", "exitCode": 1, "warnings": [ "The --target-dev-hub flag is deprecated and is no longer used by this command. The flag will be removed in API version 57.0 or later." ] }
Any suggestion or work around will be really useful
waterfif
commented
6 months ago Looks like the error message has now changed to reflect the JWT restriction when creating users in Hyperforce
JwtHyperforceError: This command doesn't work when authorizing an org using the JWT flow if the org is on Hyperforce.
jofrippfairsailcom
commented
4 months ago @subashniprasannasagecom
@waterfif @mshanemc ... This issue is happening again when we try to create a user .. Any suggestion or work around will be really useful
Best option I can think of, while I'm discovering this issue myself today too Subs...
Is to create an anon apex file to create the users instead, you can run this apex using sf apex run -f <YOUR_SCRIPT> -o <YOU_ORG_ALIAS> and I suspect the apex won't have this error.
The issue I'm having, as far as I can tell is the same. In my javascript that connects to SF using
new jsforce.Connection({ instanceUrl: sfOrg.instanceUrl, accessToken: sfOrg.accessToken });
And then tries to create a user using the sf org create user CLI command.
I get an error saying:
Error: sf org create user failed with exit code:- 1 "code": 1, "actions": [ "Authorize your Dev Hub with either the
org login webororg login sfdx-urlcommand. You can then successfully use theorg create usercommand on scratch orgs that you create with your Dev Hub." ], "context": "CreateUserCommand", "commandName": "CreateUserCommand", "message": "This command doesn't work when authorizing an org using the JWT flow if the org is on Hyperforce.", "name": "JwtHyperforceError", "status": 1 "Stack":" JwtHyperforceError: This command doesn't work when authorizing an org using the JWT flow if the org is on Hyperforce. at Messages.createError (/opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@salesforce/core/lib/messages.js:444:16) at getValidatedConnection (file:///opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:248:24) at async CreateUserCommand.run (file:///opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:57:22) at async CreateUserCommand._run (/opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/command.js:311:22) at async Config.runCommand (/opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/config/config.js:433:25) at async run (/opt/hostedtoolcache/node/2 "
I found this comment from mshanemc on a similar thread that also suggests my hunch as a workaround... So it's what I'm going to go for.
Comment here from @mshanemc https://github.com/forcedotcom/cli/issues/2575#issuecomment-1821774722
Hopefully this helps anyone else struggling to understand and "solve" this issue.
Summary
As part of our CI/CD pipeline we are experiencing issues creating users on a scratch org created using the JWT authentication flow.
The 3 basic steps involved in this process are:
Steps To Reproduce
sf login org jwt --username "${DEV_HUB_USERNAME}" --jwt-key-file config/server.key --set-default-dev-hub --alias DevHub --client-id "${CLIENT_ID}" --jsonOutput:
sf org create scratch --set-default --definition-file "config/project-scratch-def.json" --alias usrtst --duration-days 1 --wait 10 --target-dev-hub DevHub --jsonProject Definition File (config/project-scratch-def.json):
Output:
Andy Miller:sf org create user --set-alias amiller --definition-file ./setup/user-defs/amiller.json --target-org usrtst --jsonUser Definition File (setup/user-defs/amiller.json):
Output:
Expected result
A user called Andy Miller is created in the
usrtstscratch org and can be retrieved via the salesforce cli using the commandsf org list usersActual result
A user called Andy Miller is created in the
usrtstscratch org but the JWT error appears to prevent any further retrieval of the user using the cli.System Information
Shell
git bashsf version --verbose --jsonAdditional information