"Error authenticating with the refresh token due to: invalid client credentials" when running "sfdx force:user:create"

[FabienTaillon]

Summary

While running sfdx force:user:create I'm getting an error: ERROR running force:user:create: Error authenticating with the refresh token due to: invalid client credentials The user is created though.

Steps To Reproduce:

On any Scratch Org (I tested with the Dreamhouse-lwc repo, I could repro), try tro create a user like this: sfdx force:user:create -f user.json

I'm using a basic user file:

{
    "Username": "richard@piedpiper.com.1234",
    "FirstName": "Richard",
    "LastName": "Hendricks",
    "profileName": "Standard Platform User"
}

Expected result

The user is created without any error.

Actual result

The user is created, but the command fails with an error.

Additional information

macOS BigSur

@oclif/plugin-autocomplete 0.3.0
@oclif/plugin-commands 1.3.0 (core)
@oclif/plugin-help 3.2.1 (core)
@oclif/plugin-not-found 1.2.4 (core)
@oclif/plugin-plugins 1.9.5 (core)
@oclif/plugin-update 1.3.10 (core)
@oclif/plugin-warn-if-update-available 1.7.0 (core)
@oclif/plugin-which 1.0.3 (core)
@salesforce/sfdx-scanner 2.5.1
@salesforce/sfdx-trust 3.6.0 (core)
alias 1.1.5 (core)
analytics 1.12.1 (core)
auth 1.4.6 (core)
config 1.2.3 (core)
evergreen 0.34.0
└─ evergreen-build 0.20.2
generator 1.1.3 (core)
salesforcedx 50.13.3 (core)
├─ schema 1.0.3 (core)
├─ limits 1.0.2 (core)
├─ user 1.0.5 (core)
├─ templates 50.4.0 (core)
├─ apex 0.1.4 (core)
├─ @salesforce/sfdx-plugin-lwc-test 0.1.7 (core)
├─ salesforce-alm 50.13.1 (core)
└─ custom-metadata 1.0.11 (core)
sfdx-cli 7.84.2 (core)

[github-actions[bot]]

Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.

[WillieRuemmele]

Hi @FabienTaillon could you try installing the newest 'user' plugin version with sfdx plugins:intsall userand let me know if that fixes it? If that doesn't fix it could you add --dev-debug to the command and paste the output

[FabienTaillon]

It's failing too.

Here is the part of the log that fails:

sfdx:UserCreateCommand DEBUG Querying org for profile name [Standard Platform User] +5s
  sfdx:connection DEBUG request: {"method":"GET","url":"https://force-ability-5092-dev-ed.cs68.my.salesforce.com//services/data/v50.0/query?q=SELECT%20id%20FROM%20profile%20WHERE%20name%3D'Standard%20Platform%20User'","headers":{"content-type":"application/json","user-agent":"sfdx toolbelt:"}} +636ms
  sfdx:User DEBUG user create request body: {"username":"fabien@scratchorg.com.test3","emails":["fabien@texei.com"],"name":{"familyName":"Taillon"},"nickName":"fabien@scratchorg.com.test3","entitlements":[{"value":"00e1D000000teRKQAY"}]} +500ms
  sfdx:User DEBUG scimUrl: https://force-ability-5092-dev-ed.cs68.my.salesforce.com//services/scim/v1/Users +0ms
  sfdx:User DEBUG user create response.statusCode: 201 +1s
  sfdx:connection DEBUG request: {"method":"PATCH","url":"https://force-ability-5092-dev-ed.cs68.my.salesforce.com//services/data/v50.0/sobjects/User/0051D000005zPwmQAE","body":"{\"Alias\":\"UUser\",\"EmailEncodingKey\":\"UTF-8\",\"LanguageLocaleKey\":\"en_US\",\"LocaleSidKey\":\"en_US\",\"TimeZoneSidKey\":\"America/Los_Angeles\",\"FirstName\":\"Fabien\"}","headers":{"content-type":"application/json","user-agent":"sfdx toolbelt:","Content-Type":"application/json"}} +2s
  sfdx:User DEBUG Successfully Updated additional properties for user: fabien@scratchorg.com.test3 +650ms
  sfdx:core TRACE Setup child 'AuthInfoConfig' logger instance +3s
  sfdx:AuthInfoConfig INFO Reading config file: /Users/fabien/.sfdx/fabien@scratchorg.com.test3.json +6s
  sfdx:core TRACE Setup child 'AuthInfo' logger instance +2ms
  sfdx:core TRACE Setup child 'crypto' logger instance +1ms
  sfdx:crypto DEBUG retryStatus: undefined +4s
  sfdx:core TRACE Setup child 'keyChain' logger instance +0ms
  sfdx:keyChain DEBUG platform: darwin +4s
ERROR running force:user:create:  Error authenticating with the refresh token due to: invalid client credentials 
*** Internal Diagnostic ***

SfdxError: Error authenticating with the refresh token due to: invalid client credentials
    at Function.wrap (/Users/fabien/Documents/git/plugin-user/node_modules/@salesforce/core/lib/sfdxError.js:169:20)
    at UserCreateCommand.catchCreateUser (/Users/fabien/Documents/git/plugin-user/src/commands/force/user/create.ts:164:23)
    at UserCreateCommand.run (/Users/fabien/Documents/git/plugin-user/src/commands/force/user/create.ts:91:18)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
******

  sfdx:UserCreateCommand ERROR [
  sfdx:UserCreateCommand   '\u001b[1mERROR running force:user:create: \u001b[22m',
  sfdx:UserCreateCommand   '\u001b[31mError authenticating with the refresh token due to: invalid client credentials\u001b[39m',
  sfdx:UserCreateCommand   '\u001b[31m\u001b[39m\n' +
  sfdx:UserCreateCommand     '\u001b[31m*** Internal Diagnostic ***\u001b[39m\n' +
  sfdx:UserCreateCommand     '\u001b[31m\u001b[39m\n' +
  sfdx:UserCreateCommand     '\u001b[31mSfdxError: Error authenticating with the refresh token due to: invalid client credentials\u001b[39m\n' +
  sfdx:UserCreateCommand     '\u001b[31m    at Function.wrap (/Users/fabien/Documents/git/plugin-user/node_modules/@salesforce/core/lib/sfdxError.js:169:20)\u001b[39m\n' +
  sfdx:UserCreateCommand     '\u001b[31m    at UserCreateCommand.catchCreateUser (/Users/fabien/Documents/git/plugin-user/src/commands/force/user/create.ts:164:23)\u001b[39m\n' +
  sfdx:UserCreateCommand     '\u001b[31m    at UserCreateCommand.run (/Users/fabien/Documents/git/plugin-user/src/commands/force/user/create.ts:91:18)\u001b[39m\n' +
  sfdx:UserCreateCommand     '\u001b[31m    at processTicksAndRejections (internal/process/task_queues.js:97:5)\u001b[39m\n' +
  sfdx:UserCreateCommand     '\u001b[31m******\u001b[39m\n' +
  sfdx:UserCreateCommand     '\u001b[31m\u001b[39m'
  sfdx:UserCreateCommand ] +3s
  sfdx:Org DEBUG isDevHub is not cached - querying server... +4s

[FabienTaillon]

Looks like the commands crashing is in sfdx core: https://github.com/forcedotcom/sfdx-core/blob/main/src/user.ts#L349

[WillieRuemmele]

so the user IS created right? can you run sfdx force:user:display -u <new username> and see if it returns anything

[FabienTaillon]

Yes the user is created, I can see it in the Scratch Org.

[WillieRuemmele]

what's the output of user:display? I'm on plugin-user 1.0.12 and I'm not seeing this error, just trying to find what's different/ why you're seeing it.

[FabienTaillon]

ERROR running force:user:display: No AuthInfo found for name <username>, still the user does exists. As the error seems to be in sfdx-core, maybe this is where we have a different version. Not sure where I can see the version I have, if it's under salesforcedx, sfdx-cli or somewhere else.

[WillieRuemmele]

totally a possibility, if you're using an npm based installation of the CLI you could update to next weeks release with npm install sfdx-cli@latest-rc --global to see if it has already been resolved?

[FabienTaillon]

I got an error:

npm ERR! EEXIST: file already exists, symlink '../lib/node_modules/sfdx-cli/bin/run' -> '/usr/local/bin/sfdx'
npm ERR! File exists: /usr/local/bin/sfdx
npm ERR! Remove the existing file and try again, or run npm
npm ERR! with --force to overwrite files recklessly.

I know there was a rollback of some stuff on the CLI, so maybe I'll just wait for the new version to come out, update it and see if it fixes the issue. Otherwise I'll reinstall the whole CLI.

Then I'll come and update this issue.

[WillieRuemmele]

Hi @FabienTaillon could you try running this with the latest-rc build of the cli, you can install it with npm install sfdx-cli@latest-rc --global and uninstall it with npm uninstall sfdx-cli@latest-rc --global

[FabienTaillon]

Doesn't change anything.

What's weird is that after the command has failed (but the user is created), I can see an error in the login history of the created user:

[FabienTaillon]

Hi @WillieRuemmele, looks like the failing line is here.

On the computer where it fails, options looks like this (I've removed the real values for refreshToken and clientSecret):

{
  loginUrl: 'https://CS43.salesforce.com',
  refreshToken: 'XXXXX',
  clientId: 'SalesforceDevelopmentExperience',
  clientSecret: 'XXXXX'
}

However on a computer where it works, options looks like this:

{
  loginUrl: 'https://CS10.salesforce.com',
  refreshToken: 'XXXXX,
  clientId: 'PlatformCLI'
}

Not sure why it's different.

[FabienTaillon]

@WillieRuemmele so now it's working. Seeing that clientId was different, I reauthenticated to my DevHub, and now I don't get the error.

These information were coming from the file /Users/myuser/.sfdx/mySalesforceUsername@myorg.com.json and the file included "clientId": "SalesforceDevelopmentExperience", plus a clientSecret value.

After authenticating again, I now have "clientId": "PlatformCLI" and no clientSecret.

This looks like to be what the current CLI is expecting.

Maybe there was a change of the connected app used by the CLI at some point, moving from SalesforceDevelopmentExperience to PlatformCLI ? Plus a change where clientSecret isn't used anymore ?

I don't recall seeing anything about that, but if so that's a breaking change that may even impact other commands, if older format for files storing connections isn't supported anymore.

[FabienTaillon]

@amphro @clairebianchi maybe you'll know more on this connected app change (SalesforceDevelopmentExperience --> PlatformCLI) ?

[FabienTaillon]

I'm closing this one as I got it fixed, even though I don't know why the connected app changed. I'll let it up to you to see if this could be the root cause of other open issues. Thanks @WillieRuemmele for the help 👍