@salesforce/cli : JWT Authentication Flow prevents the creation of test users in scratch org

[waterfif]

Summary

As part of our CI/CD pipeline we are experiencing issues creating users on a scratch org created using the JWT authentication flow.

The 3 basic steps involved in this process are:

• Grant Access to DevHub
• Create Scratch Org
• Create User in Scratch Org

Steps To Reproduce

• Grant Access to Dev Hub:
  sf login org jwt --username "${DEV_HUB_USERNAME}" --jwt-key-file config/server.key --set-default-dev-hub --alias DevHub --client-id "${CLIENT_ID}" --json

Output:

{
  "status": 0,
  "result": {
    "accessToken": ...,
    "orgId": ...,
    "loginUrl": "https://login.salesforce.com",
    "privateKey": ...,
    "clientId": ...,
    "instanceUrl": ...,
    "isDevHub": true,
    "username": ...
  },
  "warnings": []
}

• Create Scratch Org:
  sf org create scratch --set-default --definition-file "config/project-scratch-def.json" --alias usrtst --duration-days 1 --wait 10 --target-dev-hub DevHub --json

Project Definition File (config/project-scratch-def.json):

{
    "orgName": "Dev Scratch Org",
    "edition": "Enterprise",
    "features": ["API","ProviderFreePlatformCache"],
    "settings": {
        "securitySettings": {
            "sessionSettings": {
                "sessionTimeout": "TwoHours"
            }
        },
        "lightningExperienceSettings": {
            "enableS1DesktopEnabled": true
        }
    }
}

Output:

{
  "status": 0,
  "result": {
    ...
    },
    "authFields": {
     ...
    },
    "warnings": [],
    "orgId": ...
  },
  "warnings": []
}

• Create User Andy Miller:

sf org create user --set-alias amiller --definition-file ./setup/user-defs/amiller.json --target-org usrtst --json

User Definition File (setup/user-defs/amiller.json):

{
  "Username" : "[email protected]",
  "FirstName" : "Andy",
  "LastName" : "Miller",
  "Email" : "[email protected]",
  "Alias" : "amiller",
  "TimeZoneSidKey" : "Europe/London",
  "LocaleSidKey" : "en_us",
  "EmailEncodingKey" : "UTF-8",
  "LanguageLocaleKey" : "en_us",
  "profileName" : "Standard User",
  "permsets" : [ ],
  "generatePassword" : true
}

Output:

{
  "code": 1,
  "context": "CreateUserCommand",
  "commandName": "CreateUserCommand",
  "message": "Error authenticating with JWT.\nErrors encountered:\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer",
  "name": "SfError",
  "status": 1,
  "stack": "SfError: Error authenticating with JWT.\nErrors encountered:\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\n    at SfError.wrap (C:\\Users\\frase\\AppData\\Roaming\\npm\\node_modules\\@salesforce\\cli\\node_modules\\@salesforce\\core\\lib\\sfError.js:79:20)\n    at catchCreateUser (C:\\Users\\frase\\AppData\\Roaming\\npm\\node_modules\\@salesforce\\cli\\node_modules\\@salesforce\\plugin-user\\lib\\commands\\org\\create\\user.js:255:30)\n    at getNewUserAuthInfo (C:\\Users\\frase\\AppData\\Roaming\\npm\\node_modules\\@salesforce\\cli\\node_modules\\@salesforce\\plugin-user\\lib\\commands\\org\\create\\user.js:238:16)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async CreateUserCommand.run (C:\\Users\\frase\\AppData\\Roaming\\npm\\node_modules\\@salesforce\\cli\\node_modules\\@salesforce\\plugin-user\\lib\\commands\\org\\create\\user.js:43:33)\n    at async CreateUserCommand._run (C:\\Users\\frase\\AppData\\Roaming\\npm\\node_modules\\@salesforce\\cli\\node_modules\\@oclif\\core\\lib\\command.js:117:22)\n    at async Config.runCommand (C:\\Users\\frase\\AppData\\Roaming\\npm\\node_modules\\@salesforce\\cli\\node_modules\\@oclif\\core\\lib\\config\\config.js:314:25)\n    at async run (C:\\Users\\frase\\AppData\\Roaming\\npm\\node_modules\\@salesforce\\cli\\node_modules\\@oclif\\core\\lib\\main.js:89:16)",
  "exitCode": 1,
  "warnings": [
    "The --target-dev-hub flag is deprecated and is no longer used by this command. The flag will be removed in API version 57.0 or later."
  ]
}

Expected result

A user called Andy Miller is created in the usrtst scratch org and can be retrieved via the salesforce cli using the command sf org list users

Actual result

A user called Andy Miller is created in the usrtst scratch org but the JWT error appears to prevent any further retrieval of the user using the cli.

System Information

Shell git bash

sf version --verbose --json

{
  "cliVersion": "@salesforce/cli/2.8.11",
  "architecture": "win32-x64",
  "nodeVersion": "node-v18.16.0",
  "osVersion": "Windows_NT 10.0.22621",
  "shell": "C:\\Program Files\\Git\\usr\\bin\\bash.exe",
  "rootPath": "C:\\Users\\frase\\AppData\\Roaming\\npm\\node_modules\\@salesforce\\cli",
  "pluginVersions": [
    "@oclif/plugin-autocomplete 2.3.8 (core)",
    "@oclif/plugin-commands 2.2.25 (core)",
    "@oclif/plugin-help 5.2.19 (core)",
    "@oclif/plugin-not-found 2.4.1 (core)",
    "@oclif/plugin-plugins 3.4.2 (core)",
    "@oclif/plugin-search 0.0.22 (core)",
    "@oclif/plugin-update 3.2.3 (core)",
    "@oclif/plugin-version 1.3.10 (core)",
    "@oclif/plugin-warn-if-update-available 2.1.0 (core)",
    "@oclif/plugin-which 2.2.32 (core)",
    "@salesforce/cli 2.8.11 (core)",
    "apex 2.3.14 (core)",
    "auth 2.8.16 (core)",
    "data 2.5.8 (core)",
    "deploy-retrieve 1.17.8 (core)",
    "env 2.1.11 (user)",
    "info 2.6.40 (core)",
    "limits 2.3.33 (core)",
    "login 1.2.29 (core)",
    "marketplace 0.1.3 (core)",
    "org 2.10.6 (core)",
    "schema 2.3.25 (core)",
    "settings 1.4.28 (core)",
    "signups 1.4.22 (user)",
    "sobject 0.2.6 (core)",
    "source 2.10.33 (core)",
    "telemetry 2.3.1 (core)",
    "templates 55.5.11 (core)",
    "trust 2.6.9 (core)",
    "user 2.3.32 (core)"
  ]
}

Additional information

[github-actions]

Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.

[mshanemc]

I'm curious about this "Username" : "[email protected]",

Are you dynamically modifying the scratchDef file for each orgID to maintain uniqueness?? Do you know about the --set-unique-username on sf org create user so that you can leave the username out of the def file and let the CLI take care of that for you?

ok, now back to your problem.

• are you saying it works without JWT, or that you've only tested it with JWT?
• is your JWT ConnectedApp set up such that the Standard User profile automatically has access to it? If not, that's why the CLI can't connect as Andy (and the error message is correct). You could do it via a Profile or a PermissionSet

[waterfif]

Hi Shane,

Yes we are generating the username so we could definitely make use of the --set-unique-username in our setup.

To your first point - when we use the web authentication flow we can create our scratch org and test users without any issues. Unfortunately, as these commands are used on our CI/CD pipeline, JWT is our only alternative way of authenticating at the moment.

To your second point - unless I have made a mistake, we should be creating a user by connecting as the usrtst alias rather than connecting as Andy. The connected app is setup with the SFDX CLI permission set.

Finally, this is a pre-existing setup i.e. it has been working well until the start of this week. We have a call in to Salesforce to clarify what has changed.

[waterfif]

Just to clarify, we think that our LMO was moved to Hyperforce (GB) over the weekend. Would this have an effect on the above problem?

[mshanemc]

possibly. Did your problems not start until today?

Asking because there was an incident today with hyperforce orgs https://status.salesforce.com/generalmessages/1212?locale=en-US.

[waterfif]

The issue started Monday.

[SvataSejkora]

WE are having exactly same issue in the CI/CD Pipeline. With slight difference to the opening post. It is happening for at least a couple months.

EDIT: details about our setup

We are also using sfdx, as we did not yet moved to the sf. Some of our devs, including me, are using sf already, and the script, when run locally, behaves in a same way. You can notice that not all commands are aligned, I am aware, it is work in progress.

Connect to DEVHUB

sfdx force:auth:jwt:grant --username %system.DEV_HUB_USERNAME% -f certs/server.key -i %system.CONNECTED_APP_CONSUMER_KEY% --set-default-dev-hub

Create scratch

sfdx org:create:scratch --set-default --definition-file config/project-scratch-def.json --alias $1 --duration-days $days --wait 15

Create User

sfdx org create user --set-alias sales --definition-file config/SalesUser.json --target-org $1

The Error when creating the user

Warning: The --target-dev-hub flag is deprecated and is no longer used by this command. The flag will be removed in API version 57.0 or later.
Error (1): Error authenticating with JWT.
Errors encountered:
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumer

sf version --verbose --json

{
  "cliVersion": "@salesforce/cli/2.6.7",
  "architecture": "darwin-arm64",
  "nodeVersion": "node-v19.3.0",
  "osVersion": "Darwin 22.6.0",
  "shell": "zsh",
  "rootPath": "/Users/svatopluk.sejkora/.nvm/versions/node/v19.3.0/lib/node_modules/@salesforce/cli",
  "pluginVersions": [
    "@oclif/plugin-autocomplete 2.3.6 (core)",
    "@oclif/plugin-commands 2.2.23 (core)",
    "@oclif/plugin-help 5.2.17 (core)",
    "@oclif/plugin-not-found 2.3.37 (core)",
    "@oclif/plugin-plugins 3.2.7 (core)",
    "@oclif/plugin-search 0.0.22 (core)",
    "@oclif/plugin-update 3.1.32 (core)",
    "@oclif/plugin-version 1.3.8 (core)",
    "@oclif/plugin-warn-if-update-available 2.0.48 (core)",
    "@oclif/plugin-which 2.2.31 (core)",
    "@salesforce/cli 2.6.7 (core)",
    "apex 2.3.11 (core)",
    "auth 2.8.13 (core)",
    "community 2.3.10 (user)",
    "data 2.5.7 (core)",
    "deploy-retrieve 1.17.5 (core)",
    "info 2.6.39 (core)",
    "limits 2.3.31 (core)",
    "login 1.2.28 (core)",
    "org 2.10.3 (core)",
    "packaging 1.16.5 (user)",
    "schema 2.3.23 (core)",
    "settings 1.4.26 (core)",
    "sobject 0.2.6 (core)",
    "source 2.10.32 (core)",
    "telemetry 2.3.1 (core)",
    "templates 55.5.10 (core)",
    "trust 2.6.3 (core)",
    "user 2.3.29 (core)",
    "ci-sfdx-plugin 0.5.2 (user)",
    "sfdmu 4.30.0 (user)",
    "sfdx-git-delta 5.24.2 (user)"
  ]
}
****

[jdschleicher]

I think this is related. We cannot create scratch orgs on 2.9.8 if we first authenticate to our devhub using jwt flow.

Trying authentication to our devhub via auth-url seemed to work ( at least more consistently )

[github-actions]

This issue has not received a response in 7 days. It will auto-close in 7 days unless a response is posted.

[waterfif]

We are currently pursuing this with Salesforce support, however, we are currently using a workaround that entails:

1. Login locally with either device or web flows: sf org login web --set-default-dev-hub --alias <MyHubName>
2. Retrieve the sfdxAuthUrl value from the command: sf org display -o <MyHubName> --verbose --json. The value starts with force://PlatformCLI::.<refreshtoken>@<hub instance url>
3. Store the sfdxAuthUrl value in a secure property inside your CI platform
4. When starting your CI build on your CI platform, write the force://... value to a text file e.g. echo "${sfdx_auth_url_val}" > ./sfdxauth.txt
5. Use the sfdxauth.txt file to login: sfdx auth:sfdxurl:store -f ./sfdxurl.txt --set-default-dev-hub --alias <MyHubName> --json

This appears to work and all test users are created successfully. We are trying it over the course of the week and at the moment we haven't had any problems.

[waterfif]

After talking to SF support, they have accepted that there is an issue with the JWT bearer flow when recreating the above scenario on Hyperforce orgs. They will also be raising a documentation bug so that the JWT bearer flow help pages can be updated with a caveat on this. No fix date has been given at the moment.

[github-actions]

This issue has not received a response in 7 days. It will auto-close in 7 days unless a response is posted.

[waterfif]

Closing as a workaround has been provided while SF fix the issue

[b-bowers]

@waterfif Has anything come of this? Have you seen the bug get fixed (e.g. on a later SF CLI version) or documented by Salesforce anywhere?

[waterfif]

@b-bowers nothing as yet I'm afraid. Although they accepted that this was an issue they were less specific about at what point the issue would be fixed. Looking on the JWT Bearer Token Flow docs it hasn't even made it to there yet. We are continuing to use the work around using sfdxurl shown above and this appears to work well in a CI / CD context.

[b-bowers]

FWIW, this issue fixed itself as suddenly as it appeared. After about 12 hours of consistent failures on 11/14-11/15, this error went away by itself - no changes to our SF orgs or CI config.

[waterfif]

@b-bowers thanks for the update. Our issue appeared to correlate with the move to Hyperforce (UK) over a weekend. The same commands that worked before the weekend, didn't work after and the only change was our move to Hyperforce. Were you notified that your source org was moving to Hyperforce? It may be nothing to do with it but that was our experience.

[b-bowers]

@waterfif our issue started about 2 weeks after our Hyperforce (US) migration.

[nwcm]

We are still seeing this issue currently and we are also on hyperforce. #2575

The known issue is marked as "working as intended" so not sure if Salesforce will actually fix this

https://issues.salesforce.com/issue/a028c00000j5kSUAAY/an-error-message-returned-when-running-forceusercreate-for-scratch-org-of-hyperforce-using-oauth-20-jwt-bearer-flow

Note

The work around listed here will only work if the Connected App is setup not to expire sessions or refresh tokens. Otherwise, CI/CD would fail whenever those are set to expire. Which may be a security consideration

[waterfif]

@nwcm the security issue is still a concern for us and we may attempt to switch back to JWT soon once we have confidence that the issue is fixed.

When talking to Salesforce Support - they attempted to give us the "Working As Expected" explanation but we pushed back on that as it clearly is not. JWT auth worked one day and the same commands did not work the next.

[subashniprasannasagecom]

@waterfif @mshanemc ... This issue is happening again when we try to create a user ..
{
"code": 1,
"context": "CreateUserCommand",
"commandName": "CreateUserCommand",
"message": "Error authenticating with JWT.\nErrors encountered:\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer",
"name": "SfError",
"status": 1,
"stack": "SfError: Error authenticating with JWT.\nErrors encountered:\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\nuser hasn't approved this consumer\n at SfError.wrap (/usr/local/lib/node_modules/@salesforce/cli/node_modules/@salesforce/core/lib/sfError.js:79:20)\n at catchCreateUser (file:///usr/local/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:244:23)\n at getNewUserAuthInfo (file:///usr/local/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:227:16)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async CreateUserCommand.run (file:///usr/local/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:71:33)\n at async CreateUserCommand._run (/usr/local/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/command.js:304:22)\n at async Config.runCommand (/usr/local/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/config/config.js:417:25)\n at async run (/usr/local/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/main.js:85:16)",
"exitCode": 1,
"warnings": [
"The --target-dev-hub flag is deprecated and is no longer used by this command. The flag will be removed in API version 57.0 or later."
]
}

Any suggestion or work around will be really useful

[waterfif]

Looks like the error message has now changed to reflect the JWT restriction when creating users in Hyperforce

JwtHyperforceError: This command doesn't work when authorizing an org using the JWT flow if the org is on Hyperforce.

[jofrippfairsailcom]

@subashniprasannasagecom

@waterfif @mshanemc ... This issue is happening again when we try to create a user ..
Any suggestion or work around will be really useful

Best option I can think of, while I'm discovering this issue myself today too Subs...
Is to create an anon apex file to create the users instead, you can run this apex using sf apex run -f <YOUR_SCRIPT> -o <YOU_ORG_ALIAS> and I suspect the apex won't have this error.

The issue I'm having, as far as I can tell is the same. In my javascript that connects to SF using
new jsforce.Connection({ instanceUrl: sfOrg.instanceUrl, accessToken: sfOrg.accessToken });
And then tries to create a user using the sf org create user CLI command.
I get an error saying:

Error: sf org create user failed with exit code:- 1
"code": 1,
"actions": [
"Authorize your Dev Hub with either the org login web or org login sfdx-url command. You can then successfully use the org create user command on scratch orgs that you create with your Dev Hub."
],
"context": "CreateUserCommand",
"commandName": "CreateUserCommand",
"message": "This command doesn't work when authorizing an org using the JWT flow if the org is on Hyperforce.",
"name": "JwtHyperforceError",
"status": 1
"Stack":"
JwtHyperforceError: This command doesn't work when authorizing an org using the JWT flow if the org is on Hyperforce.
at Messages.createError (/opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@salesforce/core/lib/messages.js:444:16)
at getValidatedConnection (file:///opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:248:24)
at async CreateUserCommand.run (file:///opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:57:22)
at async CreateUserCommand._run (/opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/command.js:311:22)
at async Config.runCommand (/opt/hostedtoolcache/node/20.12.2/x64/lib/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/config/config.js:433:25)
at async run (/opt/hostedtoolcache/node/2 "

I found this comment from mshanemc on a similar thread that also suggests my hunch as a workaround...
So it's what I'm going to go for.

Comment here from @mshanemc #2575 (comment)

Hopefully this helps anyone else struggling to understand and "solve" this issue.