
sf org create user returns error after successfully creating user when using JWT auth #2575

Closed
nwcm opened this issue Nov 17, 2023 · 20 comments
Labels
feature Issue or pull request for a new feature validated Version information for this issue has been validated

Comments

@nwcm

nwcm commented Nov 17, 2023

Summary

When using sf org create user to create a user in a scratch org, the command returns an error when using JWT authentication, even if the user is successfully created.

Steps To Reproduce

  1. Auth using sf org login jwt
     sf org login jwt `
         --username $(orgUsername) `
         --jwt-key-file $(jwtKeyFile) `
         --client-id $(clientId) `
         --alias scratchOrgAlias `
         --instance-url $(orgLoginUrl)
  2. Create user
     sf org create user --target-org scratchOrgAlias --definition-file $def --set-unique-username

Expected result

  • If user is created command should exit normally

Actual result

  • User is successfully created in org
  • CLI returns below
Errors encountered:
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumer
    at SfError.wrap (/home/vsts/.config/yarn/global/node_modules/@salesforce/core/lib/sfError.js:79:20)
    at catchCreateUser (/home/vsts/.config/yarn/global/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:255:30)
    at getNewUserAuthInfo (/home/vsts/.config/yarn/global/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:238:16)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async CreateUserCommand.run (/home/vsts/.config/yarn/global/node_modules/@salesforce/plugin-user/lib/commands/org/create/user.js:43:33)
    at async CreateUserCommand._run (/home/vsts/.config/yarn/global/node_modules/@salesforce/sf-plugins-core/node_modules/@oclif/core/lib/command.js:117:22)
    at async Config.runCommand (/home/vsts/.config/yarn/global/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/config/config.js:400:25)
    at async run (/home/vsts/.config/yarn/global/node_modules/@salesforce/cli/node_modules/@oclif/core/lib/main.js:85:16); exitCode=1; warnings=System.Object[]}
@{code=1; context=CreateUserCommand; commandName=CreateUserCommand; message=Error authenticating with JWT.

System Information

Ubuntu - pwsh

{
  "architecture": "linux-x64",
  "cliVersion": "@salesforce/cli/2.17.14",
  "nodeVersion": "node-v18.18.2",
  "osVersion": "Linux 6.2.0-1015-azure",
  "rootPath": "/home/vsts/.config/yarn/global/node_modules/@salesforce/cli",
  "shell": "bash",
  "pluginVersions": [
    "@oclif/plugin-autocomplete 3.0.1 (core)",
    "@oclif/plugin-commands 3.0.6 (core)",
    "@oclif/plugin-help 6.0.5 (core)",
    "@oclif/plugin-not-found 3.0.3 (core)",
    "@oclif/plugin-plugins 4.1.7 (core)",
    "@oclif/plugin-search 1.0.6 (core)",
    "@oclif/plugin-update 4.1.3 (core)",
    "@oclif/plugin-version 2.0.6 (core)",
    "@oclif/plugin-warn-if-update-available 3.0.2 (core)",
    "@oclif/plugin-which 3.0.8 (core)",
    "@salesforce/cli 2.17.14 (core)",
    "apex 2.3.20 (core)",
    "auth 2.8.26 (core)",
    "data 2.6.3 (core)",
    "deploy-retrieve 1.20.0 (core)",
    "info 3.0.1 (core)",
    "limits 3.0.1 (core)",
    "login 2.0.1 (core)",
    "marketplace 1.0.2 (core)",
    "org 2.11.8 (core)",
    "schema 3.0.1 (core)",
    "settings 2.0.2 (core)",
    "sobject 0.2.15 (core)",
    "source 2.11.0 (core)",
    "telemetry 3.1.0 (core)",
    "templates 55.5.18 (core)",
    "trust 3.0.2 (core)",
    "user 2.3.42 (core)"
  ]
}

Additional information

@nwcm nwcm added the investigating We're actively investigating this issue label Nov 17, 2023

Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.

@github-actions github-actions bot added the validated Version information for this issue has been validated label Nov 17, 2023
@mshanemc
Contributor

After the user is created, the CLI is going to try to auth the new user with the same JWT connected app. Can you confirm that the created user will have access to do that (does the Connected App allow their assigned Profile)?

@mshanemc mshanemc added the more information required Issue requires more information or a response from the customer label Nov 17, 2023
@nwcm
Author

nwcm commented Nov 20, 2023

In this case, probably not: the scratch org is created with a system admin user, which is the authentication used to run the command.

We're trying to create standard users that we don't need the CLI to auth for, nor do they need access to the connected app.

There is no connected app in the scratch org for this; it is the connected app from the Partner Business Org. I assume this may only be available to system admins in scratch orgs, not standard users.

@mshanemc
Contributor

The purpose of org create user is to create users that are auth'd via the CLI so you can do CLI stuff as that user. Auth is built into the process. I understand why that's confusing, and maybe we could fix it.

Scratch org creation replicates the ConnectedApp from the DevHub into the scratch org.

If you just want to create a user as a part of a script, I'd suggest either

  1. use sf data create record and pass the fields it needs
  2. create a user via an apex script executed by sf apex run -f <your file>

@nwcm
Author

nwcm commented Nov 22, 2023

@mshanemc
I understand; however, I think there is some odd behavior in the org create user command.

If I create a scratch org and then run org create user in a CI/CD context to use the auth, even with system admin that user returns the error. So the purpose of creating a user and switching authentication context for commands isn't working for me using JWT.

Scratch org creation replicates the ConnectedApp from the DevHub into the scratch org.

I think this command doesn't support the JWT authentication method. There is nothing additional in the documentation for using JWT. Would you have to create the user, grant them access to the connected app, and then authenticate?

https://developer.salesforce.com/docs/atlas.en-us.sfdx_cli_reference.meta/sfdx_cli_reference/cli_reference_org_commands_unified.htm#cli_reference_org_create_user_unified
https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_scratch_orgs_users.htm

The reason org create user is more useful is being able to define the user definition with all user information and permission sets.

@nwcm
Author

nwcm commented Nov 22, 2023

Additionally, as we need this user's authentication details, and as org create user fails, we are unable to use org password generate for this user.

@{code=1; context=GenerateUserPasswordCommand; commandName=GenerateUserPasswordCommand; message=No authorization information found for [email protected].; name=NamedOrgNotFoundError; status=1; stack=NamedOrgNotFoundError: No authorization information found for [email protected].

https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_connected_app.htm

@mshanemc
Contributor

I think this command doesn't support the jwt authentication method.

@nwcm it works if the user being created has access to the ConnectedApp (ex: SystemAdmin or some other profile is allowed for the ConnectedApp, and the user being created is assigned that Profile). I'd guess that if you created a user that gets assigned the SystemAdmin profile it'd auth correctly.

That's the trick:

  1. Profile/PermSet has access to connectedApp in devHub
  2. ConnectedApp is replicated to scratch org (that's how the Admin user gets access to the scratch org)
  3. User is created that has one of the Profile/PermSets that can use the ConnectedApp.

If not, please let me know what command you're using and screenshot your ConnectedApp settings (permissionSets/Profiles) to make sure you've got everything correct.

You definitely can't set a password for a user that the CLI is not authenticated with. (That API/permission is called selfSetPassword, meaning an admin can't do it for other users, only for themselves.) That's why org password generate uses --on-behalf-of as a user that the CLI has auth'd and not just anybody in the org.

[there is an API to initiate the password reset process for a user that's not yourself, but they get an email link, etc to do the actual process]

@nwcm
Author

nwcm commented Nov 22, 2023

Hey @mshanemc

Yeah, even with the System Administrator profile configured it still fails to authenticate as the new user.

$user = sf org create user `
    --target-org scratchOrgAlias `
    username=$username `
    profileName="System Administrator" `
    --json | ConvertFrom-JSON

I also tried removing the permissionset and only having the profile defined but it still fails.

I changed IP restrictions to lax, and the same; I've run out of ideas. I also found https://salesforce.stackexchange.com/questions/409375/do-scratch-orgs-have-weird-behaviors-with-connected-apps-being-given-invalid-g

I'm not sure how to confirm the connected app is cloned into the scratch org.

@ns-091

ns-091 commented Nov 22, 2023

@mshanemc this problem looks to be directly related to this known issue, as the steps to reproduce mirror ours (https://issues.salesforce.com/issue/a028c00000j5kSUAAY/an-error-message-returned-when-running-forceusercreate-for-scratch-org-of-hyperforce-using-oauth-20-jwt-bearer-flow).

However the issue is marked as working as intended with no reference to a document explaining why it's expected for this not to work.

@mshanemc
Contributor

Ahh, that was the missing step. I should have put together that you're likely on hyperforce trying this, had forgotten about that "feature".

@mshanemc mshanemc added the feature Issue or pull request for a new feature label Nov 22, 2023

Thank you for filing this feature request. We appreciate your feedback and will review the feature at our next grooming or sprint planning session. We prioritize feature requests with more upvotes and comments.


git2gus bot commented Nov 22, 2023

This issue has been linked to a new work item: W-14542428

@mshanemc
Contributor

I'm going to put an error message in there so people know why this isn't working. Marking that as a feature.

@nwcm
Author

nwcm commented Nov 22, 2023

Right, so if I'm understanding correctly, any CI/CD using Hyperforce orgs can only ever use the original user created with the scratch org.

Probably also why the scratch org cannot authenticate new users on an API-only profile.

@mshanemc
Contributor

Right, so if i'm understanding correctly. Any CI/CD using hyperforce orgs can only ever use the original user created with the scratch org.

That's overly broad... you could use sfdx-url auth instead of JWT. That works fine on Hyperforce.

I think there's also a really complex path to

  1. create a new ConnectedApp in the scratch org (and keep the cert handy!)
  2. re-auth the admin user using that
  3. org create user

@mshanemc mshanemc removed more information required Issue requires more information or a response from the customer investigating We're actively investigating this issue labels Nov 22, 2023
@nwcm
Author

nwcm commented Nov 22, 2023

@mshanemc

I might be missing something, but sfdx-url seems to be limited to web auth flows. The only solution may be the creation of a connected app in every scratch org.

https://developer.salesforce.com/docs/atlas.en-us.sfdx_cli_reference.meta/sfdx_cli_reference/cli_reference_org_commands_unified.htm#cli_reference_org_login_sfdx-url_unified

NOTE: The "sf org display --verbose" command displays the refresh token only for orgs authorized with the web server flow, and not the JWT bearer flow.

sf org login jwt `
  --username $(DEV_PBO_USERNAME) `
  --jwt-key-file $(pboPrivateKey.secureFilePath) `
  --client-id $(DEV_PBO_CONSUMER_KEY) `
  --alias cliDevHub `
  --set-default-dev-hub `
  --instance-url $(SFDC_PRODUCTION_URL)
        
sf org create scratch `
  --target-dev-hub cliDevHub `
  --definition-file ./scratchOrgDefinition.json `
  --set-default `
  --duration-days $(ORG_DURATION_DAYS) `
  --wait 10 `
  --alias scratchOrgAlias

sf org display --target-org scratchOrgAlias --verbose --json > authFile.json
sf org login sfdx-url --sfdx-url-file authFile.json --set-default --alias scratchOrgAlias

$username = "[email protected]"

sf org create user `
  --target-org scratchOrgAlias `
  username=$username `
  profileName="System Administrator"

@dshelgunov

Hello, any update on this issue? So far, every workaround involves manual authentication, which cannot be automated. This makes all our scratch org tests that create users fail.

@mshanemc
Contributor

mshanemc commented Dec 7, 2023

It's never going to work on Hyperforce with JWT (that's a change in the underlying user replication infrastructure that the CLI can't do anything about). We're changing the command to throw an error before it even tries when it knows you're both JWT and Hyperforce.

If you need to automate this kind of thing, you'll need to do a non-JWT auth (ex: use sfdx-url). That's how we do our automated tests.

@dshelgunov

Okay got it working. @mshanemc I think I have missed or misunderstood the proposed solutions in the different threads.

Here is a step-by-step of what worked for me to move from JWT to sfdx-url authentication:

  1. In the SF cli, logout from all authenticated accounts including the dev-hub account.
  2. Use sf org login web to link back your dev-hub account previously using JWT.
  3. Now you can get the sfdx auth url from sf org display --target-org TestOrg1 --verbose
  4. In the cli, logout again from the dev-hub account.
  5. Again link the dev-hub account but now using the previously fetched Sfdx Auth Url with sf org login sfdx-url

Once these steps are done, creating scratch orgs and users will work. If you need to re-authenticate to existing scratch orgs or users, make sure to persist their unique sfdx auth urls using sf org display --target-org TestOrgOrUser --verbose when initially creating these.

So I'm leaving these here and hope they help someone else 😄
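The pipeline scripts in the thread above and the JWT-to-sfdx-url steps in the previous comment both hinge on one fact from the docs quote earlier: an org authorized with JWT has no refresh token, so `sf org display --verbose` yields no sfdx auth URL to persist. The following PowerShell is an added example, not code from the issue or from the Salesforce CLI project; it assumes the `status` and `result.sfdxAuthUrl` fields of `sf org display --json` output and the Azure Pipelines `##vso[task.setvariable ...;issecret=true]` logging command, and it fails early when the target org turns out to be JWT-authorized instead of letting `sf org create user` fail later. Because the auth URL embeds a refresh token, it is written to a private file and marked secret rather than echoed.

```powershell
# Added example (not from the issue or the Salesforce CLI project).
# Assumes: sf org display --json returns {status, result.sfdxAuthUrl};
# ##vso[task.setvariable ...;issecret=true] is the Azure Pipelines secret-masking command.
$ErrorActionPreference = 'Stop'

function Export-SfdxAuthUrl {
    param(
        [Parameter(Mandatory)] [string] $TargetOrg,
        [Parameter(Mandatory)] [string] $OutFile
    )
    $display = (sf org display --target-org $TargetOrg --verbose --json | Out-String) | ConvertFrom-Json
    if ($display.status -ne 0) {
        throw "sf org display failed for '$TargetOrg': $($display.message)"
    }
    # Missing property evaluates to $null here; JWT-authorized orgs have no refresh
    # token, so the CLI returns no sfdxAuthUrl for them (see the docs NOTE above).
    $authUrl = $display.result.sfdxAuthUrl
    if ([string]::IsNullOrEmpty($authUrl)) {
        throw "No sfdxAuthUrl for '$TargetOrg': it was authorized with JWT. Re-authorize the dev hub with 'sf org login web' or 'sf org login sfdx-url' before creating scratch orgs and users."
    }
    # The URL carries a refresh token: keep the file private and never print the value.
    Set-Content -Path $OutFile -Value $authUrl -NoNewline
    if (-not $IsWindows) { chmod 600 $OutFile }
    # Masks the value in the pipeline log and exposes it as a secret variable to later steps.
    Write-Host "##vso[task.setvariable variable=SFDX_AUTH_URL;issecret=true]$authUrl"
    return $OutFile
}

function Connect-ScratchOrgFromAuthUrl {
    param(
        [Parameter(Mandatory)] [string] $AuthUrlFile,
        [Parameter(Mandatory)] [string] $Alias
    )
    sf org login sfdx-url --sfdx-url-file $AuthUrlFile --alias $Alias --set-default --json | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sf org login sfdx-url failed for '$Alias' (exit $LASTEXITCODE)" }
}

# Usage, after the dev hub was authorized with sfdx-url (not JWT) and the scratch org created:
# $authFile = Export-SfdxAuthUrl -TargetOrg scratchOrgAlias -OutFile "$env:AGENT_TEMPDIRECTORY/scratch.authurl"
# Connect-ScratchOrgFromAuthUrl -AuthUrlFile $authFile -Alias scratchOrgAlias
# sf org create user --target-org scratchOrgAlias username=$username profileName="System Administrator" --json
```

Persist the exported file (or the masked `SFDX_AUTH_URL` variable) when the scratch org is created, since it is the only thing that lets later pipeline jobs re-authorize to that org or to users created in it without a browser login.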

@jshackell-sfdc
Collaborator

This issue is addressed in 2.21.7 (Dec 13, 2023). Thank you!
