sf org create user returns error after successfully creating user when using JWT auth #2575
Comments
Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.
After the user is created, the CLI is going to try to auth the new user with the same JWT connected app. Can you confirm that the created user will have access to do that (does the Connected App allow their assigned Profile?)
In this case, probably not: the scratch org is created with a system admin user, which is the authentication used to run the command. We are trying to create standard users which we don't need the CLI to auth for, nor do they need access to the connected app. There is no connected app in the scratch org for this; it is the connected app from the Partner Business Org. I assume this may only be available to system admins in scratch orgs, not standard users.
The process of scratch org creation replicates the ConnectedApp from the DevHub into the scratch org. If you just want to create a user as a part of a script, I'd suggest either
@mshanemc If I create a scratch org, and then run
I think this command doesn't support the https://developer.salesforce.com/docs/atlas.en-us.sfdx_cli_reference.meta/sfdx_cli_reference/cli_reference_org_commands_unified.htm#cli_reference_org_create_user_unified The reason using
Additionally, as we need this user's authentication details, as the
@nwcm it works if the user being created has access to the ConnectedApp (ex: SystemAdmin or some other profile is allowed for the ConnectedApp, and the user being created is assigned that Profile). I'd guess that if you created a user that gets assigned the SystemAdmin profile it'd auth correctly. That's the trick.
If not, please let me know what command you're using and screenshot your ConnectedApp settings (permissionSets/Profiles) to make sure you've got everything correct. You definitely can't set a password for a user that the CLI is not authenticated with. (That API/permission is called [there is an API to initiate the password reset process for a user that's not yourself, but they get an email link, etc. to do the actual process]
Hey @mshanemc Yeah even with
I also tried removing the permission set and only having the profile defined, but it still fails. I changed IP restrictions to lax with the same result; I've run out of ideas. I also found https://salesforce.stackexchange.com/questions/409375/do-scratch-orgs-have-weird-behaviors-with-connected-apps-being-given-invalid-g I'm not sure how to confirm the connected app is cloned into the scratch org.
@mshanemc this problem looks to be directly related to this known issue, as the steps to reproduce mirror ours (https://issues.salesforce.com/issue/a028c00000j5kSUAAY/an-error-message-returned-when-running-forceusercreate-for-scratch-org-of-hyperforce-using-oauth-20-jwt-bearer-flow). However, the issue is marked as working as intended with no reference to a document explaining why it's expected for this not to work.
Ahh, that was the missing step. I should have put together that you're likely on hyperforce trying this; I had forgotten about that "feature".
Thank you for filing this feature request. We appreciate your feedback and will review the feature at our next grooming or sprint planning session. We prioritize feature requests with more upvotes and comments.
This issue has been linked to a new work item: W-14542428
I'm going to put an error message in there so people know why this isn't working. Marking that as a feature.
Right, so if I'm understanding correctly, any CI/CD using hyperforce orgs can only ever use the original user created with the scratch org. Probably also why the scratch org cannot authenticate new users on an API-only profile.
That's overly broad...you could use sfdx-url auth instead of JWT. Those work fine on hyperforce. I think there's also a really complex path to
I might be missing something, but sfdx-url seems to be limited to web auth flows. The only solution may be the creation of a connected app in every scratch org.
```powershell
# Dev Hub login with the JWT bearer flow (Partner Business Org connected app)
sf org login jwt `
    --username $(DEV_PBO_USERNAME) `
    --jwt-key-file $(pboPrivateKey.secureFilePath) `
    --client-id $(DEV_PBO_CONSUMER_KEY) `
    --alias cliDevHub `
    --set-default-dev-hub `
    --instance-url $(SFDC_PRODUCTION_URL)

# Scratch org creation from that (JWT-authenticated) hub
sf org create scratch `
    --target-dev-hub cliDevHub `
    --definition-file ./scratchOrgDefinition.json `
    --set-default `
    --duration-days $(ORG_DURATION_DAYS) `
    --wait 10 `
    --alias scratchOrgAlias

# Capture the scratch org's auth details and re-authenticate it via sfdx-url
sf org display --target-org scratchOrgAlias --verbose --json > authFile.json
sf org login sfdx-url --sfdx-url-file authFile.json --set-default --alias scratchOrgAlias

# Create the user in the scratch org
$username = "[email protected]"
sf org create user `
    --target-org scratchOrgAlias `
    username=$username `
    profileName="System Administrator"
```
Hello, any update for this issue? Until now every workaround involves manual authentication, which cannot be automated. So this makes all our scratch org tests that create users fail.
It's never going to work on hyperforce with JWT (that's a change in the underlying user replication infrastructure that the CLI can't do anything about). We're changing the command to throw an error before it even tries when it knows you're both JWT and hyperforce. If you need to automate this kind of thing, you'll need to do a non-JWT auth (ex: use sfdx-url). That's how we do our automated tests.
Okay, got it working. @mshanemc I think I have missed or misunderstood the proposed solutions in the different threads. Here is a step-by-step of what worked for me to move from JWT to sfdx-url authentication:
Once these steps are done, creating scratch orgs and users will work. If you need to re-authenticate to existing scratch orgs or users, make sure to persist their unique sfdx auth URLs using So leaving these here and hope that helps someone else 😄
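The maintainer's recommendation above (authenticate with sfdx-url rather than JWT when the org is on hyperforce) and the step-by-step that the previous comment refers to are pulled together here as an added example. This is not code from the issue author or from the Salesforce CLI project. It assumes the Dev Hub's SFDX auth URL is held in a CI secret and exposed as the environment variable DEVHUB_SFDX_AUTH_URL (a hypothetical name; the value is produced once, interactively, with sf org display --target-org <hub> --verbose --json), that the scratch org definition lives at ./scratchOrgDefinition.json, and that the aliases and the example.invalid mail domain are placeholders. The security point worth keeping in mind: an SFDX auth URL embeds a refresh token (plus client id and secret), so it is a credential, not a config value; keep it out of console output and the repository, and mask it in the CI system.

```powershell
# Added example (not from the issue or the Salesforce CLI project).
# Authenticate the Dev Hub with an SFDX auth URL instead of JWT, create a
# scratch org and a user, then capture the new user's own auth URL for
# later pipeline jobs. Assumption: the CI system exposes the Dev Hub auth
# URL (a secret) as $env:DEVHUB_SFDX_AUTH_URL; the variable name is hypothetical.

$ErrorActionPreference = 'Stop'

function Assert-SfSucceeded([string]$step) {
    # sf is a native command, so $ErrorActionPreference does not stop the
    # script on a non-zero exit code; check it explicitly after every call.
    if ($LASTEXITCODE -ne 0) { throw "$step failed with exit code $LASTEXITCODE" }
}

if ([string]::IsNullOrEmpty($env:DEVHUB_SFDX_AUTH_URL)) {
    throw 'DEVHUB_SFDX_AUTH_URL is not set'
}

# 1. Dev Hub login. The auth URL embeds a refresh token (and client id/secret),
#    so it goes into a short-lived temp file and is never echoed to the console.
$hubUrlFile = Join-Path ([System.IO.Path]::GetTempPath()) `
    ("devhub-" + [guid]::NewGuid().ToString('N') + ".authurl")
try {
    Set-Content -Path $hubUrlFile -Value $env:DEVHUB_SFDX_AUTH_URL -NoNewline
    sf org login sfdx-url --sfdx-url-file $hubUrlFile --alias cliDevHub --set-default-dev-hub
    Assert-SfSucceeded 'Dev Hub login'
}
finally {
    Remove-Item -Path $hubUrlFile -Force -ErrorAction SilentlyContinue
}

# 2. Scratch org from the non-JWT hub. Per the maintainer's comment, this is
#    the path that works on hyperforce, where JWT-authed hubs do not.
sf org create scratch `
    --target-dev-hub cliDevHub `
    --definition-file ./scratchOrgDefinition.json `
    --alias scratchOrgAlias `
    --duration-days 1 `
    --wait 10
Assert-SfSucceeded 'Scratch org creation'

# 3. Create the user. sf authenticates the new user as part of this command,
#    so the profile must be one the replicated connected app allows
#    (System Administrator here, as suggested earlier in the thread).
$username = "ci-$([guid]::NewGuid().ToString('N').Substring(0, 8))@example.invalid"
sf org create user `
    --target-org scratchOrgAlias `
    --set-alias ciUser `
    "username=$username" `
    "profileName=System Administrator"
Assert-SfSucceeded 'User creation'

# 4. Persist the new user's auth URL for later jobs. Parse --json output rather
#    than letting --verbose print the URL into the CI log.
$display = sf org display --target-org ciUser --verbose --json | ConvertFrom-Json
if ($display.status -ne 0) { throw "sf org display failed: $($display.message)" }
$userAuthUrl = $display.result.sfdxAuthUrl
if ([string]::IsNullOrEmpty($userAuthUrl)) { throw "no sfdxAuthUrl returned for $username" }

# Hand this to the CI secret store and mark it masked. Writing it to a file is
# only a placeholder here; a later job would consume it with:
#   sf org login sfdx-url --sfdx-url-file ciUser.authurl --alias ciUser
Set-Content -Path ./ciUser.authurl -Value $userAuthUrl -NoNewline
```

The file written in the last step has the same sensitivity as a password for that user; delete it at the end of the job (or never write it and push the value straight into the secret store) and do not commit it or attach it as a build artifact.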
This issue is addressed in 2.21.7 (Dec 13, 2023). Thank you!
Summary
When using sf org create user to create a user in a scratch org, the command returns an error when using JWT authentication even if the user is successfully created.
Steps To Reproduce
sf org login jwt
Expected result
Actual result
System Information
Ubuntu - pwsh
Additional information