4

I've followed the docs here to create a cert and configured the following;

  • OAuth scopes: api, refresh_token, offline_access and web
  • Permitted users: Admin approved users are pre-authorized
  • Profiles: All (even though I suspect System Administrator should be enough)

I can successfully authenticate to the DevHub with force:auth:jwt:grant, but cannot authorize an associated Scratch Org. I run the following command;

sfdx force:auth:jwt:grant \
--clientid 3MVG97quAmFZJfVz.WJ55DLNvbWWJlZL.ag6Zr_Xp4u5TXmwoRKSdXVzB.KrzU1oXwQIkjCxczxHWcQpWBotZ \
--jwtkeyfile /keys/server.key \
--setalias scratchorg \
--username test-3zcz2xcrrsfb@example.com \
--instanceurl https://test.salesforce.com

But receive the following error;

ERROR running force:auth:jwt:grant:  This org appears to have a problem with its OAuth configuration. Reason: invalid_grant - user hasn't approved this consumer
username: test-3zcz2xcrrsfb@example.com,
clientId: 3MVG97quAmFZJfVz.WJ55DLNvbWWJlZL.ag6Zr_Xp4u5TXmwoRKSdXVzB.KrzU1oXwQIkjCxczxHWcQpWBotZ,
loginUrl: <Not Specified>,
privateKey: /keys/server.key

Try this:
Verify the OAuth configuration for this org. For JWT:
Ensure the private key is correct and the cert associated with the connected app has not expired.
Ensure the following OAuth scopes are configured [api, refresh_token, offline_access]. Ensure the username is assigned to a profile or perm set associated with the connected app.
Ensure the connected app is configured to pre-authorize admins.
  • Similar question #1 - solved by waiting, but my scratch org has been up for 24 hours.
  • Similar question #2 - the following values for instanceurl do not solve this; login, test, community
  • Blog post #1 - same as the official docs, still throws error
  • Blog post #2 - Step 3 Option 1 mentions setting Admin approved users are pre-authorized and enabling profiles, I've already done this
  • Similar question #3 - suggests the application needs to be authorized, which I'm guessing it is already, per Blog post #2 above.

How can I authorize my scratch org using JWT?

Stafford Williams
  • 191
  • 4
  • Salesforce DX has a refresh token for the scratch org it creates. Is there a reason you need to authenticate to the scratch org with JWT? – David Reed Mar 31 '20 at 00:06
  • Testing/building a CI pipeline on Developer Edition. I will pop the 6/day cap if I create a new scratch org every time while building this pipeline. – Stafford Williams Mar 31 '20 at 00:11

2 Answers2

2

The fix here for me was to create the Scratch Org after I had created the Connected App;

  • Scratch Org #1
    • Created before the Connected App was created
    • Cannot authorize at all, even 24 hours later, with JWT
  • Scratch Org #2
    • Created after the Connected App was created
    • Failed to authorize with JWT for about 2mins (per docs), but then connected successfully

It's not apparent to me what difference the Scratch Orgs have (ie; neither have reference to the Connected App)

Stafford Williams
  • 191
  • 4
0

I found a solution for this. The instanceurl value I used is the LoginUrl from the ScratchOrgInfo object queried from the devhub

Captain DX
  • 1