I'm having trouble authenticating to my Dev Hub Org using the JWT token. The command:
sfdx force:auth:jwt:grant --clientid *** --username *** --jwtkeyfile *** --setdefaultdevhubusername --instanceurl https://login.salesforce.com
results in:
ERROR: This org appears to have a problem with its OAuth configuration.
Reason: invalid_grant - expired authorization code
username: ***,
clientId: ***,
loginUrl: <Not Specified>,
privateKey: ***.
I'm curious about the Not specified value for the loginUrl.
If I try to run the auth command in the context of a configured sfdx project that has the default login url set to test.salesforce.org, this URL appears as the loginUrl and the authentication also fails (as I'm trying to log in to a Dev Hub Org).
It seems that the --instanceurl doesn't in fact override the login URL as documented? Or am I missing something here?
My sfdx version is:
sfdx-cli/6.25.0 (linux-x64) node-v8.11.3
Best Answer
I finally managed to solve this myself, but I still believe there is a small bug in SFDX CLI that steered me off my course when debugging this.
The root cause turned out to be an incorrect system time set on the server I was running the auth:jwt:grant from - hence the expired authorization code, as the requests were coming "from the past".
But the error detail message is incorrect when it comes to the loginUrl parameter - it doesn't seem to notice the --instanceurl option passed to the command. The command itself runs fine and targets the correct instance, it's just the error message that has a different loginUrl than was actually used. And that made me spend quite some time wondering about the instance URLs rather than the JWT flow and grants.
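The clock-skew failure described in the answer, as an added example (not code from the original post or from the Salesforce CLI): it compares the local clock with the time a server reports in its HTTP Date header and checks whether a JWT bearer assertion built from the local clock would already be expired on arrival. The 3-minute assertion lifetime, the function names, the claim values and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: the client issues a short-lived assertion (exp = now + 3 minutes).
ASSERTION_LIFETIME = timedelta(minutes=3)


def jwt_claims(client_id, username, audience, local_now,
               lifetime=ASSERTION_LIFETIME):
    """Claims of a JWT bearer assertion as a client with this clock builds them."""
    return {
        "iss": client_id,
        "sub": username,
        "aud": audience,
        "exp": int((local_now + lifetime).timestamp()),
    }


def diagnose(local_now, server_date_header, lifetime=ASSERTION_LIFETIME):
    """Compare the local clock with a server's HTTP Date header.

    Returns the skew (local minus server, in seconds) and whether an
    assertion issued right now is already past its exp from the
    server's point of view.
    """
    server_now = parsedate_to_datetime(server_date_header)
    claims = jwt_claims("CLIENT_ID", "user@example.com",
                        "https://login.salesforce.com", local_now, lifetime)
    skew = local_now - server_now
    return {
        "skew_seconds": int(skew.total_seconds()),
        "expired_on_arrival": claims["exp"] <= int(server_now.timestamp()),
    }


if __name__ == "__main__":
    # Constructed sample: the value a server might send in its Date header
    # (visible with e.g. `curl -sI https://login.salesforce.com`).
    server_date = "Tue, 07 Aug 2018 12:00:00 GMT"
    # Constructed sample: a build server whose clock runs 10 minutes slow.
    slow_clock = datetime(2018, 8, 7, 11, 50, 0, tzinfo=timezone.utc)
    print(diagnose(slow_clock, server_date))
    # For a live check, pass datetime.now(timezone.utc) and a fresh Date header.
```

A negative skew larger than the assertion lifetime means every grant request arrives with an exp that is already in the past, whichever login URL is targeted.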