Expired Access/Refresh Token Unable to Authenticate
Summary
This happens every so often, and the only resolution has been to reinstall vscode & plugins. I am hoping to get a better solution.
All CLI commands fail (source diff, retrieve, deploy, etc) with various errors, usually about an expired token. However, using sfdx force:auth:web:login successfully still does not resolve this error.
Steps To Reproduce:
- I don't know how to reproduce this issue. I don't know what is causing it, nor why it sporadically pops up.
Expected result
After getting a Selected components are not available in the org or Error authenticating with the refresh token due to: expired access/refresh token, and then successfully re-authenticating using sfdx force:auth:web:login, the previously attempted CLI commands should work.
Actual result
Instead of being resolved, the expired token errors continue no matter how many times you reauthenticate.
System Information
- Which shell/terminal are you using? zsh
{
  "cliVersion": "sfdx-cli/7.160.0",
  "architecture": "darwin-x64",
  "nodeVersion": "node-v16.16.0",
  "pluginVersions": [
    "@oclif/plugin-autocomplete 0.3.0 (core)",
    "@oclif/plugin-commands 1.3.0 (core)",
    "@oclif/plugin-help 3.3.1 (core)",
    "@oclif/plugin-not-found 1.2.6 (core)",
    "@oclif/plugin-plugins 1.10.11 (core)",
    "@oclif/plugin-update 1.5.0 (core)",
    "@oclif/plugin-warn-if-update-available 1.7.3 (core)",
    "@oclif/plugin-which 1.0.4 (core)",
    "@salesforce/sfdx-diff 0.0.6",
    "@salesforce/sfdx-plugin-lwc-test 1.0.0 (core)",
    "alias 2.1.0 (core)",
    "apex 1.1.0 (core)",
    "auth 2.2.2 (core)",
    "community 2.0.0 (core)",
    "config 1.4.14 (core)",
    "custom-metadata 2.0.0 (core)",
    "data 2.0.4 (core)",
    "generator 2.0.2 (core)",
    "info 2.0.1 (core)",
    "limits 2.0.1 (core)",
    "org 2.0.3 (core)",
    "salesforce-alm 54.6.2 (core)",
    "schema 2.1.1 (core)",
    "sfdx-cli 7.160.0 (core)",
    "sfdx-git-delta 5.3.0",
    "signups 1.2.0 (core)",
    "source 2.0.7 (core)",
    "telemetry 2.0.0 (core)",
    "templates 55.0.0 (core)",
    "trust 2.0.1 (core)",
    "user 2.1.0 (core)"
  ],
  "osVersion": "Darwin 21.4.0"
}
Additional information
Here is an example attempt at using diff and retrieve CLI commands, failing due to token errors or "components not in org" (they are, but it clearly can't connect), and then auth-ing and getting the same error again. Changing the org alias and authenticating again doesn't resolve the issue.
5:21:05.179 Starting SFDX: Diff File Against Org
Selected components are not available in the org
15:21:19.355 Starting SFDX: Retrieve Source from Org
Error authenticating with the refresh token due to: expired access/refresh token
Starting SFDX: Authorize an Org
15:21:59.480 sfdx force:auth:web:login --setalias XXXXX --instanceurl https://test.salesforce.com --setdefaultusername
Successfully authorized [email protected] with org ID XXXXXXXXXX
15:22:30.365 sfdx force:auth:web:login --setalias XXXXX --instanceurl https://test.salesforce.com --setdefaultusername ended with exit code 0
15:22:43.636 Starting SFDX: Retrieve Source from Org
Error authenticating with the refresh token due to: expired access/refresh token
@PhilTerz I see that you are trying to work with an org that lives on a sandbox instance given that the instance url references test.salesforce.com.
What kind of org is it: a scratch org or a sandbox? After you authenticate to the org, could you send me the contents of the auth file stored in $HOME/.sfdx, redacting the sensitive data but leaving the property names?
Would you be willing to give this a try on the latest version of sfdx-cli?
What is the result of sfdx plugins?
Thank you for a quick response, @peternhale. The org I'm having an issue with is a Full sandbox, Unlimited edition.
I have updated sfdx update to 7.161.0 and retried, same issue.
This is the auth file
{
  "username": "[email protected]",
  "accessToken": "XXXXX:XXXXX",
  "instanceUrl": "https://XXXXXXXXX.my.salesforce.com",
  "orgId": "XXXXXXXXXXX",
  "loginUrl": "https://test.salesforce.com/",
  "refreshToken": "XXXXXX:XXXXXXX",
  "clientId": "PlatformCLI",
  "isDevHub": false,
  "timestamp": "2022-06-23T16:43:14.221Z",
  "instanceApiVersion": "55.0",
  "instanceApiVersionLastRetrieved": "8/2/2022, 11:58:18 AM"
}
sfdx plugins gives these two lines
@salesforce/sfdx-diff 0.0.6
sfdx-git-delta 5.3.0
How was the sandbox created?
I was not a part of the org at the time, but I think it was created just by New Sandbox in the sandbox tab from prod. It's been refreshed a couple of times, and it has worked for me for months until last week.
To note, this issue has happened intermittently in other orgs as well. This is just a current case.
Thanks for the info. I will try with one of our own sandboxes to see if I can get auth to fail.
FYI, I just confirmed when I create a new user and authenticate through that user instead, I am able to use all sfdx commands without error in the same org.
Could you diff the auth json files to see if something jumps out?
@PhilTerz I just got my sandbox. I was able to do an auth web login successfully and I am randomly trying dx commands that require the user, and thus far no expired auth tokens. I'll keep poking at it to see if I can find the magic combo that causes this issue.
The structure of the auth json files is the same, unfortunately. I know I'm not giving you a lot to go off, but I can't find the reason either.
To be clear, most sfdx commands and auths are working perfectly. There are just some instances like this where it gets completely stuck.
@PhilTerz without something more concrete I am not sure what else can be done at this moment.
One thing that might help is a log file that includes a failure.
@PhilTerz a colleague asked if you could verify something. For any one of the failing auths, run sfdx force:org:display -u <username> --verbose. Check the fields like access token to see if they look correct. If they don't, there may be an issue with encrypt/decrypt of these critical fields.
@peternhale Yes, it looks like these do not match up. Good catch! Is the decryption something on my end or sfdx's?
@PhilTerz encryption is handled by sfdx.
Could I get a bit of detail on "these do not match up"?
Sorry for the vagueness.
When I use the sfdx force:org:display -u <username> --verbose command, it outputs the access token for that user. That format of [org id]![security token].[...] shows me that the security token printing from that command doesn't match the security token I've received previously from that user.
Was I understanding you correctly? That was how I interpreted
@PhilTerz That's great information, thank you.
In general these are the steps you are taking.
- Login to an org with auth:web:login with uname/password (login is successful)
- Work on the org using various sfdx commands (all is good)
- Try to run a sfdx command with the user but it fails with one of the errors above
- You try to authenticate the user again, but the attempt fails.
- reinstall vscode and sfdx
- Start from scratch
Does this represent the cycle?
I would suggest that the next time this occurs you try to logout from the org sfdx auth:logout -u ... and then try the web login again. The logout will remove any trace of the org's data on your local system. If this works I think it would avoid the reinstall of the products.
@peternhale Yes those are the general steps.
I actually did use the logout command, and reauthenticated with web login and got the error again. Unfortunately this did not work either.
Is reinstall the only solution at the time?
I am just not sure why uninstall/install fixes the issue.
Hello, I'm having the same issue here. Twice a day or more my refresh token expires and I have to delete everything in the .sfdx folder, log in again, and close and restart vscode to be able to reauthenticate.
For info this happens for my scratchOrg.
sfdx-cli/7.169.1 win32-x64 node-v16.17.0
@gaelCangy - can you run sfdx doctor and let me know what it suggests? Also, what is the exact error with stack trace that you're seeing? You can get a stack trace if you run the command appending --dev-debug. When the error occurs, can you check the contents of the auth file for that org (C:\Users\<me>\.sfdx) and verify that the accessToken and refreshToken values are encrypted? You can compare the values with the output of sfdx force:org:display -u <org-username>
Hello @shetzel, I got the error today. Here is the info you requested:
- The suggestions from sfdx doctor --dev-debug
  "suggestions": [
    "Check https://github.com/forcedotcom/cli/issues for CLI issues posted by the community.",
    "Check http://status.salesforce.com for general Salesforce availability and performance."
  ]
- When comparing the Access Token in the .sfdx folder vs the sfdx force:org:display the two are completely different. Here is the error I got:
  Alias momentum
  Client Id PlatformCLI
  Connected Status RefreshTokenAuthError
- What do you mean by encrypted for the Access and refresh token in the .sfdx folder?
"When comparing the Access Token in the .sfdx folder vs the sfdx force:org:display the two are completely different."
That's good. The tokens should be encrypted in the file, but when displayed with the force:org:display command it should be unencrypted.
I'll need the stack trace though if you can get it. The next time it fails, if you can run the same command again but append --dev-debug and attach the last 100-200 lines of debug output (be sure to scrub anything you don't want shared). Alternatively, you could run the command with our doctor command and it will generate a few files with debug output. To do that, run sfdx doctor --command "<the-full-command-with-params>"
Is it possible that your org security settings have a very short refresh token security policy?
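The check requested in the comments above (are accessToken and refreshToken encrypted in the auth file, and does the file value differ from what force:org:display --verbose prints), sketched as an added example; it is not part of the thread and not sfdx's own code. The hex:hex "encrypted" shape, the 15-character org ID prefix, the function names and both sample files are assumptions or constructed for illustration.

```python
import json
import re

TOKEN_FIELDS = ("accessToken", "refreshToken")
# Assumption: an encrypted value is two hex runs joined by ":", the shape of
# the redacted "XXXXX:XXXXX" values in the auth file posted in this thread.
ENCRYPTED_SHAPE = re.compile(r"^[0-9a-fA-F]+:[0-9a-fA-F]+$")


def classify_token(value, org_id):
    """Classify one stored token without ever echoing its value."""
    if not isinstance(value, str) or not value:
        return "missing"
    if ENCRYPTED_SHAPE.match(value):
        return "encrypted-shape"
    # Plaintext access tokens read "[org id]!..." per the thread. Assumption:
    # the prefix is the 15-character form of the 18-character orgId.
    prefix, bang, _ = value.partition("!")
    if bang and org_id and prefix == org_id[:15]:
        return "plaintext-access-token"
    return "unrecognized"


def audit_auth_file(auth_json_text, displayed=None):
    """Report the at-rest state of the token fields in one auth file."""
    auth = json.loads(auth_json_text)
    org_id = auth.get("orgId", "")
    report = {f: classify_token(auth.get(f), org_id) for f in TOKEN_FIELDS}
    # The file value must differ from what force:org:display --verbose prints;
    # equality means the token sits on disk unencrypted.
    report["matchesDisplayed"] = (
        displayed is not None and auth.get("accessToken") == displayed)
    report["ok"] = not report["matchesDisplayed"] and all(
        report[f] == "encrypted-shape" for f in TOKEN_FIELDS)
    return report


# Constructed sample auth files (no real tokens or org IDs).
SAMPLE_ENCRYPTED = json.dumps({"orgId": "00D000000000001AAA",
    "accessToken": "9f3c1ab07de4:5b2e88c1", "refreshToken": "c41d9e02aa17:0e7f3b96"})
SAMPLE_PLAINTEXT = json.dumps({"orgId": "00D000000000001AAA",
    "accessToken": "00D000000000001!CONSTRUCTED.TOKEN", "refreshToken": ""})

if __name__ == "__main__":
    for name, text in (("encrypted", SAMPLE_ENCRYPTED), ("plaintext", SAMPLE_PLAINTEXT)):
        print(name, audit_auth_file(text))
```

The report contains only classifications, so it can be pasted into an issue without scrubbing token values.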
This issue has not received a response in 7 days. It will auto-close in 7 days unless a response is posted.