Troubleshooting JWT Authorization
Here's the scenario; you're attempting to use the JSON Web Token (JWT) authorization using the SFDX command line interface. But things aren't going as you anticipated. You're receiving the following error
ERROR running auth:jwt:grant
We encountered a JSON web token error, which is likely not an issue with Salesforce CLI. Here's the error: Error authenticating with JWT config due to: user hasn't approved this consumer.
It's okay. It happens to everyone. This is especially common after you've refreshed a Salesforce sandbox. Specifically, if you've got some continuous integration pipelines that use JWT and the refresh caused the pipeline to fail.
So how do you resolve this and get back to the business of CRM development?
Option 1: pre-authorize the connected app for specific profiles.
- Login to your salesforce Organization
- Within Setup navigate to the App configurations
- Setup > Create > Apps > YOUR_CONNECTED_APP_DEFINITION
- Click the "Manage" button
- Edit the policies on the resulting page
- Permitted Users: Admin approved users are pre-authorized
- Go down to the Profiles section of the app configuration
- Make sure System Administrator is listed or add the Profile if it is missing
- If you are using another profile then add that one instead of the System Administrator
Option 2: approve the connected app for the specific User.
The long version of what we're attempting to do can be read here: https://help.salesforce.com/articleView?id=remoteaccess_authenticate.htm&language=en_US. It all boils down to the following steps.
Construct an authorization request using the following guidelines:
- Start the URL by deciding if you are trying to connect to a sandbox/developer Org or a production Salesforce environment
- Production: https://login.salesforce.com
- Sandbox or Developer: https://test.salesforce.com
- Then append the authorization endpoint details
- Now we need to tell Salesforce the Connected App definition that we are authorizing. The consumer key that was generated in the Connected App definition is what tells Salesforce the permissions and other details that we are authorizing. Anyway, go to Setup within the Salesforce Org where the Connected App is defined. Setup > Create > Apps. Then click the link for the app. On the resulting page you will see the Consumer Key. Copy it.
- While you're on the Connected App definition page copy the Callback URL. If there is more than one simply copy one.
The result of all this information is a single URL that you can use for authorizing the Connected App definition for a given User. It will look like:
Now open your browser, copy the URL we created and paste it into your browser. You should be directed to a page asking you to login to Salesforce. Once logged in you will be asked to confirm that you are okay with the connected application accessing your Salesforce Org and data on your behalf. Go ahead and indicate that it's okay and you agree.
Upon authorization you'll be redirected to callback URL you found in the Connected App definition and appended in the authorization URL. That page may not render. Especially if you used some sort of localhost blah, blah, blah in the redirect_uri. It doesn't matter that the redirect didn't work. You should be fine.
Simply navigate to your User record in Salesforce and confirm that the Connected App is listed in the "OAuth Connected Apps" related list. If you don't see that the authorization worked then go back to the beginning and try again.