
sf org login jwt - audience is invalid when authenticating with sandbox org

Open drewski89 opened this issue 6 months ago • 1 comments


Summary

When attempting to authorize with a jwt, the --instance-url parameter seems to not be taken into consideration when the command is executed.

The result when attempting to authenticate with a sandbox always returns "audience is invalid [audience=http://login.salesforce.com login=https://test.salesforce.com]"

The command being executed is as follows: Actual input is modified for privacy:

sf org login jwt --username [email protected] --jwt-key-file server.key --client-id CONSUMER_KEY_FROM_ExternalClientApp --alias myorg --instance-url https://test.salesforce.com

Steps To Reproduce

Run the below command with proper input information (information below for username and client-id is purposefully not true to the org for privacy reasons).

sf org login jwt --username [email protected] --jwt-key-file server.key --client-id CONSUMER_KEY_FROM_ExternalClientApp --alias myorg --instance-url https://test.salesforce.com

Expected result

--instance-url should be considered when attempting to connect to the org.

Actual result

The login attempt is logged in the user record login history section of the sandbox, but the jwt fails to validate due to audience being invalid.

Additional information

I have tried setting the following environment variables as well with no change:

SF_AUDIENCE_URL=https://test.salesforce.com
SFDX_AUDIENCE_URL=https://test.salesforce.com

I have also used my sandbox org's My Domain URL:

https://domain--a.sandbox.my.salesforce.com

Issue persists.

I have attempted running this command locally on my Mac as well as on my Linux server.

System Information

Shell: bash

{
  "architecture": "linux-x64",
  "cliVersion": "@salesforce/cli/2.93.7",
  "nodeVersion": "node-v22.16.0",
  "osVersion": "Linux 6.1.112-122.189.amzn2023.x86_64",
  "rootPath": "/usr/local/lib/node_modules/@salesforce/cli",
  "shell": "bash",
  "pluginVersions": [
    "@oclif/plugin-autocomplete 3.2.30 (core)",
    "@oclif/plugin-commands 4.1.26 (core)",
    "@oclif/plugin-help 6.2.28 (core)",
    "@oclif/plugin-not-found 3.2.56 (core)",
    "@oclif/plugin-plugins 5.4.40 (core)",
    "@oclif/plugin-search 1.2.24 (core)",
    "@oclif/plugin-update 4.6.43 (core)",
    "@oclif/plugin-version 2.2.29 (core)",
    "@oclif/plugin-warn-if-update-available 3.1.41 (core)",
    "@oclif/plugin-which 3.2.35 (core)",
    "@salesforce/cli 2.93.7 (core)",
    "agent 1.23.0 (core)",
    "apex 3.6.19 (core)",
    "api 1.3.3 (core)",
    "auth 3.7.0 (core)",
    "data 4.0.39 (core)",
    "deploy-retrieve 3.22.22 (core)",
    "info 3.4.66 (core)",
    "limits 3.3.56 (core)",
    "marketplace 1.3.8 (core)",
    "org 5.8.0 (core)",
    "packaging 2.15.4 (core)",
    "schema 3.3.66 (core)",
    "settings 2.4.31 (core)",
    "sobject 1.4.60 (core)",
    "telemetry 3.6.44 (core)",
    "templates 56.3.50 (core)",
    "trust 3.7.98 (core)",
    "user 3.6.25 (core)"
  ]
}

drewski89, Jun 24 '25 16:06
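
An added example, not part of the original issue and not Salesforce CLI code: a small Node.js diagnostic that extracts the two URLs from the error message quoted above and compares a JWT's `aud` claim with the login endpoint, reporting scheme and host differences separately. The function names, the unsigned sample token and its claim values are constructed for illustration.

```javascript
// Added example. All sample values below are constructed, not from a real org.

// Build an UNSIGNED sample token so the example runs offline (constructed input).
function sampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256' })}.${enc(claims)}.c2lnbmF0dXJl`;
}

// Decode the claims segment of a compact JWT. This inspects, it does not verify.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Pull both URLs out of the "audience is invalid [...]" message quoted in the issue.
function parseAudienceError(msg) {
  const m = /audience=(\S+)\s+login=([^\]\s]+)/.exec(msg);
  return m ? { audience: m[1], login: m[2] } : null;
}

// List every way the aud claim differs from the login endpoint.
function audienceProblems(aud, loginUrl) {
  const a = new URL(aud);
  const l = new URL(loginUrl);
  const problems = [];
  if (a.protocol !== l.protocol) problems.push(`scheme: ${a.protocol} vs ${l.protocol}`);
  if (a.host !== l.host) problems.push(`host: ${a.host} vs ${l.host}`);
  return problems;
}

// The message from the issue: both the scheme and the host differ.
const reported = parseAudienceError(
  'audience is invalid [audience=http://login.salesforce.com login=https://test.salesforce.com]');
console.log(audienceProblems(reported.audience, reported.login));

// A constructed assertion whose aud matches the sandbox login endpoint.
const token = sampleJwt({
  iss: 'CONSUMER_KEY_PLACEHOLDER', sub: 'user@example.invalid',
  aud: 'https://test.salesforce.com', exp: 1750000000,
});
console.log(audienceProblems(decodeClaims(token).aud, 'https://test.salesforce.com'));
```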