forcedotcom
`sf org open` opens wrong user
Summary
I created a few test users (usr1, usr2, usr3) on scratch org using sf org create user like this:
sf org user create -o tst -f .\config\user\def_adviser.json -a usr1
Successfully created user "[email protected]" with ID 005Ad00000FIZzaIAH for org 00DAd000008CqMPMA0.
See more details about this user by running "sf org user display -o [email protected]".
sf org user create -o tst -f .\config\user\def_adviser.json -a usr2
Successfully created user "[email protected]" with ID 005Ad00000FIaE5IAL for org 00DAd000008CqMPMA0.
See more details about this user by running "sf org user display -o [email protected]".
sf org user create -o tst -f .\config\user\def_adviser.json -a usr3
Successfully created user "[email protected]" with ID 005Ad00000FIaHJIA1 for org 00DAd000008CqMPMA0.
See more details about this user by running "sf org user display -o [email protected]".
and then I tried to login as those users using sf org open -o usr1 or usr2 or usr3.
Expected result
I should login as the specified user.
Actual result
It will ask me for password reset for specified user once, BUT log me in as scratch admin user. Even if I logged out of "User User" (the main user), sf org open would still open the main user and not the one I specify.
However, if I specified different browser using sf org open -o usr1 --browser edge, it will log me in as specified user BUT only for the first time.
Following attempt with different user will still open the first user:
sf org open -o usr3 --browser edge
If I logout from that user on Edge and try to login as usr3, it will still log me in as usr1. If it's my first login as usr3, it will prompt me to change password for usr3 and still login as usr1, a user from which I logged out and which shouldn't have active session.
What's even more interesting is that usr3 will have this login in Login History, but usr1 does not, even though it logged me as usr1 and I act as usr1. This may hint some security issue present in Salesforce.
Additional information
- This is user definition file:
{
"FirstName": "Adviser",
"LastName": "Test1",
"TimeZoneSidKey": "Europe/London",
"LocaleSidKey": "en_US",
"EmailEncodingKey": "UTF-8",
"LanguageLocaleKey": "en_US",
"profileName": "Standard User"
}
-
Scratch Org was created using Org Shape, so I have more user licenses available than empty scratch org.
-
This started affecting our automated tests, which used to open specific test user and now open admin user instead.
System Information
CLI:
@salesforce/cli/2.102.6 win32-x64 node-v23.3.0
Plugin Version:
@oclif/plugin-autocomplete 3.2.34 (core)
@oclif/plugin-commands 4.1.32 (core)
@oclif/plugin-help 6.2.32 (core)
@oclif/plugin-not-found 3.2.64 (core)
@oclif/plugin-plugins 5.4.46 (core)
@oclif/plugin-search 1.2.28 (core)
@oclif/plugin-update 4.7.3 (core)
@oclif/plugin-version 2.2.32 (core)
@oclif/plugin-warn-if-update-available 3.1.46 (core)
@oclif/plugin-which 3.2.39 (core)
@salesforce/cli 2.102.6 (core)
agent 1.24.2 (core)
apex 3.6.19 (core)
api 1.3.3 (core)
auth 3.7.18 (core)
code-analyzer 5.0.0 (user)
community 3.3.8 (user)
custom-metadata 3.3.33 (user)
data 4.0.51 (core)
deploy-retrieve 3.22.38 (core)
dev 2.1.12 (user)
info 3.4.80 (core)
lightning-dev 2.10.2 (user)
limits 3.3.64 (core)
marketplace 1.3.8 (core)
org 5.9.22 (core)
packaging 1.22.1 (user)
schema 3.3.78 (core)
settings 2.4.42 (core)
sobject 1.4.68 (core)
telemetry 3.6.53 (core)
templates 56.3.60 (core)
trust 3.7.113 (core)
user 3.6.34 (core)
@salesforce/sfdx-scanner 4.7.0 (user)
sfdmu 4.33.17 (user)
sfdx-hardis 4.52.0 (user)
SF ENV. VARS.
SF_AUTOUPDATE_DISABLE,true
SF_DISABLE_AUTOUPDATE,true
SF_UPDATE_INSTRUCTIONS,Use "npm update --global @salesforce/cli" to update npm-based installations.
SF_BETA_TRACK_FILE_MOVES,true
Windows: true
Shell: powershell
Channel: stable
Diagnostics
:white_check_mark: pass - salesforcedx plugin isn’t installed :white_check_mark: pass - you don't have any linked plugins :white_check_mark: pass - [@salesforce/plugin-trust] can ping: https://registry.npmjs.org :white_check_mark: pass - [@salesforce/plugin-trust] can ping: https://registry.yarnpkg.com :white_check_mark: pass - [@salesforce/plugin-trust] can ping: https://registry.npmjs.org/ :white_check_mark: pass - using latest or latest-rc CLI version :white_check_mark: pass - can access: https://test.salesforce.com :white_check_mark: pass - can access: https://appexchange.salesforce.com/services/data :white_check_mark: pass - can access: https://developer.salesforce.com/media/salesforce-cli/sf/channels/stable/sf-win32-x64-buildmanifest :x: fail - [@salesforce/plugin-auth] CLI supports v2 crypto :white_check_mark: pass - [@salesforce/plugin-auth] CLI using stable v1 crypto :white_check_mark: pass - [@salesforce/plugin-deploy-retrieve] sourceApiVersion matches apiVersion
One more thing - Looking at login (contentDoor) pages that appear as first thing in login after issuing sf org open -o usr1, I can see that JWT has usr1 ID. But it logs me in as usr3, which wasn't logged in before that.
{"enc":"A256GCM","aud":"00DAd000008CqMP","kid":"{\"t\":\"00DAd000008CqMP\",\"v\":\"02GAd000000zHgf\",\"a\":\"contentdoorusertransientkeyencrypt\",\"u\":\"005Ad00000FIZza\"}","crit":["iat"],"iat":1756060540278,"exp":0}```
┌─────────┬───────┬─────────────────────────────────────────────┬──────────────────────┬────────────────────┐ │ Default │ Alias │ Username │ Profile Name │ User Id │ ├─────────┼───────┼─────────────────────────────────────────────┼──────────────────────┼────────────────────┤ │ (A) │ tst │ [email protected] │ System Administrator │ 005Ad00000FIZZlIAP │ │ │ usr1 │ [email protected] │ Standard User │ 005Ad00000FIZzaIAH │ │ │ usr2 │ [email protected] │ Standard User │ 005Ad00000FIaE5IAL │ │ │ usr3 │ [email protected] │ Standard User │ 005Ad00000FIaHJIA1 │
Hey @pkozuchowski, did this just recently start being an issue for you?
I am seeing some similar results. I was able to work around this by going into Setup > Security > Session Management and removing existing sessions. After I did that, I was able to open the org as different users.
Hey @pkozuchowski, did this just recently start being an issue for you?
I am seeing some similar results. I was able to work around this by going into Setup > Security > Session Management and removing existing sessions. After I did that, I was able to open the org as different users.
I think it is recent issue, because we have automated tests pipeline that uses CLI to switch between different personas and it only started failing recently.
Hey @pkozuchowski, which browser are you using?
I'm able to reproduce the issue only in Chrome (even in incognito mode). For other browsers like Edge and Safari it works as expected.
![git2gus[bot] avatar](https://avatars.githubusercontent.com/in/19654?v=4 "Published by a pub.dev verified publisher"){kind=small}
Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hello @pkozuchowski :wave: None of the versions of sf you shared match the latest release.
Shared: 2.102.6
Latest: 2.106.6
Update to the latest version of Salesforce CLI (docs) and confirm that you're still seeing your issue.
You can also try the rc and nightly releases! (docs)
After updating, share the full output of sf version --verbose --json
Hello @pkozuchowski :wave: Your version of nodeJS (23) is not supported.
We recommend using LTS and we support anything Node says is Current, Active and Maintenance.
See Node's version status.
This issue will be closed. If you're able to reproduce your issue on a supported node version, please open a new issue.
Hey @pkozuchowski, I’m following up on this issue. I tried to reproduce this issue today but was unable to, even when using Chrome.
Could you please confirm if you are still experiencing this behavior?
Hey @pkozuchowski, I’m following up on this issue. I tried to reproduce this issue today but was unable to, even when using Chrome.
Could you please confirm if you are still experiencing this behavior?
Hey @EstebanRomero84. In general, we see this issue in CI/CD automated browser tests, which open browser in private mode, so I suspect this isn't a standalone issue.
I've updated CLI to latest version (2.107.6 ) did another round of testing and I can still reproduce the issue on Edge after a few tries:
$ sf org open -o adviser
Opening org 00DQ1000007wsvFMAQ as user [[email protected]](mailto:[email protected])
This should be Adviser, but logs me in as Adviser Manager.
Chrome Tests:
- [x]
sf org open --browser chrome -o adviser-> Logs as Adviser Test -> Logged out. - [x]
sf org open --browser chrome -o adviserManager-> Logs as AdviserManager Test -> Logged out. - [x]
sf org open --browser chrome -o asc-> Password Reset -> Logs as ASC -> Logged out. - [x]
sf org open --browser chrome -o adviser-> Logs as Adviser Test -> Logged out. - [x]
sf org open --browser chrome -o adviserManager-> Logs as AdviserManager Test -> Logged out. - [x]
sf org open --browser chrome -o adviser-> Logs as Adviser Test -> Not logging out manually - [ ]
sf org open --browser chrome -o adviserManager-> Logs as Adviser Test - [ ]
sf org open --browser chrome -o adviserManager-> Logs as Adviser Test - [ ]
sf org open --browser chrome -o asc-> Logs as Adviser Test > Logged out. - [ ]
sf org open --browser chrome -o adviserManager-> Logs as Adviser Test > Logged out. - [ ]
sf org open --browser chrome -o ascManager-> Password Reset for ASC Manager -> Logs as Adviser Test > Logged out. - [ ]
sf org open --browser chrome -o adviserManager-> Logs as Adviser Test > Logged out. - [x] Closed Chrome and made sure there's no chrome process
- [x]
sf org open --browser chrome -o adviserManager-> Logs as AdviserManager Test > Logged out. - [x]
sf org open --browser chrome -o asc-> Logs as ASC Test -> Not logged out. - [ ]
sf org open --browser chrome -o adviser-> Logs as ASC Test
As you can see, after trying for some time, it started to log me as wrong user.
Hello @pkozuchowski :wave: None of the versions of sf you shared match the latest release.
Shared: 2.102.6
Latest: 2.107.6
Update to the latest version of Salesforce CLI (docs) and confirm that you're still seeing your issue.
You can also try the rc and nightly releases! (docs)
After updating, share the full output of sf version --verbose --json
Very helpful of you bot.
{
"architecture": "win32-x64",
"cliVersion": "@salesforce/cli/2.107.6",
"nodeVersion": "node-v23.3.0",
"osVersion": "Windows_NT 10.0.26100",
"rootPath": "C:\\Users\\piotr\\AppData\\Roaming\\npm\\node_modules\\@salesforce\\cli",
"shell": "powershell",
"pluginVersions": [
"@oclif/plugin-autocomplete 3.2.34 (core)",
"@oclif/plugin-commands 4.1.33 (core)",
"@oclif/plugin-help 6.2.33 (core)",
"@oclif/plugin-not-found 3.2.68 (core)",
"@oclif/plugin-plugins 5.4.47 (core)",
"@oclif/plugin-search 1.2.30 (core)",
"@oclif/plugin-update 4.7.5 (core)",
"@oclif/plugin-version 2.2.33 (core)",
"@oclif/plugin-warn-if-update-available 3.1.48 (core)",
"@oclif/plugin-which 3.2.40 (core)",
"@salesforce/cli 2.107.6 (core)",
"agent 1.24.10 (core)",
"apex 3.8.0 (core)",
"api 1.3.3 (core)",
"auth 3.9.7 (core)",
"code-analyzer 5.0.0 (user) published 148 days ago (Tue Apr 29 2025) (latest is 5.4.0)",
"community 3.3.8 (user) published 257 days ago (Sat Jan 11 2025) (latest is 3.3.41)",
"custom-metadata 3.3.33 (user) published 368 days ago (Sun Sep 22 2024) (latest is 3.3.68)",
"data 4.0.56 (core)",
"deploy-retrieve 3.23.3 (core)",
"dev 2.1.12 (user) published 600 days ago (Sat Feb 03 2024) (latest is 2.5.1)",
"info 3.4.87 (core)",
"lightning-dev 2.10.2 (user) published 230 days ago (Thu Feb 06 2025) (latest is 3.5.1)",
"limits 3.3.67 (core)",
"marketplace 1.3.8 (core)",
"org 5.9.28 (core)",
"packaging 1.22.1 (user) published 777 days ago (Thu Aug 10 2023) (latest is 2.20.5)",
"schema 3.3.81 (core)",
"settings 2.4.48 (core)",
"sobject 1.4.73 (core)",
"telemetry 3.6.56 (core)",
"templates 56.3.65 (core)",
"trust 3.7.113 (core)",
"user 3.6.38 (core)",
"@salesforce/sfdx-scanner 4.7.0 (user) published 330 days ago (Tue Oct 29 2024) (latest is 4.12.0)",
"sfdmu 4.33.17 (user) published 511 days ago (Thu May 02 2024) (latest is 4.38.0)",
"sfdx-hardis 4.52.0 (user) published 418 days ago (Fri Aug 02 2024) (latest is 6.5.3)"
]
}
Hello @pkozuchowski :wave: Your version of nodeJS (23, 23) is not supported.
We recommend using LTS and we support anything Node says is Current, Active and Maintenance.
See Node's version status.
This issue will be closed. If you're able to reproduce your issue on a supported node version, please open a new issue.