Apex Code Development You need to sign in to do that
Don't have an account?
Frans Flippo 14 SFDX org sessions expiring
Since a week or so I suddenly get `INVALID_SESSION_ID: Session expired or invalid` errors when trying to deploy to a sandbox. Around the same time, I suddenly started seeing the line `*** Deploying with REST ***` when running an `sfdx force:source:deploy`.
I never used to see my token expire before. Now I have to daily go and re-auth my org connection.
This seems like a regression. What's going on?
I never used to see my token expire before. Now I have to daily go and re-auth my org connection.
This seems like a regression. What's going on?
By default the expiration of refresh token is set to "Refresh token is valid until revoked"
One way to find whats going on is look into your "Connected Apps OAuth Usage page by navigating to Apps >Connected Apps OAuth Usage in your org.
Also, check session settings.
https://dreamevent.secure.force.com/articleView?id=sf.admin_sessions.htm&type=5
Thanks,
Agreed with Frans, I am also getting this error when I never used to before.
For further context, I am already authorized in my sandbox from my local computer using sfdx and salesforce CLI. By default this uses the out of the box "Salesforce CLI" connected app in the sandbox. And Salesforce does not let us edit this connected app's session settings.
https://help.salesforce.com/articleView?id=000335524&type=1&mode=1
Thanks,
- Turn "Lock sessions to the IP address from which they originated" OFF,
- Turn "Enforce login IP ranges on every request" ON,
- Select the connected app's IP relaxation policy "Enforce IP restriction", and
- Add Salesforce's internal IP range 10.0.0.0 to 10.255.255.255 to the list of profiles needing to use Salesforce's REST API
Number 1 was already off. Number 2 wasn't on so I enabled it. There are no connected apps in the org in question. Number 4 I'm hesitant on because I don't want to lock down the profile at all. I'm assuming it referencing login IP ranges? We need to interactively log into this org, I don't want to lock it down to SF's internal IP range.Basically, I'm in VSCode. From the CLI I run "sfdx force:auth:web:login --setalias 'org alias' --instanceurl https://login.salesforce.com --setdefaultusername". A browser window opens at the SF login page. I enter in my credentials (yes, they're correct), and then the process stalls at RemoteAccessAuthorizationPage.apexp. No feedback, no errors, no timeouts, no logs, nothing. This org is just a Developer Edition created from Environment Hub where I push code for preview. But it isn't specific to only this org. I can't authorize against any orgs at all within VSCode.
Now, I just viewed the code in the browser for RemoteAccesAuthorizationPage and it's trying to redirect to "http://localhost:1717/OauthRedirect?code=<SESSION_ID>" (I blanked out the session id). I ran 'netstat -an' and, sure enough, there's a TCP session listening on that port. I've confirmed that this is a VSCode-related session (I quit VSCode and the session disappeared, restarted VSCode and the session is back). So, now I'm wondering if this is all VSCode related? I noticed earlier that there was an update, but don't know anything more than that.
However, on retry it goes through:
I understand this issue is happening with the latest sfdx CLI version but we don't need to re authorize everytime we get this error. We can run sfdx force:org:list which refreshes the connection to the org and then we can run the deploy or push/pull command.
Since March 1st every 2 hours i loose the session, force:org:list does sort it for a little while, but takes a while to run when you have a lot of orgs.
I raised a support case, and got a response to re-authorise the org: this worked and I am able to deploy again.
However am concerned as others here are reporting the issue, and if we have to re-authorise the org frequently it will be a pain.
Just updating CLI as well hoping it clears this issue, but for those connecting to the default org to fix:
I've found that doing a
applies the same temporary fix as its reaching out, and I can then source:deploy to any org.
sfdx force:org:open
to restore connection. This works for me.
From VS Code, open File -> Preferences -> Settings.
Search for and enable the setting: Salesforcedx-vscode-core > Experimental: Deploy Retrieve
Enjoy.
Following. I tried updating our Oauth installation to use Enforce IP restrictions, but relax for refresh tokens. Still getting the invalid session.
However, I updated from 7.92.0-88320113e7 to 7.93.1-762bca056d and this worked to resolve the issue for today.
I suspect the issue here is the SFDX connected app, which has "Immediately expire refresh tokens" selected and there appears to be no way to deselect it. I'm not sure if this is a change from a recent release or not (maybe someone else can research that) but it appears to be this policy that forces SFDX orgs to re-authorize frequently.
As others have stated, you can try typing any of the following in the VSC console to restore the connection:
Alternately...if you have access, you could try to delete the SFDX connected app. This will require going into App Manager and under SFDX, select "View". There will be a Delete button at the top.
NOTE: I just deleted my own SFDX and I can still connect through VSC, so I'm certain that it doesn't break things but I'm not certain yet if this will solve the session expiration issue.
This is a platform issue and is currently being tracked in GitHub
https://github.com/forcedotcom/cli/issues/899
Copying the contributor's comment from the above GitHub thread:
"The REST API does not auto-refresh as it does with SOAP via jsforce. This is a bug and is being tracked internally with W-9016781."
As per https://github.com/forcedotcom/cli/issues/942 , Starting in version 51.0, Salesforce CLI uses REST by default for deployments. The bug is related to this recent change.
Recommend following the GitHub thread to receive the updates from the product team directly.
Thank you
Salesforce support