Set ScratchOrg User Password on Create

[JosephAllen]

Has there been any thought to setting the password for the default scratch org users? Is it possible that OAuth token persistence is required because the default scratch org user has no password, therefore requiring OAuth for even GUI access?

Maybe adding a password parameter to the org:create command?

Maybe some options like this?

sfdx force:org:create --password MyPassword

Some flows might look like this:

1. POST https://[DevHubOrgDomain].my.salesforce.com/services/data/v51.0/sobjects/ScratchOrgInfo to create scratch org
2. GET https://[ScratchOrgDomain].my.salesforce.com/services/oauth2/authorize to get authorization_code
3. POST https://[ScratchOrgDomain].my.salesforce.com/oauth2/token to get refresh token and initial access token
4. POST https://[ScratchOrgDomain].my.salesforce.com/services/Soap/s/ to APEX Soap API to set user password using Apex system.setPassword method

All of these steps could be executed in on script without the need to persist tokens.

[github-actions[bot]]

Thank you for filing this feature request. We appreciate your feedback and will review the feature at our next grooming or sprint planning session. We prioritize feature requests with more upvotes and comments.

[uip-robot-zz]

This issue has been linked to a new work item: W-10017294

[mshanemc]

If you want to log into a scratch org via a password, you can use force:user:password:generate to get a password, then go to [login|test].salesforce.com or use the org's instance to login via your new password.

How would the --password flag work in scripting scenarios? All the orgs would have the same password and that password would be in the script in source control? Or would this be something that you wouldn't use for CI use cases?

[JosephAllen]

The password could be set via:

• environment variable
• script variable

Here are some password options

# create org 1
sfdx force:org:create --password MyPassword123
# create org 2
sfdx force:org:create --password 1234ZuluPassword

Once the password is set its easy to login to the ui and change it if needed. This would level set the security for Production Orgs, Sandboxes, Dev Orgs and Scratch orgs.

The only one that hasn't gotten a password by default are scratch orgs. The null password on scratch org may have been the genesis of persisting access tokens, because frontdoor.jsp and an access token are the only way to access the GUI of a scratch org.

[mshanemc]

we don't put secrets in flags, to keep them out of the terminal history.