Salesforcedx-vscode: VSCode SFDX: Authorize an Org fails with EACCES error

Created on 30 Apr 2019 · 13 Comments · Source: forcedotcom/salesforcedx-vscode

Summary

_SFDX: Authorize an Org fails with EACCES error_.

Steps To Reproduce:

  1. Open VS code with no project
  2. Issue command SFDX: Create Project
  3. Name the project VSCodeQuickstart (for instance)
  4. In file project-scratch-def.json change orgName to Learning VS Code
  5. Issue command SFDX: Authorize an Org
  6. Accept default login URL
  7. Enter alias VS Code Playground (for instance)

Expected result

_Browser window should open to authorize access_.

Actual result

_Browser does not open. Instead, the Output panel reads_:

Starting SFDX: Authorize an Org

11:38:21.734 sfdx force:auth:web:login --setalias vscodeOrg --instanceurl https://login.salesforce.com --setdefaultusername
{ Error: listen EACCES: permission denied 127.0.0.1:1717
    at Server.setupListenHandle [as _listen2] (net.js:1253:19)
    at listenInCluster (net.js:1318:12)
    at GetAddrInfoReqWrap.doListen [as callback] (net.js:1451:7)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:61:10)
  code: 'EACCES',
  errno: 'EACCES',
  syscall: 'listen',
  address: '127.0.0.1',
  port: 1717 }
{ Error: listen EACCES: permission denied 127.0.0.1:1717
    at Server.setupListenHandle [as _listen2] (net.js:1253:19)
    at listenInCluster (net.js:1318:12)
    at GetAddrInfoReqWrap.doListen [as callback] (net.js:1451:7)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:61:10)
  code: 'EACCES',
  errno: 'EACCES',
  syscall: 'listen',
  address: '127.0.0.1',
  port: 1717 }
{ Error: listen EACCES: permission denied 127.0.0.1:1717
    at Server.setupListenHandle [as _listen2] (net.js:1253:19)
    at listenInCluster (net.js:1318:12)
    at GetAddrInfoReqWrap.doListen [as callback] (net.js:1451:7)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:61:10)
  code: 'EACCES',
  errno: 'EACCES',
  syscall: 'listen',
  address: '127.0.0.1',
  port: 1717 }
{ Error: listen EACCES: permission denied 127.0.0.1:1717
    at Server.setupListenHandle [as _listen2] (net.js:1253:19)
    at listenInCluster (net.js:1318:12)
    at GetAddrInfoReqWrap.doListen [as callback] (net.js:1451:7)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:61:10)
  code: 'EACCES',
  errno: 'EACCES',
  syscall: 'listen',
  address: '127.0.0.1',
  port: 1717 }
11:38:23.839 sfdx force:auth:web:login --setalias vscodeOrg --instanceurl https://login.salesforce.com --setdefaultusername ended with exit code 0

Additional information

  • _Tried this over two different networks_.
  • _First as normal user, then as admin_.

VS Code Version: 1.33.1

SFDX CLI Version: sfdx-cli/7.5.0-e6ca93eee8 win32-x64 node-v10.15.3

OS and version: Windows 10 (Windows_NT x64 10.0.17763)

All 13 comments

Seems like your network or machine configuration (maybe firewall) is blocking access to the localhost OAuth callback port.

You could try to use a different port by adding this line to your sfdx-project.json file:

"oauthLocalPort" : "1919"

@rendall as pointed out on the previous comment by @ChuckJonas, this looks like an issue with a firewall or something in your machine blocking that call to the default port 1717. Can you confirm if that's the scenario and if updating the port in use resolves it?

Hi @ChuckJonas and @lcampos

My apologies for not getting back sooner.

Yes, changing the local port was one of the first things I tried ("oauthLocalPort": 1919), and it fails with the same error. I suspect that there is a SFDX service exposed at the oauthLocalPort that is not starting on my machine for some reason.

I am happy to help actively track this down. What is SFDX expecting to find at localhost:1717? Do you have insight into what this is, when it might start, if it writes error logs, etc?

For completeness, here is the error with oauthLocalPort:1919:

{ Error: listen EACCES: permission denied 127.0.0.1:1919
    at Server.setupListenHandle [as _listen2] (net.js:1253:19)
    at listenInCluster (net.js:1318:12)
    at GetAddrInfoReqWrap.doListen [as callback] (net.js:1451:7)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:61:10)
  code: 'EACCES',
  errno: 'EACCES',
  syscall: 'listen',
  address: '127.0.0.1',
  port: 1919 }

It is definitely not a proxy issue:

  • I have tried this over several different networks: home, work, public
  • No other service fails, irrespective of port
  • I do not have a local proxy

I got the same result using the same repro steps.

I don't know if this is related to port exclusion/reservation, however, the ranges from netsh (Non-Administered port exclusions) match the ports which don't work for me.

netsh interface ip show excludedportrange protocol=tcp

@DFKA solved the immediate problem for me, so thanks for that! I was not aware that "Administered port exclusions" were even a thing. I changed 'oauthLocalPort' to a port _not_ in that list and the extension behaved as expected.

I think this should still be considered a bug since the error is unmanaged and undocumented, but that's not my call :)

But this is here for any Windows dev who needs a work-around:

As DFKA noted, type netsh interface ip show excludedportrange protocol=tcp into your terminal, which lists a series of port ranges. Find a port not in the list, and add it as the value of an oauthLocalPort field on the root level object of sfdx-project.json.
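The check described in the comment above, as an added example (not code from the thread or from the sfdx CLI): it parses the table that netsh prints and reports whether a chosen oauthLocalPort falls inside a reserved range. The netsh output is a constructed sample and the function names are hypothetical.

```javascript
// Constructed sample of `netsh interface ip show excludedportrange protocol=tcp`
// output. The ranges are made up for illustration, not taken from the thread.
const SAMPLE_NETSH_OUTPUT = `
Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      1664        1763
      1864        1963
      5357        5357
     50000       50059     *

* - Administered port exclusions.
`;

// Parse the "Start Port / End Port" rows into {start, end, administered}.
// A trailing "*" marks an administered (manually added) exclusion.
function parseExcludedRanges(text) {
  const ranges = [];
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(\d+)\s+(\d+)\s*(\*)?\s*$/);
    if (m) {
      ranges.push({ start: Number(m[1]), end: Number(m[2]), administered: m[3] === '*' });
    }
  }
  return ranges;
}

// Return the range that reserves `port`, or null if no exclusion covers it.
function excludingRange(port, ranges) {
  return ranges.find((r) => port >= r.start && port <= r.end) || null;
}

// First port at or above `from` that lies outside every excluded range.
function firstUnreservedPort(from, ranges) {
  for (let port = Math.max(from, 1024); port <= 65535; port++) {
    const hit = excludingRange(port, ranges);
    if (!hit) return port;
    port = hit.end; // skip the rest of this reserved block
  }
  return null;
}

const ranges = parseExcludedRanges(SAMPLE_NETSH_OUTPUT);
for (const port of [1717, 1919, 1771]) {
  const hit = excludingRange(port, ranges);
  console.log(port, hit ? `reserved by ${hit.start}-${hit.end}` : 'not reserved');
}
console.log('candidate oauthLocalPort:', firstUnreservedPort(1717, ranges));
```

On a real machine, replace the sample string with the actual netsh output; a port that is not reserved can still fail with EADDRINUSE if another process is already bound to it.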

There is one final piece to the puzzle, and it definitely is a bug. The oauthLocalPort is ignored at callback, and it uses the 1717 port.

To reproduce:

  • set oauthLocalPort to any working port other than 1717
  • type the command sfdx force:auth:web:login -d -a DevHub
  • authorize at the login screen
  • note that the redirect is to http://localhost:1717/OauthRedirect?code=aPrxrDqe....

This redirect should be to the oauthLocalPort set in sfdx-project.json

The workaround is to replace the 1717 in the browser url with the alternate port.

An alternative approach that seems to work is to restart in safe mode with networking enabled and add 1717 to your own range, and then restart back to normal.

netsh interface ip add excludedportrange protocol=tcp startport=1717 numberofports=1

Thanks so much @DFKA ! May I ask, how did you come to know about netsh in the first place, and its application in this situation? Very much appreciated. Who or what set these port exclusions? What is their purpose? Do you know, off-hand?

I should have just started with netsh, however, I took somewhat of a detour.

I first tried with a high port-number, which worked, and I could see that node.exe was bound to the port.
I then used Process Monitor with the original port (1717) and saw that node.exe was looking at the registry, with one of the entries being:
HKLM\SYSTEM\CurrentControlSet\services\tcpip\Parameters

I knew that Parameters contained ReservedPorts, which was deprecated some time back and replaced with netsh's excludedportrange.

The excludedportrange is used to reserve a range of ports, so that a request for a random port does not pick one of them.

I initially thought that it was Hyper-V or one of my Virtual Switches which had reserved the ports, however, I seem to remember that they are reserving ports around 50000, so I have not checked it.
You could check to see if a process is using any of the ports within the excluded range, the issue being that it is highly likely a short-lived connection.

I'm closing this since it looks like the fix is to switch which port is used by the cli depending on the computer's setup port restrictions.

Hi,
I have noticed that it is not enough to just
set the oauthLocalPort field on the root level object of sfdx-project.json.
It will say that some other parameters are missing.
I'm running the ForceCode menu, and do not have an overview of all the pieces, so it's hard to troubleshoot this "localhost:1717" issue at my desk.
I also tried to kill the process listening on localhost:1717, some node.js process, on the Windows machine.
But all that did not help to get that "authorization web page to open".
But I have to admit that there is no such issue on a MacBook Pro device.

in VSC ForceCode output:
Cannot start the OAuth redirect server on port PortInUseAction.,
0: Kill the process running on port 1717 or use a custom connected app and update OauthLocalPort in the sfdx-project.json file.,
commandName: AuthWebLoginCommand,
stack: PortInUse: Cannot start the OAuth redirect server on port PortInUseAction.

My need is just to connect a Sandbox ORG to retrieve meta-data by package.xml
Agree that some timeout could help, otherwise the ForceCode Loading... ForceCode: Executing 1 Tasks never ends.

And after ForceCode NewProject there is only one force.json file
but in issue #279 scenario after this step would expect at least 2 files
force.json
sfdx-project.json

I'm not sure whether a new project should have both files.
Is there any place I could check the default ForceCode New Project file structure?

Kind regards,
Edgars

Hi @EdgarsEv, ForceCode is a different vscode extension than the ones on this repo and we do not own that codebase. I suggest you post your question on their project's repo.

@lcampos ,
I just tried this, but just adding an oauthLocalPort to sfdx-project.json doesn't seem to be whole story.
I did this, and the Error: listen EACCES did disappear.
But, the callback from SF after login still tried to connect to 1717.
I changed the port in the URL to the port I had chosen (1771) and this worked - the Project in VS Code was updated and the browser was redirected to the Org's home page.
What else is needed to make this process seamless?
Thank you!
