ARTIFACTORY: How to identify users and their login method

ARTIFACTORY: How to identify users and their login method
Products
Frog_Artifactory
Content Type
Use_Case
AuthorFullName__c
David Lee, Kanishk Sharma
articleNumber
000005777
FirstPublishedDate
2023-06-11T10:51:58Z
lastModifiedDate
2025-06-15
VersionNumber
2
How to identify users and their login method

There may be instances where it is important to determine the type of login method a user is using. By examining the artifactory-access.log, this information can be retrieved efficiently.

For example, when transitioning users from access tokens to passwords, it is necessary to identify all users who are currently using access tokens. This can be accomplished using the API Key/Token User Collection. To filter for all login entries with access tokens, execute the following command:
cat $JFROG_HOME/artifactory/var/log/artifactory-access.log | grep "\\[ACCEPTED LOGIN\\].*\\[token\\]$"


OUTPUT:
2025-06-06T12:28:06.772Z [2bde295e0fe3249c] [ACCEPTED LOGIN]   for client : anonymous / xx.xx.xx.xx [token]
2025-06-06T12:28:12.239Z [2e307f600f7fbd0e] [ACCEPTED LOGIN]   for client : anonymous / xx.xx.xx.xx [token]
2025-06-06T12:28:17.671Z [0315d64ea5ead313] [ACCEPTED LOGIN]   for client : anonymous / xx.xx.xx.xx [token]
2025-06-06T12:30:06.947Z [308fde78e374502b] [ACCEPTED LOGIN]   for client : jffe@01jq3then4hspb10agqp6515d3 / xx.xx.xx.xx [token]


Please note, the entry below is a message indicating Artifactory’s frontend service (jffe@01) authenticating with Artifactory, which doesn’t help us in this use case and may cause clutter.
2025-06-06T12:30:06.947Z [308fde78e374502b] [ACCEPTED LOGIN]   for client : jffe@01jq3then4hspb10agqp6515d3 / xx.xx.xx.xx [token]

To filter these messages out, we can add an additional grep to the previous command: 
cat artifactory-access.log | grep "\\[ACCEPTED LOGIN\\].*\\[token\\]$" | grep -wv jffe@*

In the event we are working with Docker, it may be less clear who is using a token to log in, as Artifactory will record a Docker login as a token login. The Docker client requires a token to authenticate, and there is currently no method to disable this behavior within the Docker client.

To distinguish whether a token was used by the Docker client, we will want to cross-reference the Trace ID of a login record between the artifactory-access.log and the artifactory-request.log.

1. Perform a Docker login
$ docker login artprod.mycompany
Authenticating with existing credentials... [Username: <username>]

Login Succeeded

2. In the artifactory-access.log, search for the record indicating a login by the user from the above step and find the associated Trace ID. As you can see, it looks almost identical to a standard token login made by a user. Here, the Trace ID for this login is e8692a908a9eabad
2025-06-06T12:51:15.356Z [e8692a908a9eabad] [ACCEPTED LOGIN]   for client : <username> / 127.0.0.1 [token]

3. In the artifactory-request.log, search for the associated Trace ID as shown below:
cat artifactory-request.log |  grep e8692a908a9eabad

4. After finding the record with the corresponding Trace ID, we can see that the Docker client made a GET request for a token from Artifactory and received a 200 response, further indicating a login from the Docker client via Access Toke
2025-06-06T12:51:15.356Z|e8692a908a9eabad|127.0.0.1|<username>|GET|/api/docker/docker-virtual/v2/|200|-1|2|39|docker/28.0.2 go/go1.23.7 git-commit/bea4de2 kernel/6.1.0-37-cloud-amd64 os/linux arch/amd64 UpstreamClient(Docker-Client/28.0.2 \(linux\))

Additionally, whenever a user uses a REST API with username and password, the corresponding log entry in the artifactory-access.log will not contain a “[token]” at the end, as we can see in the following output:
2025-06-06T13:11:16.817Z [6b92b36879c2d59c] [ACCEPTED LOGIN]   for client : <username> / 127.0.0.1