Introduction
This article provides a quick step-by-step guide to integrating Artifactory with GitLab OIDC (OpenID Connect) using the JFrog OIDC Token Exchange REST API.
Configure Artifactory
Here, we use the Generic OIDC provider type with the following values and Identity Mapping Claims JSON, focusing solely on the issuer:
Configure the GitLab Pipeline
We create a new Pipeline using the following script in the .gitlab-ci.yml:
before_script:
  - apt-get -qq update
  - apt-get install -y jq

exchange_token:
  stage: build
  # GitLab ID tokens and the claims they include are documented at
  # https://docs.gitlab.com/ci/secrets/id_token_authentication/
  id_tokens:
    FIRST_ID_TOKEN:
      aud: https://gitlab.com
  script:
    - |
      ACCESS_TOKEN=$(curl -XPOST "${JF_CLOUD_URL}/access/api/v1/oidc/token" \
        -H "Content-Type: application/json" \
        -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\": \"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$FIRST_ID_TOKEN\", \"provider_name\": \"jeremyl-gitlab\"}" \
        | jq -r '.access_token')
      echo "TOKEN=${ACCESS_TOKEN}" > build.env
      cat build.env  # note: this prints the exchanged access token into the job log
      # Use $ACCESS_TOKEN directly in subsequent commands if needed
      curl -XPUT -H "Authorization: Bearer $ACCESS_TOKEN" \
        "${JF_CLOUD_URL}/artifactory/jeremyl-generic/test2.txt" \
        -d "This is content of the test2.txt file deployed from our gitlab-oidc test pipeline"
  artifacts:
    reports:
      dotenv: build.env
  environment: production
* We install jq in the before_script and then extract the ACCESS_TOKEN by piping the OIDC exchange response through jq -r '.access_token'.
* JF_CLOUD_URL is a CI/CD variable configured in GitLab that points to our JFrog host.
* The ACCESS_TOKEN is written to the build.env file, which is exported as a dotenv report artifact and can then be passed to subsequent jobs in the pipeline.
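As an added example (not part of the original article or JFrog's code), the following Python helper builds the same token-exchange body that the curl command above sends, but first decodes the GitLab ID token and checks its aud and issuer against the identity mapping described earlier, so a misconfigured token is rejected in the pipeline rather than by a failed exchange. The IDENTITY_MAPPING_CLAIMS value and make_sample_id_token are constructed assumptions standing in for the real provider configuration and a real GitLab-issued token.

```python
import base64
import json

# Assumed identity mapping: the provider in Artifactory only filters on the
# issuer, as described above; the real JSON lives in the provider configuration.
IDENTITY_MAPPING_CLAIMS = {"iss": "https://gitlab.com"}
EXPECTED_AUDIENCE = "https://gitlab.com"  # the aud: set for FIRST_ID_TOKEN

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_id_token_claims(id_token: str) -> dict:
    """Return a JWT's payload claims without verifying the signature
    (Artifactory does that against GitLab's keys during the exchange)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))

def mapping_matches(claims: dict, mapping: dict) -> bool:
    """True when every claim in the identity mapping is present with an equal value."""
    return all(claims.get(k) == v for k, v in mapping.items())

def build_exchange_request(id_token: str, provider_name: str) -> dict:
    """JSON body for POST ${JF_CLOUD_URL}/access/api/v1/oidc/token."""
    claims = decode_id_token_claims(id_token)
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"unexpected aud {aud!r}")
    if not mapping_matches(claims, IDENTITY_MAPPING_CLAIMS):
        raise ValueError("ID token does not satisfy the identity mapping claims")
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "subject_token": id_token,
        "provider_name": provider_name,
    }

def make_sample_id_token(claims: dict) -> str:
    """Constructed, unsigned stand-in for a GitLab ID token (test data only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.signature"

if __name__ == "__main__":
    token = make_sample_id_token({"iss": "https://gitlab.com", "aud": "https://gitlab.com"})
    print(json.dumps(build_exchange_request(token, "jeremyl-gitlab"), indent=2))
```

The returned dict is what the pipeline would pass as the -d body; serialising it with json.dumps also avoids the hand-escaped quoting used in the curl command.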
View the Results
In the pipeline output, we can see the successful token exchange and file deployment: