Configure an OIDC Integration

JFrog Platform Administration Documentation

Content Type
Administration / Platform
ft:sourceType
Paligo

You can configure an OIDC integration to connect the JFrog Platform with other services that use OpenID. This procedure includes configuration for two OIDC providers, for example, JFrog Platform and GitHub OIDC Provider, which includes configuring trust policy (identity mapping) between the two providers.

  1. Navigate to the Administration tab In the JFrog Platform UI.

  2. Click General | Manage Integrations.

    The Integrations page appears.

  3. Click New Integration | OpenID Connect.

    The OIDC Integration page appears.

    token-issuer-azure-oidc.png

    Azure

    Artifactory

    Required

    Provider Name

    The OIDC provider that will connect with the JFrog Platform. This name must match the name configured in the OIDC provider. The provider name serves as an integral part of the identification process when the provider initiates a request for an access token from the JFrog Platform.

    Mandatory

    Provider Type

    Select the provider type, either Github, Azure, or Generic OpenID Connect.

    Mandatory

    Description

    Add a description to help you identify the configuration.

    Optional

    Provider URL

    Enter the provider URL. If you choose Generic OpenID integration, the URL should match the URL in the OpenID provider configuration.

    Mandatory

    Audience

    Enter the name of the audience for this integration. Determines the scope of the integration and must match the configuration in the OIDC provider.

    Optional

    Token Issuer

    Provide the token issuer in a situation where the OIDC provider URL is not the same as the token issuer.

    Optional

  4. Enter the OIDC provider name that you want to connect with the JFrog Platform.

    The provider name must match the configuration in the OIDC provider.

    For example, in GitHub OIDC integration, you must enter the same provider name that you configure in the JFrog Platform in the following section of the GitHub Actions YAML file.

    \"provider_name\": \"<your provider name> \"}"

    The following snippet shows part of a sample GitHub Actions YAML file, where the provider name is github-oidc-integration.

    - name: Fetch Access Token from Artifactory
            id: fetch_access_token
            env:
              ID_TOKEN: ${{ steps.idtoken.outputs.id_token }}
            run: |
              ACCESS_TOKEN=$(curl \
              -X POST \
              -H "Content-type: application/json" \
              https://example.jfrog.io/access/api/v1/oidc/token \
              -d \
              "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"github-oidc-integration\"}" | jq .access_token | tr -d '"')
              echo ACCESS_TOKEN=$ACCESS_TOKEN >> $GITHUB_OUTPUT
  5. Select the provider type.

    You can choose between the following options.

    • GitHub

    • Azure

    • Generic OpenID Connect

  6. Enter the description of the OIDC integration.

  7. Enter the provider URL.

    If you choose GitHub, the provider URL is automatically set as https://token.actions.githubusercontent.com.

  8. Enter the name of the audience for this integration.

    The audience determines the scope of the integration. You must fetch the scope from the OIDC provider.

    For example, in GitHub OIDC integration, you must enter the scope that you configure in the JFrog Platform in the following section of the GitHub Actions YAML file.

    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=<your scope>" 

    The following snippet shows part of a sample GitHub Actions YAML file, where the audience name is jfrog-github.

    - name: Get ID Token (cURL method)
            id: idtoken
            run: |
              ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
              "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
              echo "ID_TOKEN=${ID_TOKEN}" >> $GITHUB_OUTPUT

    You can also set the scope as an environment variable.

    jobs:
      build:
        runs-on: ubuntu-latest
        env:
          OIDC_AUDIENCE: 'jfrog-github'

    Then, write a script that uses the environment variable.

    - name: Get ID Token (@actions/core method)
            uses: actions/github-script@v7
            id: idtoken
            with:
              script: |
                const coredemo = require('@actions/core');
                let id_token = await coredemo.getIDToken(process.env.OIDC_AUDIENCE);
                coredemo.setOutput('id_token', id_token);
  9. Click Save and Continue to continue to configure identity mappings.

    You can create multiple identity mappings for an integration. Each mappings has a priority field. Prioritization ensures that the relevant token is generated by considering the configured JSON claim.

    For more information, see Configure Identity Mappings.

    You can also click Save to save the configuration and configure identity mappings later.