You can configure an OIDC integration to connect the JFrog Platform with other services that use OpenID. This procedure includes configuration for two OIDC providers, for example, JFrog Platform and GitHub OIDC Provider, which includes configuring trust policy (identity mapping) between the two providers.
Navigate to the Administration module In the JFrog Platform UI.
Select General Management| Manage Integrations.
Navigate to Administration Module | General | Manage Integrations , if you use the classic navigation. Classic navigation is available for JFrog self-hosted customers with version 7.90 or previous only.
The Integrations page appears.
Click New Integration | OpenID Connect.
The OIDC Integration page appears.
Item
Description
Required
Provider Name
The OIDC provider that will connect with the JFrog Platform. This name must match the name configured in the OIDC provider. The provider name serves as an integral part of the identification process when the provider initiates a request for an access token from the JFrog Platform.
Mandatory
Provider Type
Select the provider type, either Github, Azure, or Generic OpenID Connect.
Mandatory
Description
Add a description to help you identify the configuration.
Optional
Provider URL
Enter the provider URL. If you choose Generic OpenID integration, the URL should match the URL in the OpenID provider configuration.
Mandatory
Audience
Enter the name of the audience for this integration. Determines the scope of the integration and must match the configuration in the OIDC provider.
Optional
Token Issuer
Provide the token issuer in a situation where the OIDC provider URL is not the same as the token issuer.
Optional
Enter the OIDC provider name that you want to connect with the JFrog Platform. The provider name must match the configuration in the OIDC provider.
In GitHub OIDC integration, for example, you must enter the same provider name that you configure in the JFrog Platform in the following section of the GitHub Actions YAML file.
\"provider_name\": \"<your provider name> \"}"
The following snippet shows part of a sample GitHub Actions YAML file, where the provider name is
github-oidc-integration
.- name: Fetch Access Token from Artifactory id: fetch_access_token env: ID_TOKEN: ${{ steps.idtoken.outputs.id_token }} run: | ACCESS_TOKEN=$(curl \ -X POST \ -H "Content-type: application/json" \ https://example.jfrog.io/access/api/v1/oidc/token \ -d \ "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"github-oidc-integration\"}" | jq .access_token | tr -d '"')
Select the provider type.
You can choose between the following options.
GitHub
Azure
Generic OpenID Connect
Enter the description of the OIDC integration.
Enter the provider URL.
If you choose GitHub, the provider URL is automatically set as
https://token.actions.githubusercontent.com
.Optionally, enter the name of the audience for this integration.
The audience determines the scope of the integration. You must use scope definitions as provided by the OIDC provider.
Click Save and Continue to continue to configure identity mappings.
You can create multiple identity mappings for an integration. Each mappings has a priority field. Prioritization ensures that the relevant token is generated by considering the configured JSON claim.
For more information, see Configure Identity Mappings.
You can also click Save to save the configuration and configure identity mappings later.
You can use the Show snippet option to generate code with the definitions you created above to include in your authentication workflow. For more information, see generating and copying a snippet.