Configure an OIDC Integration

JFrog Platform Administration Documentation

Content Type
Administration / Platform
ft:sourceType
Paligo

You can configure an OIDC integration to connect the JFrog Platform with other services that use OpenID. This procedure includes configuration for two OIDC providers, for example, JFrog Platform and GitHub OIDC Provider, which includes configuring trust policy (identity mapping) between the two providers.

  1. Navigate to the Administration module In the JFrog Platform UI.

  2. Select General Management| Manage Integrations.

    Navigate to Administration Module | General | Manage Integrations , if you use the classic navigation. Classic navigation is available for JFrog self-hosted customers with version 7.90 or previous only.

    The Integrations page appears.

  3. Click New Integration | OpenID Connect.

    The OIDC Integration page appears.

    token-issuer-azure-oidc.png

    Item

    Description

    Required

    Provider Name

    The OIDC provider that will connect with the JFrog Platform. This name must match the name configured in the OIDC provider. The provider name serves as an integral part of the identification process when the provider initiates a request for an access token from the JFrog Platform.

    Mandatory

    Provider Type

    Select the provider type, either Github, Azure, or Generic OpenID Connect.

    Mandatory

    Description

    Add a description to help you identify the configuration.

    Optional

    Provider URL

    Enter the provider URL. If you choose Generic OpenID integration, the URL should match the URL in the OpenID provider configuration.

    Mandatory

    Audience

    Enter the name of the audience for this integration. Determines the scope of the integration and must match the configuration in the OIDC provider.

    Optional

    Token Issuer

    Provide the token issuer in a situation where the OIDC provider URL is not the same as the token issuer.

    Optional

  4. Enter the OIDC provider name that you want to connect with the JFrog Platform. The provider name must match the configuration in the OIDC provider.

    In GitHub OIDC integration, for example, you must enter the same provider name that you configure in the JFrog Platform in the following section of the GitHub Actions YAML file.

    \"provider_name\": \"<your provider name> \"}"

    The following snippet shows part of a sample GitHub Actions YAML file, where the provider name is github-oidc-integration.

    - name: Fetch Access Token from Artifactory id: fetch_access_token env: ID_TOKEN: ${{ steps.idtoken.outputs.id_token }} run: | ACCESS_TOKEN=$(curl \ -X POST \ -H "Content-type: application/json" \ https://example.jfrog.io/access/api/v1/oidc/token \ -d \ "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"github-oidc-integration\"}" | jq .access_token | tr -d '"')
    

  5. Select the provider type.

    You can choose between the following options.

    • GitHub

    • Azure

    • Generic OpenID Connect

  6. Enter the description of the OIDC integration.

  7. Enter the provider URL.

    If you choose GitHub, the provider URL is automatically set as https://token.actions.githubusercontent.com.

  8. Optionally, enter the name of the audience for this integration.

    The audience determines the scope of the integration. You must use scope definitions as provided by the OIDC provider.

  9. Click Save and Continue to continue to configure identity mappings.

    You can create multiple identity mappings for an integration. Each mappings has a priority field. Prioritization ensures that the relevant token is generated by considering the configured JSON claim.

    For more information, see Configure Identity Mappings.

    You can also click Save to save the configuration and configure identity mappings later.

  10. You can use the Show snippet option to generate code with the definitions you created above to include in your authentication workflow. For more information, see generating and copying a snippet.