Configure an OIDC Integration

JFrog Platform Administration Documentation

You can configure an OIDC integration to connect the JFrog Platform with other services that use OpenID.

  1. Navigate to the Administration tab in the JFrog Platform UI.

  2. Click General | Manage Integrations.

    The Integrations page appears.

  3. Click New Integration | OpenID Connect.

    The OIDC Integration page appears.

  4. Enter the OIDC provider name that you want to connect with the JFrog Platform.

    The provider name must match the configuration in the OIDC provider.

    For example, in GitHub OIDC integration, you must enter the same provider name that you configure in the JFrog Platform in the following section of the GitHub Actions YAML file.

    \"provider_name\": \"<your provider name>\"}"

    The following snippet shows part of a sample GitHub Actions YAML file, where the provider name is github-oidc-integration.

    - name: Fetch Access Token from Artifactory
      id: fetch_access_token
      env:
        ID_TOKEN: ${{ steps.idtoken.outputs.id_token }}
      run: |
        # Exchange the GitHub-issued ID token for a JFrog access token.
        # provider_name must match the name of the OIDC integration in the JFrog Platform.
        ACCESS_TOKEN=$(curl \
          -X POST \
          -H "Content-type: application/json" \
          https://example.jfrog.io/access/api/v1/oidc/token \
          -d \
          "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"github-oidc-integration\"}" | jq .access_token | tr -d '"')
        # Expose the access token to later steps as a step output.
        echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"
  5. Select the provider type.

    You can choose between the following options.

    • GitHub

    • Generic OpenID Connect

  6. Enter the description of the OIDC integration.

  7. Enter the provider URL.

    If you choose GitHub, the provider URL is automatically set as https://token.actions.githubusercontent.com.

  8. Enter the name of the audience for this integration.

    The audience determines the scope of the integration. You must fetch the scope from the OIDC provider.

    For example, in GitHub OIDC integration, you must enter the scope that you configure in the JFrog Platform in the following section of the GitHub Actions YAML file.

    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=<your scope>" 

    The following snippet shows part of a sample GitHub Actions YAML file, where the audience name is jfrog-github.

    - name: Get ID Token (cURL method)
      id: idtoken
      run: |
        # Request an ID token from GitHub; the audience must match the integration's audience.
        ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
        echo "ID_TOKEN=${ID_TOKEN}" >> "$GITHUB_OUTPUT"

    You can also set the scope as an environment variable.

    jobs:
      build:
        runs-on: ubuntu-latest
        env:
          OIDC_AUDIENCE: 'jfrog-github'

    Then, write a script that uses the environment variable.

    - name: Get ID Token (@actions/core method)
      uses: actions/github-script@v7
      id: idtoken
      with:
        script: |
          const coredemo = require('@actions/core');
          let id_token = await coredemo.getIDToken(process.env.OIDC_AUDIENCE);
          coredemo.setOutput('id_token', id_token);
  9. Click Save and Continue to continue to configure identity mappings.

    You can create multiple identity mappings for an integration. Each mapping has a priority field. Prioritization ensures that the relevant token is generated by considering the configured JSON claim.

    For more information, see Configure Identity Mappings.

    You can also click Save to save the configuration and configure identity mappings later.
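
The following is an added example, not part of the JFrog documentation or product code. It is a preflight check that compares an ID token's iss and aud claims with the provider URL, audience, and provider name used in the samples above, and builds the token-exchange body. The function names (decodeClaims, preflight, buildExchangeBody, makeSampleToken), the aud value jfrog-ci, and the sample token are hypothetical and constructed for illustration.

```javascript
// Values from the page's samples (steps 4, 7 and 8).
const INTEGRATION = {
  providerName: 'github-oidc-integration',
  providerUrl: 'https://token.actions.githubusercontent.com',
  audience: 'jfrog-github',
};

// Decode the claims of a compact JWT WITHOUT verifying its signature.
// Diagnostic use only: never base a trust decision on this output.
function decodeClaims(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Hypothetical preflight: list mismatches between the token and the integration.
function preflight(jwt, integration, now = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(jwt);
  const problems = [];
  if (claims.iss !== integration.providerUrl) {
    problems.push(`iss "${claims.iss}" does not match provider URL`);
  }
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(integration.audience)) {
    problems.push(`aud ${JSON.stringify(claims.aud)} does not include "${integration.audience}"`);
  }
  if (typeof claims.exp === 'number' && claims.exp <= now) problems.push('token is expired');
  return problems;
}

// Build the token-exchange body with JSON.stringify instead of hand-escaped quotes.
function buildExchangeBody(jwt, integration) {
  return JSON.stringify({
    grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
    subject_token_type: 'urn:ietf:params:oauth:token-type:id_token',
    subject_token: jwt,
    provider_name: integration.providerName,
  });
}

// Constructed, unsigned sample token for offline testing (not a real GitHub token).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.constructed`;
}

const sample = makeSampleToken({ iss: INTEGRATION.providerUrl, aud: 'jfrog-ci', exp: 2000000000 });
console.log(preflight(sample, INTEGRATION, 1700000000));
```

An empty result means the token's issuer and audience line up with the integration settings; a non-empty result names the field to correct in the workflow or in the integration.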