You can configure an OIDC integration to connect the JFrog Platform with other services that use OpenID. This procedure includes configuration for two OIDC providers, for example, JFrog Platform and GitHub OIDC Provider, which includes configuring trust policy (identity mapping) between the two providers.
Navigate to the Administration module in the JFrog Platform UI.
Select General Management | Manage Integrations.
If you use the classic navigation, navigate to Administration Module | General | Manage Integrations. Classic navigation is available only for JFrog self-hosted customers with version 7.90 or earlier.
The Integrations page appears.
Click New Integration | OpenID Connect.
The OIDC Integration page appears.
| Item | Description | Required |
| --- | --- | --- |
| Provider Name | The OIDC provider that will connect with the JFrog Platform. This name must match the name configured in the OIDC provider. The provider name serves as an integral part of the identification process when the provider initiates a request for an access token from the JFrog Platform. | Mandatory |
| Provider Type | Select the provider type: GitHub, Azure, or Generic OpenID Connect. The Generic OpenID Connect option can support other providers such as Okta, Jenkins, GitLab, and GitHub Enterprise. | Mandatory |
| Description | Add a description to help you identify the configuration. | Optional |
| Provider URL | Enter the provider URL. If you choose Generic OpenID integration, the URL should match the URL in the OpenID provider configuration. | Mandatory |
| Audience | Enter the name of the audience for this integration. Determines the scope of the integration and must match the configuration in the OIDC provider. | Optional |
| Token Issuer | Provide the token issuer in a situation where the OIDC provider URL is not the same as the token issuer. | Optional |
| Azure app ID | If the application has custom signing keys as a result of using the claims-mapping feature, you must provide the Azure App ID. See the Azure documentation for more information. (Only relevant for Azure provider type) | Optional |
| Organization | Enter your GitHub organization name. (Only relevant for GitHub provider type, starting from Artifactory version 7.110.1) | Mandatory, unless 'enable_permissive_configuration' is enabled. |
| Enable Permissive Configuration | Allows authentication without organization restrictions. For security best practices, it is recommended to add restrictions to limit access and enforce stricter controls. (Only relevant for GitHub provider type, starting from Artifactory version 7.110.1) | Optional |
Enter the OIDC provider name that you want to connect with the JFrog Platform. The provider name must match the configuration in the OIDC provider.
In GitHub OIDC integration, for example, you must enter the same provider name that you configure in the JFrog Platform in the following section of the GitHub Actions YAML file.
"provider_name": "<your provider name>"
The following snippet shows part of a sample GitHub Actions YAML file, where the provider name is github-oidc-integration.

```yaml
- name: Fetch Access Token from Artifactory
  id: fetch_access_token
  env:
    ID_TOKEN: ${{ steps.idtoken.outputs.id_token }}
  run: |
    ACCESS_TOKEN=$(curl \
      -X POST \
      -H "Content-type: application/json" \
      https://example.jfrog.io/access/api/v1/oidc/token \
      -d \
      "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"github-oidc-integration\"}" | jq .access_token | tr -d '"')
```
Select the provider type.
You can choose between the following options.
GitHub
Azure
Generic OpenID Connect
Enter the description of the OIDC integration.
Enter the provider URL.
If you choose GitHub, the provider URL is automatically set to https://token.actions.githubusercontent.com.
(Optional) Enter the name of the audience for this integration.
The audience determines the scope of the integration. You must use scope definitions as provided by the OIDC provider.
Take provider-specific additional steps:
(Optional) For GitHub, select Enable Permissive Configuration to enable authentication without organization restrictions. Note: this is not recommended, as the permissive configuration may grant broader access.
For Azure, if the application has custom signing keys as a result of using the claims-mapping feature, you must provide the Azure App ID. See the Azure documentation for more information. (Only relevant for Azure provider type)
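The following is an added illustration, not JFrog's own code, of what the fields on the OIDC Integration page constrain once an ID token reaches the platform: the issuer check (Token Issuer overriding Provider URL when they differ), the Audience check, and the GitHub Organization restriction that Enable Permissive Configuration switches off. It models these rules over a constructed, already signature-verified GitHub Actions token payload; signature verification against the provider's keys is assumed to have happened earlier and is not shown. The assumption that the Organization restriction is matched against GitHub's `repository_owner` claim, the class name `OidcIntegration`, and the sample values are all mine. The request body built by `token_exchange_request` is taken field for field from the GitHub Actions snippet above.

```python
"""Added illustration (not JFrog's code) of the checks implied by the fields on
the OIDC Integration page, run over constructed GitHub Actions token claims."""
from dataclasses import dataclass
from typing import Optional

# Provider URL that the page says is set automatically for the GitHub type.
GITHUB_PROVIDER_URL = "https://token.actions.githubusercontent.com"


@dataclass
class OidcIntegration:
    """Mirrors the fields of the OIDC Integration page (hypothetical model)."""
    provider_name: str
    provider_type: str                   # "GitHub", "Azure" or "Generic OpenID Connect"
    provider_url: str
    audience: Optional[str] = None
    token_issuer: Optional[str] = None   # only needed when it differs from provider_url
    organization: Optional[str] = None   # GitHub type only
    enable_permissive_configuration: bool = False


def expected_issuer(cfg: OidcIntegration) -> str:
    """Token Issuer takes precedence over Provider URL when the two differ."""
    return cfg.token_issuer or cfg.provider_url


def check_id_token_claims(cfg: OidcIntegration, claims: dict) -> list:
    """Return the reasons an (already signature-verified) ID token would be refused
    under this integration's settings; an empty list means it is accepted.
    Assumption: the Organization restriction is matched against GitHub's
    `repository_owner` claim."""
    problems = []
    if claims.get("iss") != expected_issuer(cfg):
        problems.append(f"issuer {claims.get('iss')!r} != {expected_issuer(cfg)!r}")
    if cfg.audience is not None:
        aud = claims.get("aud")
        aud_list = aud if isinstance(aud, list) else [aud]
        if cfg.audience not in aud_list:
            problems.append(f"audience {cfg.audience!r} not in {aud_list!r}")
    if cfg.provider_type == "GitHub" and not cfg.enable_permissive_configuration:
        if not cfg.organization:
            problems.append("Organization is mandatory unless permissive configuration is enabled")
        elif claims.get("repository_owner") != cfg.organization:
            problems.append(f"repository_owner {claims.get('repository_owner')!r} != {cfg.organization!r}")
    return problems


def token_exchange_request(cfg: OidcIntegration, id_token: str) -> dict:
    """Body of the POST to /access/api/v1/oidc/token, as in the page's snippet."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "subject_token": id_token,
        "provider_name": cfg.provider_name,
    }


# Constructed sample: decoded payload of a GitHub Actions ID token (not a real token).
SAMPLE_CLAIMS = {
    "iss": GITHUB_PROVIDER_URL,
    "aud": "jfrog-github",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "repository": "example-org/example-repo",
    "repository_owner": "example-org",
}

# Integration locked to one organization (the recommended setting).
STRICT_CONFIG = OidcIntegration(
    provider_name="github-oidc-integration", provider_type="GitHub",
    provider_url=GITHUB_PROVIDER_URL, audience="jfrog-github", organization="example-org")

# Same integration with Enable Permissive Configuration on and no Organization set.
PERMISSIVE_CONFIG = OidcIntegration(
    provider_name="github-oidc-integration", provider_type="GitHub",
    provider_url=GITHUB_PROVIDER_URL, audience="jfrog-github",
    enable_permissive_configuration=True)


def evaluate_scenarios() -> dict:
    """Run the checks over a few constructed tokens; values are problem lists
    (empty means accepted)."""
    other_org = dict(SAMPLE_CLAIMS, repository_owner="someone-else",
                     repository="someone-else/fork")
    wrong_iss = dict(SAMPLE_CLAIMS, iss="https://issuer.example.invalid")
    wrong_aud = dict(SAMPLE_CLAIMS, aud=["api://other"])
    return {
        "strict/own-org": check_id_token_claims(STRICT_CONFIG, SAMPLE_CLAIMS),
        "strict/other-org": check_id_token_claims(STRICT_CONFIG, other_org),
        "permissive/other-org": check_id_token_claims(PERMISSIVE_CONFIG, other_org),
        "strict/wrong-issuer": check_id_token_claims(STRICT_CONFIG, wrong_iss),
        "strict/wrong-audience": check_id_token_claims(STRICT_CONFIG, wrong_aud),
    }


if __name__ == "__main__":
    for name, problems in evaluate_scenarios().items():
        status = "accepted" if not problems else "rejected: " + "; ".join(problems)
        print(f"{name:24s} {status}")
```

The "permissive/other-org" scenario is the one the Note above warns about: with Enable Permissive Configuration on, a token minted for a workflow in any other GitHub organization passes the same checks as one from your own, which is why the page recommends keeping the Organization restriction in place.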
Click Save and Continue to continue configuring identity mappings.
You can create multiple identity mappings for an integration. Each mapping has a priority field. Prioritization ensures that the relevant token is generated by considering the configured JSON claim.
For more information, see Configure Identity Mappings.
You can also click Save to save the configuration and configure identity mappings later.
You can use the Show snippet option to generate code with the definitions you created above to include in your authentication workflow. For more information, see generating and copying a snippet.