Note
Dynamic mapping is supported from Artifactory version 7.95.
Identity mappings can contain dynamic mappings, which verify or modify the username or group name in the token subject based on a pattern. The pattern is a string that specifies which claim you want to extract from the token request. If the claim is not found, the token request fails. The pattern can replace part of the claim with a username, add data, or verify that the data in the claim matches a definition. For a dynamic group definition, the pattern is applied to all groups and adds the pattern to the group scope.
When creating an identity mapping, you can choose for the token scope to create a Group Mapping with an identity mapping Pattern.
Following are several examples of identity mapping patterns.
Example
For the following mapping, there will be no change. The identity mapping will take the actor claim and use it as is.
{{actor}}
When the claims are applied, the claim "actor" : "saidegreen" will be used as is in the token subject: applied-permissions/user:saidegreen.
Example
For the following, the dynamic mapping will try to find the actor claim in the token request claims and add @jfrog.com at the end.
{{actor}} | $0@jfrog.com
When the claims are applied, the claim "actor" : "saidegreen" in the token subject will become applied-permissions/user:saidegreen@jfrog.com.
Example
For the following, the dynamic mapping will try to find the actor claim in the token request claims and then remove the @jfrog.com at the end.
({{actor}})@jfrog.com|$1
When the claims are applied, the claim "actor" : "username@jfrog.com" in the token subject will become applied-permissions/user:username.
Example
For the following, the dynamic mapping will look for email claims that start with jf and end with jfrog.com.
jf{{mail}}jfrog.com|$0
When the claims are applied, the claim "mail" : "jfuserid30@jfrog.com" in the token subject will become applied-permissions/user:jfuserid30@jfrog.com. However, "mail" : "gituserid30@jfrog.com" will fail the request because the email does not start with jf.
Example
For the following, the dynamic mapping will look for claims that contain group and add -jfrog to the end of the claim.
{{group}} | $0-jfrog
When the claims are applied, the claims claim("group", "gitgroup, gitgroup2, gitgroup3, gitgroup4") will become applied-permissions/groups:"gitgroup-jfrog","gitgroup2-jfrog","gitgroup3-jfrog","gitgroup4-jfrog".
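The five examples above can be reproduced with a small Python model of the pattern semantics; this is an added illustration, not JFrog's implementation. It assumes $0 is the whole matched claim value, $1 is the part matched by the {{claim}} placeholder, the literal text around the placeholder must match the full value, and comma-separated claim values are mapped one by one; apply_pattern and MappingError are hypothetical names.

```python
import re

# Matches {{claim}} or ({{claim}}); the claim name is captured.
PLACEHOLDER = re.compile(r"\(?\{\{(\w+)\}\}\)?")

class MappingError(ValueError):
    """Raised when the token request must be rejected."""

def apply_pattern(pattern, claims):
    """Return the mapped names for one dynamic-mapping pattern (modelled behaviour)."""
    match_part, _, template = pattern.partition("|")
    # No "|" section means the claim value is used as is (assumed equal to $0).
    match_part, template = match_part.strip(), template.strip() or "$0"
    ph = PLACEHOLDER.search(match_part)
    if ph is None:
        raise MappingError("pattern has no {{claim}} placeholder")
    claim = ph.group(1)
    if claim not in claims:
        raise MappingError(f"claim {claim!r} missing from token request")
    # Literal text around the placeholder is escaped and must match exactly;
    # the placeholder becomes capture group 1. fullmatch() anchors both ends,
    # so extra leading or trailing characters cause a rejection.
    regex = re.compile(re.escape(match_part[:ph.start()]) + "(.+)"
                       + re.escape(match_part[ph.end():]))
    results = []
    # Assumption: a comma-separated value is a list, as in the group example.
    for value in (v.strip() for v in claims[claim].split(",")):
        m = regex.fullmatch(value)
        if m is None:
            raise MappingError(f"{value!r} does not match {match_part!r}")
        # Substitute $0/$1 in one pass so claim data is never re-expanded.
        results.append(re.sub(r"\$([01])",
                              lambda r: m.group(int(r.group(1))), template))
    return results

if __name__ == "__main__":
    # Patterns and claim values taken from the examples on this page.
    for pattern, claims in [
        ("{{actor}}", {"actor": "saidegreen"}),
        ("{{actor}} | $0@jfrog.com", {"actor": "saidegreen"}),
        ("({{actor}})@jfrog.com|$1", {"actor": "username@jfrog.com"}),
        ("jf{{mail}}jfrog.com|$0", {"mail": "jfuserid30@jfrog.com"}),
        ("{{group}} | $0-jfrog",
         {"group": "gitgroup, gitgroup2, gitgroup3, gitgroup4"}),
    ]:
        print(pattern, "->", apply_pattern(pattern, claims))
```
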
Example
Following are examples of dynamic mapping patterns with the format {claim value, pattern, result}.
{"jfuser-f12jf", "jf{{actor}}jf|$1", "user-f12"}
{"jfuser-f12jf", "jfrog{{actor}}jfrog|$1", "jfroguser-f12jfrog"}
{"user", "{{actor}}", "user"}
{"user", "{{actor}} | hub$0jfrog", "hubuserjfrog"}