GitHub Actions OIDC Integration

JFrog Platform Administration Documentation


JFrog OpenID Connect integration with GitHub Actions enables users to establish a trust relationship between their GitHub Actions and the JFrog Platform.

JFrog integration of OIDC with GitHub Actions provides the following benefits.

  • Passwordless experience: Eliminate the storage of basic credentials, permanent tokens, or API Keys in GitHub Secrets, thereby mitigating security risks.

  • Dynamic Token Generation: Manage the token lifecycle efficiently through automated generation of tokens with short lifespans. This significantly reduces the likelihood of outdated or unused tokens in the system, which minimizes security risks.

  • Consistent Access Control Policies: Consistently apply access control policies with a fine-grained permission model. Enforce the principle of least privilege, which grants only the necessary permissions for specific operations, resulting in a more secure environment.

  • Improved Developer Experience: Create a seamless, efficient, user-friendly, and secure developer workflow by eliminating the need to handle and manage tokens manually.

The following diagram shows the workflow of the GitHub Actions OIDC integration with the JFrog Platform.

[Diagram: OIDC_Configuration.png]

  1. The GitHub Actions workflow requests an ID token from the GitHub OIDC Provider when it encounters a connection to the JFrog Platform.

  2. The GitHub OIDC Provider generates an ID token that contains multiple claims to establish a security-hardened and verifiable identity for the specific workflow that is trying to authenticate.

  3. The workflow sends the ID token to the JFrog Platform where JFrog Access processes the request.

  4. JFrog Access verifies the ID Token from GitHub by utilizing a certificate supplied from GitHub's JSON Web Key (JWK).

  5. JFrog Access validates the claims in the ID token and the scope of the audience, and generates a short-lived access token that is available only for the duration that was configured when the identity mapping was created.

  6. JFrog Access sends the access token to the GitHub Actions workflow to successfully validate the operation that involves the JFrog Platform.
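
The claim checks in step 5, sketched as an added example; this is not JFrog Access code. The audience value, the mapping contents, the exact-match rule, and all function names are assumptions, and the token is a constructed, unsigned sample, so the signature verification in step 4 is assumed to have already passed.

```python
import base64, json, time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(jwt: str) -> dict:
    """Decode the payload segment only; the signature (step 4) must already be verified."""
    _header, payload, _signature = jwt.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def validate_claims(claims: dict, mapping: dict, audience: str, now=None) -> list:
    """Return the names of the claims that failed; an empty list means accept."""
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != GITHUB_ISSUER:
        errors.append("iss")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        errors.append("aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        errors.append("exp")
    # Assumption of this sketch: every mapped claim must be present and match exactly.
    for name, expected in mapping.items():
        if claims.get(name) != expected:
            errors.append(name)
    return errors

def make_sample_token(claims: dict) -> str:
    """Constructed sample token with a dummy signature; not a real GitHub token."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url(b'constructed-signature')}"

NOW = 1_700_000_000  # fixed clock so the sample is reproducible
SAMPLE = {  # constructed claims in the shape GitHub issues
    "iss": GITHUB_ISSUER, "aud": "jfrog-github", "exp": NOW + 300,
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "repository": "example-org/example-repo", "ref": "refs/heads/main",
}
MAPPING = {"repository": "example-org/example-repo", "ref": "refs/heads/main"}

if __name__ == "__main__":
    good = make_sample_token(SAMPLE)
    print(validate_claims(decode_claims(good), MAPPING, "jfrog-github", now=NOW))
    other = make_sample_token({**SAMPLE, "repository": "other-org/example-repo"})
    print(validate_claims(decode_claims(other), MAPPING, "jfrog-github", now=NOW))
```

A mapping that pins only `repository` would also accept tokens minted for any branch of that repository, which is why the sample mapping pins `ref` as well.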

Configure JFrog OIDC Integration with GitHub Actions

  1. Navigate to the Administration tab in the JFrog Platform UI.

  2. Click General | Manage Integrations.

    The Integrations page appears.

  3. Click New Integration | OpenID Connect.

    The OIDC Integration page appears.

  4. Select GitHub as the provider type.