The following diagram shows the workflow of the GitHub Actions OIDC integration with the JFrog Platform.
The GitHub Actions workflow requests an ID token from the GitHub OIDC provider when it reaches a step that connects to the JFrog Platform.
The GitHub OIDC provider issues a signed ID token (a JWT) whose claims, such as the repository, the ref, the workflow and the actor, establish a verifiable identity for the specific workflow run that is trying to authenticate.
The workflow sends the ID token to the JFrog Platform, where JFrog Access processes the request.
JFrog Access verifies the signature of the ID token with the public key published in GitHub's JSON Web Key Set (JWKS), selecting the key by the key ID (kid) carried in the token header.
JFrog Access validates the claims in the ID token, including that the audience (aud) claim matches the configured value and that the claims satisfy the identity mapping, and generates a short-lived access token that is valid only for the duration configured when you created the identity mapping.
JFrog Access returns the access token to the GitHub Actions workflow, which uses it to authenticate the operations it performs against the JFrog Platform.
Whenever your job runs, it requests an OIDC token from GitHub's OIDC provider (the job must have the id-token: write permission). This token contains multiple claims that establish a verifiable identity for the workflow run that is authenticating.
Include a step in your job that requests this token from GitHub's OIDC provider and sends it to the JFrog Platform. At this step, the JFrog Platform verifies the signature of the ID token using the public key published in GitHub's JSON Web Key Set (JWKS).
Once the JFrog Platform has validated the claims presented in the token, it issues a short-lived access token that is valid only for the duration configured when you created the identity mapping. Because every workflow run in a repository can obtain such an ID token, the claims you pin in the identity mapping (for example, the repository and the ref) determine which runs are allowed to exchange it.
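The following is an added example, not JFrog's or GitHub's code, of the relying-party steps described above: select the signing key from the issuer's JWKS by kid, verify the RS256 signature, validate the issuer, audience and validity window, match the claims against an identity mapping and only then mint a short-lived access token. The issuer URL, the JWKS shape and the claim names (aud, repository, ref) are GitHub's; the identity-mapping structure, the kid value, the "jfrog-github" audience and the 512-bit key generated inline to stand in for GitHub's signing key are assumptions made so the example runs offline.

```python
"""Relying-party side of the exchange: verify a GitHub Actions ID token against the issuer's JWKS,
validate its claims, apply an identity mapping and mint a short-lived access token. Example code,
not JFrog's implementation; the toy issuer exists only so the demo can sign a token offline."""
import base64, hashlib, hmac, json, secrets

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"  # GitHub's real OIDC issuer
# DigestInfo prefix for SHA-256 from RFC 8017 (EMSA-PKCS1-v1_5 encoding, which RS256 uses)
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(b: bytes) -> str: return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _byte_len(n: int) -> int: return (n.bit_length() + 7) // 8

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """PKCS#1 v1.5 signature encoding of SHA-256(message) for a k-byte modulus."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

# --- toy issuer standing in for GitHub's OIDC provider (assumed 512-bit key; real keys are 2048-bit)
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0: return n == p
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witness loop
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 512) -> dict:
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1  # odd, full bit length
            if _is_probable_prime(c): return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def jwks_for(key: dict, kid: str) -> dict:
    """Public half only, in the JWKS shape GitHub serves at /.well-known/jwks."""
    n, e = key["n"], key["e"]
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": b64url_encode(n.to_bytes(_byte_len(n), "big")), "e": b64url_encode(e.to_bytes(_byte_len(e), "big"))}]}

def sign_jwt(key: dict, kid: str, claims: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    k = _byte_len(key["n"])
    s = pow(int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big"), key["d"], key["n"])
    return signing_input + "." + b64url_encode(s.to_bytes(k, "big"))

# --- relying party: the role JFrog Access plays
class TokenRejected(Exception): pass

def verify_id_token(token: str, jwks: dict, expected_audience: str, now: int) -> dict:
    """Signature first, then issuer, audience and validity window. Returns the verified claims."""
    if token.count(".") != 2: raise TokenRejected("malformed JWT")
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise TokenRejected("unexpected alg")
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if key is None: raise TokenRejected("no JWKS entry for kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    k, sig = _byte_len(n), b64url_decode(s64)
    expected = _emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k)
    if len(sig) != k or not hmac.compare_digest(pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big"), expected):
        raise TokenRejected("signature does not verify against the issuer's key")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != GITHUB_ISSUER: raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("audience mismatch")
    if not claims.get("exp") or claims["exp"] <= now or claims.get("nbf", 0) > now:
        raise TokenRejected("token outside its validity window")
    return claims

def mint_access_token(claims: dict, mappings: list, now: int) -> dict:
    for m in mappings:  # identity mappings (assumed shape): every pinned claim must match exactly
        if all(claims.get(name) == value for name, value in m["claims"].items()):
            return {"mapping": m["name"], "scope": m["scope"], "expires_at": now + m["token_ttl_seconds"],
                    "access_token": b64url_encode(secrets.token_bytes(24))}
    raise TokenRejected("no identity mapping matches the presented claims")

def exchange(token: str, jwks: dict, expected_audience: str, mappings: list, now: int) -> dict:
    try:  # outcome of one token-exchange request as a dict, so callers can act on the reason
        return {"ok": True, **mint_access_token(verify_id_token(token, jwks, expected_audience, now), mappings, now)}
    except TokenRejected as err:
        return {"ok": False, "reason": str(err)}
```

In production, fetch the key set from https://token.actions.githubusercontent.com/.well-known/jwks, cache it by kid, and use a maintained JWT library rather than the hand-rolled RSA above; the arithmetic is here only so the exchange can be exercised end to end without network access. The part worth studying is the order of checks: a token from the same repository but a pull-request ref, a token minted for another audience, an expired token, a token under an unknown kid, and a token whose payload was edited after signing are all refused before any access token is issued, which is why the claims pinned in the identity mapping, not the repository alone, define who can obtain credentials.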
For a sample workflow, see Sample GitHub Actions Workflow YAML. For more information about setting up OIDC integration with GitHub Actions, see Sample Integration with GitHub.