Integration of JFrog OIDC with Azure DevOps

JFrog Platform Administration Documentation


This guide walks you through the process of configuring OpenID Connect (OIDC) integration between JFrog and Azure DevOps. This integration allows JFrog to trust the Azure DevOps identity provider and authenticate users and pipelines securely via short-lived tokens.

This guide contains the following steps:

  • Step 1: Configure the Service Connection in Azure DevOps
  • Step 2: Configure OpenID Connect Integration and Identity Mappings in the JFrog Platform
  • Optional: Use OIDC Output Variables in Pipelines

Step 1: Configure the Service Connection in Azure DevOps

Before setting up the integration in JFrog, you need to create a Service Connection in Azure DevOps to obtain the necessary information, such as the Organization GUID and token issuer URL. For more information, see the Azure Documentation.

  1. In Azure DevOps, go to Project settings > Service connections

  2. Click New service connection, select JFrog Platform as the type of service connection, and click Next

  3. In the Authentication method field, select OpenID Connect Integration

  4. Enter the following information in the module fields:

    1. In the Server URL field, enter your full JFrog domain URL: for example, https://my.jfrog.io/

    2. In the OpenID Connect Provider Name field, enter a name you will later use in the JFrog integration: for example, azure-oidc

    3. In the Platform URL field, enter your JFrog Platform base URL: for example, https://my.jfrog.io/

    4. (Optional) In the Service Connection Name field, enter a name for the connection. This name becomes the last segment of the token's sub claim (sc://<DevopsOrgName>/<ProjectName>/<ServiceConnectionName>), so it must match the sub-claim pattern you use in your identity mapping.

  5. Run a pipeline that uses this service connection. Even if the run fails, the pipeline log contains the values needed for the next steps. Look in the pipeline logs and copy the following values:

    OIDC Token Issuer: https://vstoken.dev.azure.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    OIDC Token Subject: sc://<DevopsOrgName>/<ProjectName>/<ServiceConnectionName>
    OIDC Token Audience: api://AzureADTokenExchange

    Note

    Do not log the full ID token or access token. However, it is safe to log claims like sub, aud, or iss for debugging.

Step 2: Configure OpenID Connect Integration and Identity Mappings in the JFrog Platform

Now that you have the values from the pipeline output, you can create the integration and identity mappings in JFrog.

  1. Log in to your JFrog instance as an administrator

  2. Navigate to: Administration > General Management > Manage Integrations

  3. Click New Integration, and select OpenID Connect from the drop-down menu.

  4. Enter the following values in the module fields:

    1. In the Provider Name field, enter the same name you entered in the OpenID Connect Provider Name field in Azure DevOps: for example, azure-oidc

    2. In the Provider Type field, select Azure from the drop-down menu

    3. (Optional) In the Description field, enter a description for the integration

    4. In the Provider URL field, enter your Azure DevOps URL: for example, https://vstoken.dev.azure.com/{ORG_GUID}

    5. In the Audience field, enter: api://AzureADTokenExchange

    6. Leave the Token Issuer field blank, unless you are using a custom token issuer.

  5. With the integration in place, define Identity Mappings to authorize specific Azure DevOps service connections and projects. To do so, select the Administration module, and then select General Management > Manage Integrations.

  6. Select the Integration you have created, click the option menu to the right, and select + Create Identity Mapping from the drop-down menu.

    1. Fill in the module fields (for more information, see Identity Mappings).

    2. In the Claims JSON field, create the identity mapping based on the ID token from Azure DevOps, which has the following structure:

      {
        "jti": "<guid>",
        "sub": "sc://<DevopsOrgName>/<ProjectName>/<ServiceConnectionName>",
        "aud": "api://AzureADTokenExchange",
        "iss": "https://vstoken.dev.azure.com/<ORG_GUID>"
      }
      

      Create the identity mapping in the Claims JSON field based on the "sub" claim, and use wildcards (*) where appropriate.


      For example:

      • The mapping sc://MyOrg/MyProject/MyConnection would allow access to the MyProject project

      • The mapping sc://MyOrg/*/MyConnection would match the MyConnection service connection in any project of MyOrg, so it allows access from all of those projects.
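      The following script is an added example and is not JFrog's or Azure DevOps' code. It ties Step 1 and Step 2 together: it builds a constructed, unsigned token with the claim structure shown above, extracts only the iss, aud and sub claims (the values the guide says are safe to log and that you copy into the Provider URL and Audience fields), and then evaluates identity-mapping Claims JSON against those claims. Assumptions: the sample token, organization GUID and names are made up; a `*` in a mapping value matches any run of characters (glob-style); and when a mapping lists several claims, every one of them must match. No signature is verified here, so this is for reasoning about mappings, not for trusting a token.

```python
import base64
import json
import re


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample claims mirroring the ID token structure in this guide.
# The GUID and names are placeholders, not real Azure DevOps values.
SAMPLE_CLAIMS = {
    "jti": "00000000-0000-0000-0000-000000000001",
    "sub": "sc://MyOrg/MyProject/MyConnection",
    "aud": "api://AzureADTokenExchange",
    "iss": "https://vstoken.dev.azure.com/11111111-2222-3333-4444-555555555555",
}

# Constructed unsigned JWT (alg "none", empty signature). A real token is
# signed by the issuer and must be verified before any claim is trusted.
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "",
])


def safe_claims(token: str) -> dict:
    """Return only the iss/aud/sub claims of a JWT payload.

    These are the values the guide allows in debug output; the token
    itself is never returned or printed. No signature check is performed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {k: claims[k] for k in ("iss", "aud", "sub") if k in claims}


def jfrog_integration_fields(claims: dict) -> dict:
    """Map the logged claims onto the JFrog OIDC integration fields of Step 2."""
    return {"Provider URL": claims["iss"], "Audience": claims["aud"]}


def pattern_to_regex(pattern: str) -> re.Pattern:
    # Assumption: '*' matches any run of characters; everything else is literal.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def mapping_matches(mapping: dict, claims: dict) -> bool:
    """True if every claim listed in the identity-mapping Claims JSON matches."""
    for claim, pattern in mapping.items():
        value = claims.get(claim)
        if value is None or not pattern_to_regex(pattern).match(value):
            return False
    return True


if __name__ == "__main__":
    claims = safe_claims(SAMPLE_TOKEN)
    print("Claims safe to log:", claims)
    print("JFrog fields:", jfrog_integration_fields(claims))
    for mapping in (
        {"sub": "sc://MyOrg/MyProject/MyConnection"},
        {"sub": "sc://MyOrg/*/MyConnection"},
        {"sub": "sc://MyOrg/*/OtherConnection"},
        {"sub": "sc://MyOrg/*/MyConnection", "aud": "api://SomethingElse"},
    ):
        print(mapping, "->", "matches" if mapping_matches(mapping, claims) else "no match")
```

      Run it as a plain script: the last mapping shows why adding the aud claim to the Claims JSON is a useful belt-and-braces check, since a sub pattern alone says nothing about which audience the token was minted for.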

Optional: Use OIDC Output Variables in Pipelines

When using OIDC authentication, the JFrog Azure DevOps tasks automatically export the following variables:

  • oidc_user

  • oidc_token

You can use these output variables in later pipeline steps. For example:

- task: JfrogCliV2@1
  name: jfStep            # the step name is needed to reference its output variables
  inputs:
    jfrogPlatformConnection: 'azure-oidc'
    command: 'jf rt ping'

- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      # Output variables of a named step are referenced as $(stepName.variable)
      echo "OIDC Username: $(jfStep.oidc_user)"
      # oidc_token is a credential: keep it in a variable for tools that need it
      # and do not echo it (see the note in Step 1)
      $token = "$(jfStep.oidc_token)"
      echo "OIDC token received, length: $($token.Length)"