JSON Claims

JFrog Platform Administration Documentation

Content Type
Administration / Platform
ft:sourceType
Paligo

The JSON Web tokens (JWT) used by OIDC and OAuth applications contain pieces of information about the user known as claims. A JSON Claim is information that an identity provider states about a user inside the token they issue for that user. These claims are used to

In an OIDC response, claims data is typically contained in the ID Token issued by the identity provider in the form of a JWT. Identity mappings contain JSON Claims that are used to provide token information.

JSON web token claims are pieces of information asserted about a Subject (user). For example, an ID token, which is always a JWT, can contain a claim called name that asserts that the name of the user undergoing authentication is "Sally Doe". In a JWT, a claim appears as a name/value pair where the name is always a string and the value can be any JSON value.

For example, the following JSON object contains three claims (sub, name, admin):

{
      "sub": "1234567890",
      "name": "Sally Doe",
      "admin": true
 }

The JWT specification defines seven reserved claims that are not required, but are recommended to allow interoperability with third-party applications. They include the following basic claims:

JSON Claim

Description

sub (subject)

Subject of the JWT (user’s identity)

iss (issuer)

Issuer of the JWT

aud (audience)

Recipient of the JWT

iat (issue time)

Time at which the JWT was issued; can be used to determine age of the JWT

exp (expiration time)

Time after which the JWT expires

nbf (not before time)

Time before which the JWT must not be accepted for processing

jti (JWT ID)

Unique identifier; can be used to prevent the JWT from being replayed (allows a token to be used only once)

For more information, see a list of OIDC standard user claims. See also a full list of JSON claims.

You can define your own custom claims which you control and you can add them to a token by configuring them in the identity mapping that you create for an OIDC integration.

When you configure your cloud to trust GitHub's OIDC provider, you must add conditions that filter incoming requests, so that untrusted repositories or workflows will not be able to request access tokens for your cloud resources. We strongly encourage people to set at least one claim in the identity mapping. If you don't add claims anyone that knows the service account to target can get access.

Before granting an access token, your cloud provider checks that the subject and other claims used to set conditions in its trust settings match those in the request's JSON Web Token (JWT). As a result, you must ensure you correctly define the subject and other conditions in your cloud provider. See also Security Hardening.

The OIDC trust configuration steps and the syntax to set conditions for cloud roles (using Subject and other claims) will vary depending on which cloud provider you're using. For some examples, see Example subject claims.

Multiple Values

From Artifactory version 7.94.1, multiple values are supported for JSON Claims. Identity mappings use JSON Claims to define the scope of generated access tokens. You can now define the scope of an access token for multiple values, for example for multiple repositories and environments.

Example

Following is an example of a JSON Claim definition for multiple repositories.

{
 "repository":["jfrog/jfrog-cli", "jfrog/artifactory-client-java", "jfrog/setup-jfrog-cli"]
}

Wildcard Values

Wildcard values are supported from Artifactory version 7.94.1 for JSON Claims. You can now define the scope of an access token using wildcard values, and can use both explicit and implied patterns.

Examples

Following are two examples of a JSON Claim definition for repositories using a wildcard.

{
  "repository": "jfrog/*"
}
{
  "repository": "jfrog/jfrog-cli/**"
}