Create an Identity Mapping



Description: Creates an identity mapping for an OIDC configuration.

Since: Artifactory 7.x.x

Security: Requires a valid admin token

Usage: POST /access/api/v1/oidc/{provider_name}/identity_mappings {identity mapping configuration JSON}

The JSON record must have the following fields.

  • name - Mandatory. Name of the identity mapping.

  • description - The description of the identity mapping.

  • provider_name - Mandatory. Name of the OIDC configuration.

  • priority - The priority of the identity mapping.

    The priority should be a number. A lower number means a higher priority. If you do not enter a value, the identity mapping is assigned the lowest priority.

    We recommend that you assign the highest priority (1) to the strongest permission gate and the lowest priority to the weakest permission, which gives a logical and effective access control setup.

  • claims - Mandatory. Claims information from the OIDC provider.

    • sub

    • workflow_ref

  • token_spec - Mandatory. Specifications of the token.

    • username - Optional. User name of the OIDC user.

    • scope - Mandatory if you do not provide the username. Scope of the token. You can use applied-permissions/user, applied-permissions/admin, or applied-permissions/group.

    • audience - Optional. Sets the JFrog services to which the mapping applies. Default value is *@*, which applies to all services.

    • expires_in - Optional. Token expiry time in seconds. Default value is 3600.

Produces: text/plain

Sample Usage

curl -X POST -H "Content-type: application/json" \
     -H "Authorization: Bearer cOENUdUxv" \
     "https://<JFROG_PLATFORM_URL>/access/api/v1/oidc/github-oidc/identity_mappings" -d \
'{
    "name": "github-repo-read",
    "provider_name": "github-oidc",
    "claims": {
        "sub": "repo:mosheya/access-oidc-poc:ref:refs/heads/main",
        "workflow_ref": "mosheya/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main"
    },
    "token_spec": {
        "username": "moshey",
        "scope": "applied-permissions/user",
        "audience": ["jfrt@service_id"],
        "expires_in": 3600
    }
}'
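
A pre-flight check of the field rules listed on this page, run over the page's sample mapping and a constructed loose one. This is an added example, not JFrog code: lint_identity_mapping, the choice of warnings, and the reading of priority as a whole number of 1 or more are assumptions.

```python
# Scope values this page lists for token_spec.scope.
SCOPES = ("applied-permissions/user", "applied-permissions/admin",
          "applied-permissions/group")

def lint_identity_mapping(mapping):
    """Return (errors, warnings) for one identity mapping dict."""
    errors, warnings = [], []
    for field in ("name", "provider_name", "claims", "token_spec"):
        if not mapping.get(field):
            errors.append(f"missing mandatory field: {field}")
    spec = mapping.get("token_spec") or {}
    scope = spec.get("scope")
    if scope is None:
        if not spec.get("username"):
            errors.append("token_spec needs scope when username is absent")
    elif not isinstance(scope, str) or not scope.startswith(SCOPES):
        errors.append(f"unexpected scope: {scope!r}")
    elif scope.startswith("applied-permissions/admin"):
        warnings.append("mapping issues admin-scoped tokens")
    # Assumption: priority is a whole number and 1 is the top value.
    prio = mapping.get("priority")
    if prio is None:
        warnings.append("priority not set: mapping gets the lowest priority")
    elif isinstance(prio, bool) or not isinstance(prio, int) or prio < 1:
        errors.append("priority should be a number, with 1 the highest")
    if "audience" not in spec:
        warnings.append("audience not set: default applies to all services")
    exp = spec.get("expires_in", 3600)  # 3600 is the documented default
    if isinstance(exp, bool) or not isinstance(exp, int) or exp <= 0:
        errors.append("expires_in should be a positive number of seconds")
    return errors, warnings

# The sample mapping from this page.
PAGE_SAMPLE = {
    "name": "github-repo-read", "provider_name": "github-oidc",
    "claims": {"sub": "repo:mosheya/access-oidc-poc:ref:refs/heads/main",
               "workflow_ref": "mosheya/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main"},
    "token_spec": {"username": "moshey", "scope": "applied-permissions/user",
                   "audience": ["jfrt@service_id"], "expires_in": 3600}}
# Constructed input: admin scope, no username, audience or priority.
LOOSE_SAMPLE = {
    "name": "ci-any", "provider_name": "github-oidc",
    "claims": {"sub": "repo:example-org/example-repo:ref:refs/heads/main"},
    "token_spec": {"scope": "applied-permissions/admin"}}

if __name__ == "__main__":
    for m in (PAGE_SAMPLE, LOOSE_SAMPLE):
        print(m["name"], *lint_identity_mapping(m), sep="\n  ")
```

Errors are payloads that break the field rules above; warnings are valid payloads that deserve a second look before an admin token is used to create them.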