Create an Identity Mapping

JFrog REST APIs

Description: Creates an identity mapping for an OIDC configuration.

Since: Artifactory Cloud 7.73.1, Artifactory Self Hosted 7.77.3.

Security: Requires a valid admin token

Usage: POST /access/api/v1/oidc/{provider_name}/identity_mappings {identity mapping configuration JSON}

Produces: application/json

Parameters:

The JSON record contains the following fields (Name, Type, Description, Required):

name (string) - Mandatory
  Name of the identity mapping.

description (string) - Optional
  The description of the identity mapping.

provider_name (string) - Mandatory
  Name of the OIDC configuration, that is, the OIDC provider that will connect with the JFrog Platform. This name must match the name configured in the OIDC provider. The provider name is an integral part of identifying the provider when it requests an access token from the JFrog Platform.

priority (integer) - Mandatory
  The priority of the identity mapping, given as a number: the lower the number, the higher the priority. If you do not enter a value, the identity mapping is assigned the lowest priority. We recommend that you assign the highest priority (1) to the strongest permission gate and the lowest priority to the weakest permission, for a logical and effective access control setup.

claims (object) - Mandatory
  Claims information from the OIDC provider; for more information, see JSON Claims. Starting from Artifactory 7.94.1, you can enter multiple values and wildcard values in JSON claims; for more information, see Multiple Values in JSON Claims and Wildcard Values in JSON Claims.
  Should contain the following:
    • sub
    • workflow_ref

token_spec (object) - Mandatory
  Contains the following token specifications:
    • username - User name of the OIDC user. Optional.
    • scope - Scope of the token. Mandatory if you do not provide the user.
      • You can use applied-permissions/user, applied-permissions/admin, applied-permissions/groups, or applied-permissions/roles. For more information, see Applied Permission Scopes.
      • You can also use dynamic mapping to select usernames and groups according to a pattern; for more information, see Dynamic Mapping.
    • audience - Sets the JFrog services to which the mapping applies. Default value is @, which applies to all services. Optional.
    • expires_in - Token expiry time in seconds. Default value is 3600. Optional.

Header parameter: Authorization: Bearer. For more information about creating tokens, see Create Token.
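A client-side check of the field rules listed above, written as an added example rather than JFrog's own code: it reports which documented rules a request body violates (mandatory fields, the allowed scope values, the expected claims, scope required when no username is given), fills in the documented defaults for audience and expires_in, orders mappings the way the priority rule describes, and posts a valid body with urllib. The function names, the base_url argument and the use of urllib are assumptions.

```python
import json
import urllib.request

REQUIRED_CLAIMS = ("sub", "workflow_ref")
ALLOWED_SCOPES = ("applied-permissions/user", "applied-permissions/admin",
                  "applied-permissions/groups", "applied-permissions/roles")

def identity_mapping_problems(body):
    """Return the documented field rules this request body violates (empty list = OK)."""
    problems = []
    for field in ("name", "provider_name", "claims", "token_spec"):
        if not body.get(field):
            problems.append(f"{field} is mandatory")
    prio = body.get("priority")
    if prio is not None and (not isinstance(prio, int) or isinstance(prio, bool)):
        problems.append("priority must be an integer (lower number = higher priority)")
    claims = body.get("claims") or {}
    for claim in REQUIRED_CLAIMS:
        if claim not in claims:
            problems.append(f"claims should contain '{claim}'")
    spec = body.get("token_spec") or {}
    if not any(k in spec for k in ("username", "username_pattern", "scope")):
        problems.append("token_spec.scope is mandatory when no username is given")
    scope = spec.get("scope")
    if scope is not None and not str(scope).startswith(ALLOWED_SCOPES):
        problems.append(f"unsupported scope '{scope}'")
    return problems

def with_documented_defaults(token_spec):
    """Fill in the defaults the page documents: audience '@' (all services), expires_in 3600."""
    spec = dict(token_spec)
    spec.setdefault("audience", "@")
    spec.setdefault("expires_in", 3600)
    return spec

def order_by_priority(mappings):
    """Evaluation order per the docs: lower number wins; a missing priority is the lowest."""
    return sorted(mappings, key=lambda m: (m.get("priority") is None, m.get("priority") or 0))

def create_identity_mapping(base_url, admin_token, body, timeout=30):
    """POST the body to /access/api/v1/oidc/{provider_name}/identity_mappings with an admin token."""
    problems = identity_mapping_problems(body)
    if problems:
        raise ValueError("; ".join(problems))
    url = f"{base_url}/access/api/v1/oidc/{body['provider_name']}/identity_mappings"
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {admin_token}"}
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST", headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read() or b"null")
```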

Sample Request:

{
  "name": "github-repo-read",
  "provider_name": "github-oidc",
  "projectKey": "projectkey",
  "claims": {
    "sub": "repo:johnf/access-oidc-poc:ref:refs/heads/main",
    "workflow_ref": "johnf/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main"
  },
  "token_spec": {
    "username": "johnf",
    "scope": "applied-permissions/user",
    "audience": ["jfrt@service_id"],
    "expires_in": 3600,
    "username_pattern": "{{actor}}"
  }
}

Sample Usage

Example with a user:

curl -X POST -H "Content-type: application/json" \
     -H "Authorization: Bearer cOENUdUxv" \
     https://example.jfrog.io/access/api/v1/oidc/{provider_name}/identity_mappings -d '{
       "name": "github-repo-read",
       "provider_name": "github-oidc",
       "claims": {
         "sub": "repo:johnf/access-oidc-poc:ref:refs/heads/main",
         "workflow_ref": "johnf/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main"
       },
       "token_spec": {
         "username": "johnf",
         "scope": "applied-permissions/user",
         "audience": ["jfrt@service_id"],
         "expires_in": 3600
       }
     }'

Example with a group:

curl -X POST -H "Content-type: application/json" \
     -H "Authorization: Bearer cOENUdUxv" \
     https://example.jfrog.io/access/api/v1/oidc/{provider_name}/identity_mappings -d '{
       "name": "github-repo-read",
       "provider_name": "github-oidc",
       "claims": {
         "sub": "repo:johnf/access-oidc-poc:ref:refs/heads/main",
         "workflow_ref": "johnf/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main"
       },
       "token_spec": {
         "scope": "applied-permissions/groups:readers",
         "audience": ["jfrt@service_id"],
         "expires_in": 3600
       }
     }'

Example with dynamic user mapping (see Dynamic Mapping):

curl -X POST -H "Content-type: application/json" \
     -H "Authorization: Bearer cmd" \
     https://example.jfrog.io/access/api/v1/oidc/oidc-sample/identity_mappings -d '{
       "name": "github-repo-read",
       "description": "mapping example",
       "claims": {
         "workflow": "example-workflow",
         "sub": "repo:octo-org/octo-repo:environment:prod"
       },
       "token_spec": {
         "scope": "applied-permissions/user",
         "audience": "audience",
         "expires_in": 100,
         "username_pattern": "{{actor}}"
       },
       "priority": 0
     }'

Example with dynamic group mapping (see Dynamic Mapping):

curl -X POST -H "Content-type: application/json" \
     -H "Authorization: Bearer cmd" \
     https://example.jfrog.io/access/api/v1/oidc/oidc-sample/identity_mappings -d '{
       "name": "github-repo-read",
       "description": "mapping example",
       "claims": {
         "workflow": "example-workflow",
         "sub": "repo:octo-org/octo-repo:environment:prod"
       },
       "token_spec": {
         "username": "username",
         "scope": "applied-permissions/user",
         "audience": "audience",
         "expires_in": 100,
         "groups_pattern": "{{group}}"
       },
       "priority": 0
     }'

Example with a multiple-values claim (see Multiple Values in JSON Claims):

curl -X POST -H "Content-type: application/json" \
     -H "Authorization: Bearer cmd" \
     https://example.jfrog.io/access/api/v1/oidc/oidc-sample/identity_mappings -d '{
       "name": "github-multi-claims",
       "description": "mapping example",
       "claims": {
         "workflow": "example-workflow",
         "sub": "repo:octo-org/octo-repo:environment:prod",
         "repository": ["jfrog/jfrog-cli", "jfrog/artifactory-client-java", "jfrog/setup-jfrog-cli", "artifactory/**"]
       },
       "token_spec": {
         "scope": "applied-permissions/user",
         "audience": "audience",
         "expires_in": 100,
         "username_pattern": "{{actor}}"
       },
       "priority": 0
     }'

Example with a wildcard claim (see Wildcard Values in JSON Claims):

curl -X POST -H "Content-type: application/json" \
     -H "Authorization: Bearer cmd" \
     https://example.jfrog.io/access/api/v1/oidc/oidc-sample/identity_mappings -d '{
       "name": "github-wild-card",
       "description": "mapping example",
       "claims": {
         "workflow": "example-workflow",
         "sub": "repo:octo-org/octo-repo:environment:prod",
         "repository": "jfrog/*"
       },
       "token_spec": {
         "scope": "applied-permissions/user",
         "audience": "audience",
         "expires_in": 100,
         "username_pattern": "{{actor}}"
       },
       "priority": 0
     }'