OIDC Token Exchange

JFrog REST APIs


Description: Exposes the token endpoint to retrieve a temporary access token. The scope of the token is determined using identity mappings.

Since: Artifactory Cloud 7.73.1, Artifactory Self Hosted 7.77.3

Security: Requires a valid admin token

Usage: POST /access/api/v1/oidc/token {JSON with token information}

Produces: application/json

Header parameter: Authorization: Bearer. For more information about creating tokens, see Create Token.

Parameters:

The JSON record contains the following fields:

| Name | Type | Description |
|---|---|---|
| provider_name | string | Name of the provider |
| description | string | The description of the identity mapping |
| provider_type | string | The provider type, such as GitHub, Azure, or Generic OpenID Connect. |
| issuer_url | integer | OIDC issuer URL. For GitHub Actions, the URL is https://token.actions.githubusercontent.com/. |
| audience | string | Informational field that you can use to include details of the audience that uses the OIDC configuration |
| project_key | string | If set, this Identity Mapping will be available in the scope of the given project (editable by the platform admin and project admin). If not set, this Identity Mapping will be global and only editable by platform admin. Once set, the projectKey cannot be changed. Optional. |

Sample Usage

curl -X POST -H "Content-type: application/json" \
     -H "Authorization: Bearer cOENUdUxv" \
     https://example.jfrog.io/access/api/v1/oidc/token -d \
     '{"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
       "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
       "subject_token": "<ID_TOKEN>",
       "provider_name": "github-oidc",
       "project_key": "jfac"}'