Update OIDC Identity Mapping

JFrog REST APIs

Content Type
REST API
ft:sourceType
Paligo

Description: Updates an existing OIDC identity mapping.

Since: Artifactory Cloud 7.73.1, Artifactory Self Hosted 7.77.3. The project_key was added in Artifactory Cloud 7.94.

Security: Requires a valid admin token

Usage: PUT /access/api/v1/oidc {JSON with OIDC Configuration}

Produces: application/json

Header parameter: Authorization: Bearer. For more information about creating tokens, see Create Token.

Parameters:

The JSON record contains the following fields:

Name

Type

Description

Required

name

string

Name of the identity provider.

Mandatory

description

string

A meaningful description of the identity mapping

Optional

provider_name

string

Name of the OIDC configuration. The OIDC provider that will connect with the JFrog Platform. This name must match the name configured in the OIDC provider. The provider name serves as an integral part of the identification process when the provider initiates a request for an access token from the JFrog Platform.

Mandatory

priority

integer

The priority of the identity mapping. The priority should be a number. The higher priority is set for the lower number. If you do not enter a value, the identity mapping is assigned the lowest priority. We recommend that you assign the highest priority (1) to the strongest permission gate. Set the lowest priority to the weakest permission for a logical and effective access control setup.

Mandatory

claims

object

Claims information from the OIDC provider. Should contain the following:

  • sub

  • workflow_ref

Mandatory

token_spec

string

Contains the following token specifications:

  • username - User name of the OIDC user. Optional.

  • scope - Scope of the token. You can use applied-permissions/user, applied-permissions/admin, or applied-permissions/group,. You can specify the group name after the group. For example, applied-permissions/group:readers. Mandatory if you do not provide the user.

  • audience - Sets the JFrog services to which the mapping applies. Default value is @, which applies to all services. Optional.

  • expires_in - Token expiry time in seconds. Default value is 3600. Optional.

Mandatory

project_key

string

If set, this Identity Mapping will be available in the scope of the given project (editable by platform admin and project admin). If not set, this Identity Mapping will be global and only editable by platform admin. Once set, the projectKey cannot be changed.

Optional

Sample Usage with a User

curl -X PUT -H "Content-type: application/json" \
     -H "Authorization: Bearer cOENUdUxv" \ 
     https://example.jfrog.io/access/api/v1/oidc/{provider_name}/identity_mappings -d \
     {
	"name": "github-repo-read", 
	"provider_name": "github-oidc",
        "claims": { 
                    "sub": "repo:mosheya/access-oidc-poc:ref:refs/heads/main", 
                    "workflow_ref":  "mosheya/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main"
                  },
        "token_spec": {
			  "username": "moshey",
			  "scope": "applied-permissions/user"
                          "audience": ["jfrt@service_id"],
                          "expires_in": 3600
                      }
     }

Sample Usage with a Group

curl -X PUT -H "Content-type: application/json" \
     -H "Authorization: Bearer cOENUdUxv" \ 
     https://example.jfrog.io/access/api/v1/oidc/{provider_name}/identity_mappings -d \
     {
	"name": "github-repo-read", 
	"provider_name": "github-oidc",
        "claims": { 
                    "sub": "repo:mosheya/access-oidc-poc:ref:refs/heads/main", 
                    "workflow_ref":  "mosheya/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main"
                  },
        "token_spec": {
			  "scope": "applied-permissions/group:readers"
                          "audience": ["jfrt@service_id"],
                          "expires_in": 3600
                      }
     }