
Conversation

EyalDelarea
Contributor

@EyalDelarea EyalDelarea commented Mar 27, 2025

  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....

Summary

This PR introduces OIDC token exchange support to the JFrog CLI. It enables users running in CI environments to authenticate using OIDC tokens provided by the platform (e.g., GitHub Actions) and securely configure JFrog CLI without storing long-lived credentials.


📌 New Features

1. jf c add – Configure a JFrog Server via OIDC (for CI/CD use)

You can now configure a JFrog CLI server using an OIDC provider in CI environments only (non-interactive mode). This supports GitHub, Azure, or any general OIDC provider.

✅ Example (non-interactive-only):
jf c add \
  --url=https://ecosysjfrog.jfrog.io \
  --oidc-provider-name=setup-jfrog-cli-test \
  --interactive=false

Make sure the following environment variable is injected:

export JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID=<your_oidc_token>
🧪 CI Workflow

The .github/workflows/oidcTests.yml workflow automatically:

  • Retrieves a GitHub Actions OIDC token.
  • Runs jf c add with OIDC flags.
  • Executes jf rt ping to validate the token.

Name:
  jf c add - Adds a server configuration.

Usage:
  jf config add
  jf config add <server ID>
  
Options:
  --access-token              [Optional] JFrog Platform access token.
  --access-token-stdin        [Default: false] Set to true if you'd like to provide the access token via stdin.
  --application-key value     [Optional] JFrog ApplicationKey Key
  --artifactory-url           [Optional] JFrog Artifactory URL. (example: https://acme.jfrog.io/artifactory)
  --basic-auth-only           [Default: false] Set to true to disable replacing username and password/API key with an automatically created access token that's refreshed hourly. Username and password/API key will still be used with commands which use external tools or the JFrog Distribution service. Can only be passed along with username and password/API key options.
  --client-cert-key-path      [Optional] Private key file for the client certificate in PEM format.
  --client-cert-path          [Optional] Client certificate file in PEM format.
  --distribution-url          [Optional] JFrog Distribution URL. (example: https://acme.jfrog.io/distribution)
  --enc-password              [Default: true] If set to false then the configured password will not be encrypted using Artifactory's encryption API.
  --insecure-tls              [Default: false] Set to true to skip TLS certificates verification, while encrypting the Artifactory password during the config process.
  --interactive               [Default: true, unless $CI is true] Set to false if you do not want the config command to be interactive. If true, the --url option becomes optional.
  --mission-control-url       [Optional] JFrog Mission Control URL. (example: https://acme.jfrog.io/mc)
  --oidc-audience value       [Optional] The audience for the OIDC token.
  --oidc-provider-name value  [Optional] The OIDC provider to be used for the token exchange.
  --oidc-provider-type value  [Default: GitHub] The type of the OIDC provider.
  --oidc-token-id value       [Optional] The ID of the OIDC token to be exchanged.
  --overwrite                 [Default: false] Overwrites the instance configuration if an instance with the same ID already exists.
  --password                  [Optional] JFrog Platform password or API key.
  --password-stdin            [Default: false] Set to true if you'd like to provide the password via stdin.
  --pipelines-url             [Optional] JFrog Pipelines URL. (example: https://acme.jfrog.io/pipelines)
  --ssh-key-path              [Optional] SSH key file path.
  --ssh-passphrase            [Optional] SSH key passphrase.
  --url                       [Optional] JFrog platform URL. (example: https://acme.jfrog.io)
  --user                      [Optional] JFrog Platform username.
  --xray-url                  [Optional] JFrog Xray URL. (example: https://acme.jfrog.io/xray)
  


2. jf eot <platformUrl> <oidc-provider-name> <oidc-token-id> – Exchange OIDC Token for Access Token

A new CLI command to directly exchange an OIDC token for a short-lived JFrog access token.

✅ Example:
jf eot \
   https://ecosysjfrog.jfrog.io \
   setup-jfrog-cli-test \
   $JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID
📤 Output:
{ AccessToken: **** Username: **** }
  • Supports optional metadata: audience, project, application key, repository.
Name:
  jf eot - Exchanges a token ID from an OIDC provider with a JFrog server to a valid access token and returns the access token and the username.

Usage:
  jf eot <platformUrl> <oidc-provider-name> <oidc-token-id> [--oidc-audience <audience>] [--oidc-provider-type <type>] [--application-key <key>] [--project <project>] [--repository <repository>]
  
Arguments:
    platformUrl (mandatory)
      The URL of the platform where the OIDC token exchange will take place.
      
    oidc-provider-name (mandatory)
      The provider name.

    oidc-token-id (mandatory)
      The ID of the OIDC token to be exchanged.



Options:
  --application-key value     [Optional] JFrog ApplicationKey Key
  --oidc-audience value       [Optional] The audience for the OIDC token.
  --oidc-provider-type value  [Default: GitHub] The type of the OIDC provider.
  --project                   [Optional] JFrog Artifactory project key.
  --repository                [Mandatory] Repository name to filter resource.
  --url                       [Optional] JFrog Artifactory URL. (example: https://acme.jfrog.io/artifactory)


🧪 Tests

  • ✅ Unit test TestOidcExchangeToken verifies the output of eot is correctly masked.
  • ✅ End-to-end GitHub Actions tests added (oidcTests.yml) across Linux, Windows, and macOS.
  • 🔁 Existing accessTests.yml updated to inject GitHub OIDC token for full flow validation.

🔗 Dependencies

This PR depends on:

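The flow above hands whatever sits in JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID to `jf c add` or `jf eot` and lets the JFrog server verify it. The check a practitioner usually wants in the pipeline, before that step, is that the runner-issued token actually carries the issuer, audience and repository the JFrog identity mapping was configured for, and has not expired, so a mis-scoped token fails loudly in the workflow rather than as an opaque exchange error. The following Go program is an added example, not code from this PR or from the jfrog-cli project. It decodes the token payload without verifying the signature (signature verification stays with the JFrog Access service) and compares the standard GitHub Actions claims; the audience value `jfrog-github`, the repository `acme/widgets`, the subject string and the unsigned sample token are all constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Issuer of every GitHub Actions OIDC token; a provider of type GitHub
// should never be handed a token from anywhere else.
const githubIssuer = "https://token.actions.githubusercontent.com"

// OIDCClaims are the claims a JFrog identity mapping is normally matched on.
// GitHub issues `aud` as a single string, which is what is modelled here.
type OIDCClaims struct {
	Issuer     string `json:"iss"`
	Subject    string `json:"sub"`
	Audience   string `json:"aud"`
	Repository string `json:"repository"`
	Expiry     int64  `json:"exp"`
}

// decodePayloadUnverified decodes the payload segment of a compact JWS without
// verifying the signature; the JFrog Access service verifies it against the
// provider's JWKS during the exchange. This is a cheap pre-flight only.
func decodePayloadUnverified(token string) (*OIDCClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS: expected header.payload.signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c OIDCClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("payload is not a JSON claim set: %w", err)
	}
	return &c, nil
}

// preflight rejects a token whose issuer, audience, repository or expiry do
// not match what the JFrog-side identity mapping is expected to require, so
// the failure surfaces before `jf c add` or `jf eot` is run with the token.
func preflight(token, wantAud, wantRepo string, now time.Time) (*OIDCClaims, error) {
	c, err := decodePayloadUnverified(token)
	if err != nil {
		return nil, err
	}
	if c.Issuer != githubIssuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Issuer)
	}
	if c.Audience != wantAud {
		return nil, fmt.Errorf("aud %q is not the expected audience %q", c.Audience, wantAud)
	}
	if c.Repository != wantRepo {
		return nil, fmt.Errorf("token minted for repository %q, not %q", c.Repository, wantRepo)
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, errors.New("token already expired; request a fresh one from the runner")
	}
	return c, nil
}

// sampleToken builds a constructed, unsigned GitHub-style token (placeholder
// signature segment) so the checks above can be exercised offline.
func sampleToken(exp int64) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	claims := map[string]interface{}{
		"iss": githubIssuer, "sub": "repo:acme/widgets:ref:refs/heads/main",
		"aud": "jfrog-github", "repository": "acme/widgets", "exp": exp,
	}
	sig := base64.RawURLEncoding.EncodeToString([]byte("placeholder-signature"))
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "." + sig
}

func main() {
	now := time.Unix(1700000000, 0)
	tok := sampleToken(now.Unix() + 300)
	_, okErr := preflight(tok, "jfrog-github", "acme/widgets", now)
	_, badErr := preflight(tok, "other-audience", "acme/widgets", now)
	fmt.Println("matching audience:", okErr, "| wrong audience:", badErr)
}
```

In a real workflow the token would come from the runner's ID token endpoint rather than `sampleToken`, `wantAud` would be the same value passed as `--oidc-audience`, and only a token that passes `preflight` would be exported as JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID. The check is deliberately unverified decoding: it narrows what reaches the exchange, it does not replace the server-side signature and mapping checks.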
@EyalDelarea EyalDelarea added the new feature Automatically generated release notes label Mar 27, 2025
@EyalDelarea EyalDelarea added the safe to test Approve running integration tests on a pull request label Apr 6, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Apr 6, 2025

github-actions bot commented Apr 6, 2025

👍 Frogbot scanned this pull request and did not find any new security issues.


@EyalDelarea EyalDelarea merged commit a50d0cd into jfrog:dev Apr 6, 2025
13 of 14 checks passed
@EyalDelarea EyalDelarea changed the title Add OIDC Authentication & Token Exchange Support Add Config OIDC Authentication & Token Exchange Support Apr 8, 2025