Skip to content

Commit b244122

Browse files
EyalDelareaEyalDelarea
authored
Add config OIDC docs (#197)
1 parent d579673 commit b244122

File tree

1 file changed

+92
-1
lines changed

1 file changed

+92
-1
lines changed

jfrog-applications/jfrog-cli/get-started/configurations/jfrog-platform-configuration.md

+92-1
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,8 @@ jf atc toad
5151

5252
## Adding and Editing Configured Servers
5353

54-
The **config add** and **config edit** commands are used to add and edit JFrog Platform server configuration, stored in JFrog CLI's configuration storage. These configured servers can be used by the other commands. The configured servers' details can be overridden per command by passing in alternative values for the URL and login credentials. The values configured are saved in file under the JFrog CLI home directory.
54+
The **config add** and **config edit** commands are used to add and edit JFrog Platform server configuration, stored in JFrog CLI's configuration storage. These configured servers can be used by the other commands. The configured servers' details can be overridden per command by passing in alternative values for the URL and login credentials. The values configured are saved in a file under the JFrog CLI home directory.
55+
5556

5657
| | |
5758
|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -74,9 +75,45 @@ The **config add** and **config edit** commands are used to add and edit JFrog P
7475
| `--user` | <p>[Optional]</p><p>JFrog Platform username.</p> |
7576
| `--xray-url` | \[Optional] Xray URL. (example: https://acme.jfrog.io/xray) |
7677
| `--overwrite` | <p>[Available for <em>config add</em> only]<br>[Default: false]<br>Overwrites the instance configuration if an instance with the same ID already exists.</p> |
78+
| `--oidc-provider-name` | <p>[Optional]</p><p>OIDC provider name for CI authentication.</p> |
79+
| `--oidc-provider-type` | <p>[Default: GitHub]</p><p>OIDC provider type (e.g., GitHub, Azure).</p> |
80+
| `--oidc-token-id` | <p>[Optional]</p><p>The OIDC token ID to use for authentication.</p> |
81+
| `--oidc-audience` | <p>[Optional]</p><p>Audience for the OIDC token.</p> |
82+
| `--application-key` | <p>[Optional]</p><p>JFrog Application Key to associate with the authentication.</p> |
7783
| **Command arguments:** | |
7884
| server ID | A unique ID for the server configuration. |
7985

86+
### Adding a Server with OIDC Authentication
87+
88+
Starting from version 2.75.0, jf c add supports authentication using OIDC.
89+
90+
This is used internally when using the CLI inside a CI/CD pipeline, where the OIDC token is provided by the CI/CD system (e.g., GitHub Actions).
91+
92+
Also note that the integration needs to be defined in the platform before running the command.
93+
94+
#### 🔒 Important Notes about OIDC Authentication:
95+
96+
Before executing the command, ensure that an OIDC integration has been set up on the platform. For more details, refer to the [OIDC Integration](https://www.jfrog.com/confluence/display/JFROG/OIDC+Integration) documentation.
97+
98+
OIDC tokens are short-lived and ⚠️**do not support refresh**⚠️.
99+
OIDC access tokens are not renewable. They are intended for one-time use during CI pipelines and do not have an automatic refresh mechanism like other tokens. Consequently, the authentication will only be valid for the duration of the pipeline or until the token expires.
100+
101+
This functionality is primarily designed for CI/CD pipelines use.
102+
103+
##### Example :
104+
⚠️ **OIDC authentication must be used in non-interactive mode. Ensure --interactive=false is set.**
105+
```
106+
jf c add \
107+
--url=https://platform.jfrog.io \
108+
--oidc-provider-name=setup-jfrog-cli-test \
109+
--interactive=false
110+
```
111+
112+
Make sure the following environment variable is injected:
113+
```
114+
export JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID=<your_oidc_token>
115+
```
116+
80117
## Removing Configured Servers
81118

82119
The _config remove_ command is used to remove JFrog Platform server configuration, stored in JFrog CLI's configuration storage.
@@ -166,3 +203,57 @@ Starting from version 2.36.0, JFrog CLI also supports encrypting sensitive data
166203
2. Store the key in an environment variable named **JFROG_CLI_ENCRYPTION_KEY**.
167204
168205
The configuration will be encrypted the next time JFrog CLI attempts to access the config. If you have configurations already stored before setting the environment variable, you'll need to reconfigure the servers stored in the config.
206+
207+
208+
---
209+
210+
211+
212+
### Exchanging OIDC Token for Access Token
213+
214+
The `exchange-oidc-token` (alias: `eot`) command is used to exchange an OIDC token (such as those provided by GitHub Actions or other CI systems) for a JFrog Platform access token and associated username. This is useful in automation workflows where credentials must be derived securely via an identity provider.
215+
216+
#### 🔒 Important Notes about OIDC Authentication:
217+
218+
Before executing the command, ensure that an OIDC integration has been set up on the platform.
219+
For more details,
220+
refer to the [JFrog OIDC Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration) documentation.
221+
222+
OIDC tokens are short-lived and ⚠️**do not support refresh**⚠️.
223+
OIDC access tokens are not renewable. They are intended for one-time use during CI pipelines and do not have an automatic refresh mechanism like other tokens. Consequently, the authentication will only be valid for the duration of the pipeline or until the token expires.
224+
225+
✅ This command can be used independently, or indirectly through `jf c add` when the required environment variables are set.
226+
227+
| | |
228+
|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
229+
| Command name | exchange-oidc-token |
230+
| Abbreviation | eot |
231+
| **Command arguments:** | |
232+
| `oidc-provider-name` | <p>[Mandatory]</p><p>The name of the OIDC provider.</p> |
233+
| `oidc-token-id` | <p>[Mandatory]</p><p>The OIDC token (JWT) issued by the CI provider. This is typically retrieved from a CI environment variable such as GitHub’s `ACTIONS_ID_TOKEN`.</p> |
234+
| **Command options:** | |
235+
| `--platformUrl` | <p>[Mandatory]</p><p>The URL of the JFrog Platform instance. Mandatory if no config is already present</p> |
236+
| `--oidc-audience` | <p>[Optional]</p><p>The audience for the OIDC token.</p> |
237+
| `--oidc-provider-type` | <p>[Optional, default: GitHub]</p><p>The type of provider (e.g. GitHub).</p> |
238+
| `--application-key` | <p>[Optional]</p><p>JFrog Application key for attribution.</p> |
239+
| `--project` | <p>[Optional]</p><p>Project key (if applicable).</p> |
240+
| `--repository` | <p>[Optional]</p><p>Source code repository name.</p> |
241+
242+
### Example
243+
244+
```
245+
jf eot \
246+
https://platform.jfrog.io \
247+
$JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID \
248+
my-integration-name \
249+
--oidc-audience=my-audience \
250+
--oidc-provider-type=GitHub \
251+
--application-key=my-app-key \
252+
--project=my-project \
253+
--repository=my-repo
254+
```
255+
256+
### Sample Output
257+
```
258+
{ AccessToken: **** Username: **** }
259+
```

0 commit comments

Comments
 (0)