OIDC Authentication Flow Support (jfrog#259)

Author: EyalDelarea

.github/workflows/cli-oidc-test.yml

@@ -0,0 +1,45 @@
+# This action is an integration test for OIDC workflow
+name: CLI OpenID Connect Test
+on:
+  push:
+    branches:
+      - master
+
+  # Triggers the workflow on labeled PRs only.
+  pull_request_target:
+    types: [ labeled ]
+
+
+# Ensures that only the latest commit is running for each PR at a time.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }}
+  cancel-in-progress: true
+permissions:
+  id-token: write
+jobs:
+  OIDC-Test:
+    if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'push'
+    name: OIDC-Access integration test (${{ matrix.os }})
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu, windows, macos ]
+    runs-on: ${{ matrix.os }}-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          ref:
+            ${{ github.event.pull_request.head.ref || github.sha }}
+
+      - name: Setup JFrog CLI
+        id: setup-jfrog-cli
+        uses: ./
+        env:
+          JF_URL: ${{ secrets.JFROG_PLATFORM_URL }}
+        with:
+          oidc-provider-name: setup-jfrog-cli-test
+
+      - name: Test JFrog CLI
+        run: |
+          jf rt ping

.github/workflows/oidc-test.yml renamed to .github/workflows/manual-oidc-test.yml

@@ -1,5 +1,6 @@
 # This action is an integration test for OIDC workflow
-name: OpenID Connect Test
+# Which uses the manual approach for backwards compliantly
+name: Manual OpenID Exchange Connect Test
 on:
   push:
     branches:
@@ -40,6 +41,8 @@ jobs:
           "name": "${{ env.OIDC_PROVIDER_NAME }}",
           "issuer_url": "https://token.actions.githubusercontent.com",
           "provider_type": "GitHub",
+          "enable_permissive_configuration": "true",
+          "token_issuer" : "",
           "description": "This is a test configuration created for OIDC-Access integration test" }'
 
       - name: Create OIDC integration Identity Mapping
@@ -67,6 +70,8 @@ jobs:
           JF_URL: ${{ secrets.JFROG_PLATFORM_URL }}
         with:
           oidc-provider-name: ${{ env.OIDC_PROVIDER_NAME }}
+          # The last version which outputs OIDC params as step outputs
+          version: '2.74.1'
 
       - name: Test JFrog CLI
         run: |

README.md

@@ -118,7 +118,21 @@ Example step utilizing OpenID Connect:
       oidc-provider-name: setup-jfrog-cli
 ```
 
-**Notice:** When using OIDC authentication, this action outputs both the OIDC token and the OIDC token username. These can be utilized within the current workflow to log into the JFrog platform through other actions or clients (e.g., for use with `docker login`). The added outputs are `oidc-token` and `oidc-user`, respectively.
+**Notice:**
+
+Depending on the version of the CLI and how it is provisioned, this action intelligently chooses the optimal OIDC authentication flow:
+
+✅ Native OIDC (Recommended Path)
+
+If you are using JFrog CLI version 2.75.0 or above and not downloading the CLI from Artifactory
+(via the download-repository input),
+the setup action will use the CLI's native `--oidc-token-id` authentication mechanism.
+
+🔁 Manual Fallback (for legacy or remote setups)
+
+If the CLI version is below 2.75.0, or if you're downloading the CLI from Artifactory using download-repository, the action will automatically fall back to a manual OIDC token exchange using the JFrog Platform REST API.
+
+📝 This fallback logic is kept for backward compatibility but is planned for deprecation to avoid maintaining duplicate authentication flows.
 
 ### Handling Self-Signed Certificates
 

action.yml

@@ -4,7 +4,7 @@ author: "JFrog"
 inputs:
     version:
         description: "JFrog CLI Version"
-        default: "2.73.0"
+        default: "2.75.0"
         required: false
     download-repository:
         description: "Remote repository in Artifactory pointing to 'https://releases.jfrog.io/artifactory/jfrog-cli'. Use this parameter in case you don't have an Internet access."