jfrog / frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
https://docs.jfrog-applications.jfrog.io/
Apache License 2.0
290 stars 61 forks

OIDC Support to Frogbot #683

Closed AdiUbarale closed 1 month ago

AdiUbarale commented 2 months ago

Hello Team, do you have any plans to allow OIDC authentication for Frogbot instead of using an access token? https://jfrog.com/blog/secure-access-development-jfrog-github-oidc/

Thanks, Adi

gailazar300 commented 2 months ago

Dear @AdiUbarale , Supporting OIDC is included in our strategic roadmap; however, it is not slated for implementation within the calendar year of 2024.

lukaspj commented 2 months ago

You can extract the token with a GitHub Actions step and then inject it into Frogbot. We've been doing that and it works fine so far; we have an action like this:

```yaml
name: 'Artifactory Access Token'
description: 'Acquire access token for Artifactory'
inputs:
  artifactory_url:
    description: "Artifactory URL"
    required: false
    default: "https://<URL>"
  audience:
    description: "OIDC Audience"
    required: false
    default: "github"
  provider:
    description: "OIDC Provider name, usually the customer identifier"
    required: true
  repository:
    description: "Repository name"
    required: true
  github_token:
    description: "GitHub Token"
    required: true

outputs:
  token:
    description: "newly acquired access token"
    value: ${{ steps.access-token.outputs.token }}
  username:
    description: "username for matching the token"
    value: ${{ inputs.provider }}/${{ inputs.repository }}-ci

runs:
  using: "composite"
  steps:
    - name: Get Access Token
      shell: bash
      id: access-token
      run: |
        # Customize the OIDC "sub" claim for this repository so it becomes "repo:<ORG>/<repo>",
        # which is what the identity mapping on the Artifactory side matches against.
        curl -sLS -XPUT -H "Accept: application/vnd.github+json" \
          -H "Authorization: Bearer ${{ inputs.github_token }}" \
          -H "X-GitHub-Api-Version: 2022-11-28" \
          https://api.github.com/repos/<ORG>/${{ inputs.repository }}/actions/oidc/customization/sub \
          -d '{"use_default":false,"include_claim_keys":["repo"]}'

        # Request a GitHub-signed ID token for the configured audience
        # (the calling job needs `permissions: id-token: write` for these variables to be set).
        ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${{ inputs.audience }}" | jq -r .value)

        # Exchange the ID token for an Artifactory access token (OAuth 2.0 token exchange, RFC 8693).
        REQ=$(curl -sLS -XPOST "${{ inputs.artifactory_url }}/access/api/v1/oidc/token" -H "Content-type: application/json" \
          -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"${{ inputs.provider }}\"}")
        ACCESS_TOKEN=$(echo "$REQ" | jq -r .access_token)
        # Mask the token before anything else is printed. Base64 is not masking: the ::debug::
        # lines below still expose both tokens in debug logs, so drop them once the flow works.
        echo "::add-mask::$ACCESS_TOKEN"
        echo ::debug::ID_TOKEN=$(echo $ID_TOKEN | base64)
        echo ::debug::ACCESS_TOKEN_REQUEST=$REQ
        echo ::debug::ACCESS_TOKEN=$(echo $ACCESS_TOKEN | base64)
        echo "token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"
```

used like this:

```yaml
      # The job running these steps needs `permissions: id-token: write` so the OIDC request succeeds.
      - name: Get Access Token
        uses: <insert-repo>/.github/actions/artifactory-access-token@v2
        id: access-token
        with:
          provider: <insert>
          github_token: ${{ secrets.GITHUB_TOKEN }}
          repository: <insert>

      - uses: jfrog/frogbot@54d0cfedebdb11ded3af3069fd3c69ab6727509d  # v2.20.2
        env:
          JF_URL: https://artifactory.novus.legogroup.io
          JF_ACCESS_TOKEN: ${{ steps.access-token.outputs.token }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

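The workaround above hands a GitHub OIDC ID token to Artifactory's token-exchange endpoint, relying on the customized `sub` claim (`include_claim_keys: ["repo"]`) to match an identity mapping. The following is an added example, not Frogbot's code nor lukaspj's action: it decodes the ID token's claims and checks `iss`, `aud`, `sub` and `exp` against what the mapping expects before the exchange is attempted, builds the same token-exchange request body the action sends, and shows a log-safe redaction in place of the base64 debug echoes. It assumes GitHub's documented claim names (`sub`, `aud`, `iss`, `repository`, `exp`), that the customization yields `sub = "repo:<org>/<repo>"`, and uses a constructed, unsigned sample token with placeholder org and repository names; signature verification is left to Artifactory.

```python
"""Pre-flight checks for a GitHub Actions OIDC ID token before exchanging it at Artifactory.

Added example; assumptions: claim names follow GitHub's ID token, and the "sub" customization
include_claim_keys=["repo"] produces sub = "repo:<org>/<repo>".
"""
import base64
import json
import time

GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature
    (Artifactory verifies it against GitHub's JWKS; this is a pre-flight check only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def claim_problems(token: str, audience: str, org: str, repo: str, now=None) -> list:
    """List every mismatch between the token's claims and the identity mapping we expect.
    An empty list means the token is worth sending to the exchange endpoint."""
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != GITHUB_OIDC_ISSUER:
        problems.append(f"unexpected iss {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        problems.append(f"aud {aud!r} does not contain {audience!r}")
    expected_sub = f"repo:{org}/{repo}"  # shape produced by include_claim_keys=["repo"]
    if claims.get("sub") != expected_sub:
        problems.append(f"sub {claims.get('sub')!r} != {expected_sub!r}")
    if claims.get("repository") != f"{org}/{repo}":
        problems.append(f"repository claim {claims.get('repository')!r} does not match")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or missing exp")
    return problems


def check_id_token_claims(token: str, audience: str, org: str, repo: str, now=None) -> dict:
    """Raise ValueError on any mismatch; return the claims otherwise."""
    problems = claim_problems(token, audience, org, repo, now)
    if problems:
        raise ValueError("; ".join(problems))
    return decode_jwt_payload(token)


def build_exchange_request(artifactory_url: str, id_token: str, provider: str):
    """URL and JSON body for Artifactory's OIDC token exchange, as the action's second curl sends it."""
    url = artifactory_url.rstrip("/") + "/access/api/v1/oidc/token"
    body = {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "subject_token": id_token,
        "provider_name": provider,
    }
    return url, body


def redact(secret: str, keep: int = 4) -> str:
    """Log-safe form of a token; base64 encoding, by contrast, hides nothing from a log reader."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return f"{secret[:keep]}...(len={len(secret)})"


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token (empty signature segment) for offline testing only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


SAMPLE_CLAIMS = {  # constructed values; org and repo names are placeholders
    "iss": GITHUB_OIDC_ISSUER,
    "aud": "github",
    "sub": "repo:example-org/example-repo",
    "repository": "example-org/example-repo",
    "exp": 4102444800,  # 2100-01-01 UTC, chosen so the sample stays valid
}

if __name__ == "__main__":
    tok = make_sample_token(SAMPLE_CLAIMS)
    claims = check_id_token_claims(tok, "github", "example-org", "example-repo")
    url, body = build_exchange_request("https://<URL>/", tok, "example-provider")
    print(url, claims["sub"], redact(body["subject_token"]))
```

In a real job the token would come from `ACTIONS_ID_TOKEN_REQUEST_URL` and the request would be posted with the job's HTTP client; the point of the check is that a wrong audience or an uncustomized `sub` fails loudly here, rather than as an opaque rejection from the exchange endpoint, and that nothing secret reaches the log.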
eranturgeman commented 1 month ago

Hello @AdiUbarale and @lukaspj, I'm happy to inform you that OIDC authentication for GitHub is available for Frogbot now! Please refer to our docs to learn more about it if needed: https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions Hope this feature serves you well :)