Support OIDC Token Exchange During Server Configuration #1369
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
devbranch.gofmtfor formatting the code before submitting the pull request.✨ Add OIDC Authentication Support to
jf config(Non-Interactive)This PR introduces support for configuring a JFrog server using OIDC token exchange in non-interactive mode — a key enabler for CI/CD systems like GitHub Actions, Azure Pipelines, and others.
Highlights:
OidcTokenExchangeCommandingeneral/token, encapsulating the OIDC token exchange flow.--oidc-*flags injf configwhen run non-interactively:JFROG_CLI_USAGE_CONFIG_OIDCfor usage tracking.📣 CI-Focused, Non-Interactive-Only
OIDC support is currently only available for non-interactive CLI config, making it ideal for:
Interactive terminal flows are not yet supported to minimize risk and limit rollout scope.
🗂 CLI Utils
Added a utility to read application.key from the local ~/.jfrog/config.yml file or from the JFROG_CLI_APPLICATION_KEY environment variable.
🧾 Supported OIDC Parameters
Can be provided via flags or environment variables:🅰️ :
Args
urloidc-provider-nameoidc-provider-type(defaults toGitHub)Flags 🎏 :
--oidc-token-id--oidc-audience(optional)JFROG_CLI_APPLICATION_KEY,JFROG_CLI_PROJECT,JFROG_CLI_CI_JOB_ID,JFROG_CLI_CI_RUN_ID,JFROG_CLI_SOURCECODE_REPOSITORY📌 Example: Configuring OIDC Auth in CI
jf config add my-server \ --url=https://my.jfrog.io \ --oidc-provider-name=GitHub \ --oidc-provider-type=GitHub \ --oidc-token-id=$ID_TOKEN \ --interactive=falseThis will exchange the
$ID_TOKENfor an access token and store it in the CLI config.📊 Updated Usage Reporting
Usage is now tracked when the OIDC token exchange command runs:
✅ Removed legacy env var
JFROG_CLI_USAGE_CONFIG_OIDC.✅ Added direct usage tracking via
ExecAndThenReportUsage()during token exchange.This improves visibility and consistency across all environments — not just those using GitHub Actions.
🔗 Related Work
This PR depends on [jfrog-client-go#1103](jfrog/jfrog-client-go#1103), which adds support for the OIDC token exchange endpoint.