🐸
JFrog Applications
  • JFrog Applications
  • JFrog Applications
    • JFrog CLI
      • Download and Install
      • Authentication
      • Shell Auto Completion
      • Usage
      • Configurations
        • JFrog Platform Configuration
        • Proxy Support
      • CLI AI Assistant
        • AI Assistant Addendum
      • Binaries Management with JFrog Artifactory
        • Environment Variables
        • Authentication
        • Verifying Artifactory's Accessibility
        • Generic Files
        • Using File Specs
        • Using Placeholders
        • Build Integration
        • Package Managers Integration
        • Storing Symlinks in Artifactory
        • cURL Integration
        • Managing Configuration Entities
        • Release Lifecycle Management
        • Transferring Files Between Artifactory Servers
        • Cleaning Up Unreferenced Files from a Git LFS Repository
        • Evidence Service
      • CLI for JFrog Security
        • Download Updates for Xray's Database
        • How Tos
          • Scan your code dependencies
          • Scan your Binaries
          • Enrich your SBOM JSONs & XMLs
          • JFrog Curation
          • Scan Published Builds
          • Count Contributing Developers
      • CLI for JFrog Distribution
      • CLI for JFrog Cloud Transfer
      • CLI Command Summaries
      • JFrog CLI Plugins
        • JFrog CLI Plugins Developer Guide
    • IDE
      • Visual Studio Code
        • VS Code Prerequsites Per Language
        • Supported Technologies
        • Install the JFrog VS Code Extension
          • Connect VS Code to the JFrog Platform
        • Manage VS Code IDE
        • Quick Start
        • How Tos
          • Analyze your Results
            • Resolve Issues
            • Ignore Findings
      • JetBrains IDEs
        • Supported Technologies
        • Install the JFrog IDEA Plugin
        • Connect the JFrog Plugin to the JFrog Platform
        • Using the JFrog Plugin in the JetBrains IDEs
        • Plugin Configuration
        • Apply Xray Policies and Watches
        • Troubleshooting
      • Eclipse
        • Supported Technologies
        • Install and Setup of the JFrog Eclipse IDE Plugin
        • Scan Gradle Projects with the JFrog Eclipse IDE Plugin
        • Use the JFrog Eclipse IDE Plugin
      • Visual Studio
        • Supported Technologies
        • Install and Setup the JFrog Visual Studio Extension
        • Use the JFrog Visual Studio Extension
    • JFrog Frogbot
      • Supported Technologies
      • Setup
        • Frogbot Configuration
        • Setup Frogbot Using GitHub Actions
          • OIDC Authentication
          • Scan Git Repository Full Template
          • Scan Pull Request Full Template
        • Setup Frogbot Using Jenkins
        • Setup Frogbot Using JFrog Pipelines
        • Setup Frogbot Using GitLab CI
          • GitLab Full Template
        • Setup Frogbot Using Azure Pipelines
      • Scan Execution
        • Scan Git Repositories
          • View Security Alerts on GitHub
        • Scan Pull Requests
          • Scan GitHub Pull Request
          • Scan GitLab Pull Request
          • Scan Azure Repos Pull Request
          • Scan Bitbucket Server Pull Request
          • Pull Request Scan Results
      • Frogbot Badge
  • CI & SDKs
    • CI Integrations
      • Maven Artifactory Plugin
      • GitLab Templates for JFrog
      • Jenkins JFrog Plugin
      • Bamboo JFrog Plugin
      • GitHub Actions
      • Artifactory Gradle Plugin
    • SDKs
      • Artifactory Java Client
      • JFrog Go Client
  • JFrog Security Features
    • SCA
    • Contextual Analysis
    • Infrastructure as Code (IaC)
    • Secrets
    • SAST
      • Integrations
      • Ignore Findings
Powered by GitBook

© 2024 JFrog Ltd All Rights Reserved

On this page
  • General
  • JFrog Platform configuration
  • Workflow configuration
  • Example for OpenID Connect Usage
  • Troubleshooting
  • Scan failures due to token expiration
Export as PDF
  1. JFrog Applications
  2. JFrog Frogbot
  3. Setup
  4. Setup Frogbot Using GitHub Actions

OIDC Authentication

Authenticating using OpenID Connect (OIDC)

PreviousSetup Frogbot Using GitHub ActionsNextScan Git Repository Full Template

Last updated 6 months ago

General

The sensitive connection details, such as the access token used by JFrog Frogbot, can be automatically generated by the action instead of storing it as a secret in GitHub. This is made possible by leveraging the OpenID-Connect (OIDC) protocol. This protocol can authenticate the workflow issuer and supply a valid access token. Learn more about this integration in this blog post. To utilize the OIDC protocol, follow these steps:

JFrog Platform configuration

  1. Configure an OIDC Integration: This phase sets an integration between GitHub Actions to the JFrog platform.

    1. Navigate to the Administration tab In the JFrog Platform UI

    2. Click General | Manage Integrations

    3. Click New Integration | OpenID Connect:

    4. Configure the OIDC integration:

The 'Provider Name' value should be used as the 'oidc-provider-name' input in Workflow Configuration step 2 below.

The 'Audience' field does NOT represent the 'aud' claim that can be added to identity-mapping configured in the 'Claims JSON' (shown below). Only claims that are included in the 'Claims Json' created during step 2 will be validated.

  1. Configure an identity mapping: This phase sets an integration between a particular GitHub repository to the JFrog platform.

    An identity mapping is a configuration object utilized by the JFrog Platform to associate incoming OIDC claims with particular selected fields. These fields might include repository, actor, workflow, and others. To configure the identity mapping, click on the identity mapping created in section 1 and then click on Add Identity Mapping. In the 'priority' field insert the value '1' and fill in the rest of the required fields:

    You have the flexibility to define any valid list of claims required for request authentication. You can check a list of the possible claims here. Example Claims JSON:

    {
    "repository": "repository-owner/my-repository"
}

Workflow configuration

  1. Set required permissions: In the course of the protocol's execution, it's imperative to acquire a JSON Web Token (JWT) from GitHub's OIDC provider. To request this token, it's essential to configure the specified permission in the workflow file:

    permissions:
    id-token: write

  2. Pass the 'oidc-provider-name' input to the Action (Required): The 'oidc-provider-name' parameter designates the OIDC configuration whose one of its identity mapping should align with the generated JWT claims. This input needs to align with the 'Provider Name' value established within the OIDC configuration in the JFrog Platform.

  3. Pass the 'oidc-audience' input to the Action (Optional): The 'oidc-audience' input defines the intended recipients of an ID token (JWT), ensuring access is restricted to authorized recipients for the JFrog Platform. By default, it contains the URL of the GitHub repository owner. It enforces a condition, allowing only workflows within the designated repository/organization to request an access token. Read more about it here.

Example for OpenID Connect Usage

- uses: jfrog/frogbot@v2
  env:
      JF_URL: ${{ vars.JF_URL }}
      JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  with:
      oidc-provider-name: frogbot-integration

Troubleshooting

Scan failures due to token expiration

When using OIDC integration, you might encounter failures in Xray scans or JFrog Advanced Security scans due to token expiration. If this occurs, try extending the 'Token Expiration Time' in the 'Identity Mapping Configuration' phase to ensure the token remains valid until all scanners are triggered, which may vary depending on the project's size.