OIDC Support to Frogbot #683
Dear @AdiUbarale,

You can extract the token with a GitHub Actions step and then inject it into Frogbot; we've been doing that and it works fine so far. We have an action like this:

```yaml
name: 'Artifactory Access Token'
description: 'Acquire access token for Artifactory'
inputs:
  artifactory_url:
    description: "Artifactory URL"
    required: false
    default: "https://<URL>"
  audience:
    description: "OIDC Audience"
    required: false
    default: "github"
  provider:
    description: "OIDC Provider name, usually the customer identifier"
    required: true
  repository:
    description: "Repository name"
    required: true
  github_token:
    description: "GitHub Token"
    required: true
outputs:
  token:
    description: "newly acquired access token"
    value: ${{ steps.access-token.outputs.token }}
  username:
    description: "username for matching the token"
    value: ${{ inputs.provider }}/${{ inputs.repository }}-ci
runs:
  using: "composite"
  steps:
    - name: Get Access Token
      shell: bash
      id: access-token
      run: |
        # Restrict the repository's OIDC "sub" claim to the repo name so the
        # Artifactory identity mapping can match on it.
        curl -sLS -XPUT -H "Accept: application/vnd.github+json" \
          -H "Authorization: Bearer ${{ inputs.github_token }}" \
          -H "X-GitHub-Api-Version: 2022-11-28" \
          https://api.github.com/repos/<ORG>/${{ inputs.repository }}/actions/oidc/customization/sub \
          -d '{"use_default":false,"include_claim_keys":["repo"]}'
        # Request an ID token from GitHub for the configured audience
        # (the job needs `permissions: id-token: write`).
        ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${{ inputs.audience }}" | jq -r .value)
        echo "::add-mask::$ID_TOKEN"
        # Exchange the ID token for an Artifactory access token. The input is
        # declared as lowercase `artifactory_url` above, so reference it that way.
        REQ=$(curl -sLS -XPOST "${{ inputs.artifactory_url }}/access/api/v1/oidc/token" -H "Content-type: application/json" \
          -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"${{ inputs.provider }}\"}")
        ACCESS_TOKEN=$(echo "$REQ" | jq -r .access_token)
        # Mask before anything is logged. Do not echo the raw response or a
        # base64-encoded copy of a token: ::add-mask:: only hides the exact
        # secret string, so an encoded copy lands in the log in the clear.
        echo "::add-mask::$ACCESS_TOKEN"
        echo "token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"
```

used like this:

```yaml
- name: Get Access Token
  uses: <insert-repo>/.github/actions/artifactory-access-token@v2
  id: access-token
  with:
    provider: <insert>
    github_token: ${{ secrets.GITHUB_TOKEN }}
    repository: <insert>
- uses: jfrog/frogbot@54d0cfedebdb11ded3af3069fd3c69ab6727509d # v2.20.2
  env:
    JF_URL: https://artifactory.novus.legogroup.io
    JF_ACCESS_TOKEN: ${{ steps.access-token.outputs.token }}
    JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
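The exchange in the comment above hands whatever GitHub returned straight to Artifactory. As an added example (not code from the thread, from @lukaspj, or from the Frogbot/JFrog projects), the script below decodes the ID token's claims locally and refuses to build the token-exchange request unless the `iss`, `aud` and `repository` claims are the ones the workflow expects, then builds the same RFC 8693 request body the comment's curl sends. It needs no `jq`. The sample JWT is constructed in the script, unsigned and fake; the provider name `my-provider` and the repository `octo-org/frogbot-demo` are invented placeholders. Signature verification is Artifactory's job; this check only stops a token minted for another audience or repository from being sent at all.

```shell
#!/usr/bin/env sh
# Added example, not from the issue thread. Inspects a GitHub Actions OIDC
# ID token's claims before exchanging it at Artifactory's
# /access/api/v1/oidc/token endpoint. Claims are read, not verified:
# the signature is checked by Artifactory, not here.

# base64url-decode the payload (second dot-separated segment) of a JWT.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Extract a string-valued claim ("key":"value") from the payload.
# Enough for iss/aud/sub/repository; not a general JSON parser.
jwt_claim() {
  jwt_payload "$1" | sed -n 's/.*"'"$2"'":"\([^"]*\)".*/\1/p'
}

# Return 0 only if GitHub minted the token for our audience and repository.
check_id_token() {
  tok=$1; want_aud=$2; want_repo=$3
  [ "$(jwt_claim "$tok" iss)" = "https://token.actions.githubusercontent.com" ] || return 1
  [ "$(jwt_claim "$tok" aud)" = "$want_aud" ] || return 1
  [ "$(jwt_claim "$tok" repository)" = "$want_repo" ] || return 1
  return 0
}

# Build the RFC 8693 token-exchange body the comment's curl posts to Artifactory.
exchange_body() {
  printf '{"grant_type":"urn:ietf:params:oauth:grant-type:token-exchange","subject_token_type":"urn:ietf:params:oauth:token-type:id_token","subject_token":"%s","provider_name":"%s"}' "$1" "$2"
}

# Inside a real job (permissions: id-token: write) this fetches the ID token
# for the given audience; it is not called by the offline demo below.
oidc_id_token() {
  curl -sSf -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=$1" \
    | sed -n 's/.*"value":"\([^"]*\)".*/\1/p'
}

# --- constructed sample: fake, unsigned token with GitHub-style claims ----
b64url() { base64 | tr -d '=\n' | tr '+/' '-_'; }
SAMPLE_JWT="$(printf '{"alg":"none"}' | b64url).$(printf '{"iss":"https://token.actions.githubusercontent.com","aud":"github","sub":"repo:octo-org/frogbot-demo","repository":"octo-org/frogbot-demo"}' | b64url).fakesig"

if check_id_token "$SAMPLE_JWT" github octo-org/frogbot-demo; then
  echo "claims OK; token-exchange body:"
  exchange_body "$SAMPLE_JWT" my-provider
  echo
else
  echo "refusing to exchange token: unexpected issuer, audience or repository" >&2
fi
```

In a workflow step, `oidc_id_token "$AUDIENCE"` replaces the sample token, `check_id_token` gates the exchange, and the ID token should be `::add-mask::`ed as soon as it is read, before anything else is echoed.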
Hello @AdiUbarale and @lukaspj
Hello Team,
Do you have any plans to allow OIDC authentication for frogbot instead of using an access token?
https://jfrog.com/blog/secure-access-development-jfrog-github-oidc/
Thanks,
Adi