frogbot
OIDC Support to Frogbot
Hello Team, do you have any plans to allow OIDC authentication for frogbot instead of using an access token? https://jfrog.com/blog/secure-access-development-jfrog-github-oidc/
Thanks, Adi
Dear @AdiUbarale , Supporting OIDC is included in our strategic roadmap; however, it is not slated for implementation within the calendar year of 2024.
You can extract the token with a GitHub Action step and then inject it into Frogbot. We've been doing that and it works fine so far; we have an action like this:
name: 'Artifactory Access Token'
description: 'Acquire access token for Artifactory'
inputs:
  artifactory_url:
    description: "Artifactory URL"
    required: false
    default: "https://<URL>"
  audience:
    description: "OIDC Audience"
    required: false
    default: "github"
  provider:
    description: "OIDC Provider name, usually the customer identifier"
    required: true
  repository:
    description: "Repository name"
    required: true
  github_token:
    description: "GitHub Token"
    required: true
outputs:
  token:
    description: "newly acquired access token"
    value: ${{ steps.access-token.outputs.token }}
  username:
    description: "username for matching the token"
    value: ${{ inputs.provider }}/${{ inputs.repository }}-ci
runs:
  using: "composite"
  steps:
    - name: Get Access Token
      shell: bash
      id: access-token
      # Inputs are passed through env rather than interpolated into the script,
      # so a caller-controlled value cannot inject shell into the run block.
      env:
        ARTIFACTORY_URL: ${{ inputs.artifactory_url }}
        AUDIENCE: ${{ inputs.audience }}
        PROVIDER: ${{ inputs.provider }}
        REPOSITORY: ${{ inputs.repository }}
        GH_TOKEN: ${{ inputs.github_token }}
      run: |
        set -euo pipefail
        # Restrict this repo's OIDC "sub" claim to "repo:<ORG>/<repo>" (no ref or
        # environment suffix) so the JFrog identity mapping can match a stable value.
        curl -sLSf -XPUT -H "Accept: application/vnd.github+json" \
          -H "Authorization: Bearer $GH_TOKEN" \
          -H "X-GitHub-Api-Version: 2022-11-28" \
          "https://api.github.com/repos/<ORG>/${REPOSITORY}/actions/oidc/customization/sub" \
          -d '{"use_default":false,"include_claim_keys":["repo"]}'
        # Ask the runner for the job's ID token (the job needs "id-token: write").
        ID_TOKEN=$(curl -sLSf -H "User-Agent: actions/oidc-client" \
          -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${AUDIENCE}" | jq -r .value)
        echo "::add-mask::$ID_TOKEN"
        # Exchange the ID token for a JFrog access token (OAuth token exchange).
        REQ=$(curl -sLSf -XPOST "${ARTIFACTORY_URL}/access/api/v1/oidc/token" \
          -H "Content-Type: application/json" \
          -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"$PROVIDER\"}")
        ACCESS_TOKEN=$(echo "$REQ" | jq -r .access_token)
        # Mask the token before anything else is logged. Do not echo the tokens or the
        # exchange response to the job log, even base64-encoded or under ::debug::.
        echo "::add-mask::$ACCESS_TOKEN"
        echo "token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"
Used like this:
# The job's permissions block must include "id-token: write" for the OIDC request.
- name: Get Access Token
  uses: <insert-repo>/.github/actions/artifactory-access-token@v2
  id: access-token
  with:
    provider: <insert>
    github_token: ${{ secrets.GITHUB_TOKEN }}
    repository: <insert>
- uses: jfrog/frogbot@54d0cfedebdb11ded3af3069fd3c69ab6727509d # v2.20.2
  env:
    JF_URL: https://artifactory.novus.legogroup.io
    JF_ACCESS_TOKEN: ${{ steps.access-token.outputs.token }}
    JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
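The two-step exchange in the comment above (runner issues an ID token, JFrog's /access/api/v1/oidc/token swaps it for an access token), reimplemented below as an added example written for this page; it is not code from the thread, from Frogbot or from JFrog. It adds the check a practitioner would want between the two calls: decode the ID token's claims and confirm the audience, the customized `sub` (`repo:<owner>/<repo>` once `include_claim_keys` is `["repo"]`) and the expiry before the token is sent anywhere. Assumptions not taken from the page: the function names, the `JFROG_OIDC_PROVIDER` and `OIDC_AUDIENCE` environment variables, the sample claims, and `make_unsigned_jwt()`, which exists only so the decoding and checking logic can be exercised offline (real GitHub ID tokens are signed, and the signature is verified by JFrog, not here).

```python
"""Added example: GitHub OIDC ID token -> claims check -> JFrog access token.

Not part of the original thread, Frogbot or JFrog. Function names, env var
names and sample claims are assumptions made for this example.
"""
import base64
import json
import os
import time
import urllib.request

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    # Constructed, unsigned token for offline demonstration only.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    # Payload decode only. The signature is deliberately not verified here: the
    # token is just inspected locally, and JFrog's endpoint validates it against
    # GitHub's published keys before issuing anything.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, audience: str, repository: str, now: float) -> list:
    """Return a list of problems; empty means the token carries the values the
    JFrog identity mapping is expected to match on."""
    problems = []
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        problems.append(f"aud {aud!r} does not contain {audience!r}")
    # With use_default=false and include_claim_keys=["repo"] GitHub issues
    # sub = "repo:<owner>/<repo>" with no ref or environment suffix.
    if claims.get("sub") != f"repo:{repository}":
        problems.append(f"sub {claims.get('sub')!r} != 'repo:{repository}'")
    if claims.get("repository") != repository:
        problems.append(f"repository {claims.get('repository')!r} != {repository!r}")
    if float(claims.get("exp", 0)) <= now:
        problems.append("token is expired")
    return problems


def exchange_body(id_token: str, provider: str) -> dict:
    # Body for POST <artifactory_url>/access/api/v1/oidc/token (OAuth token exchange).
    return {
        "grant_type": TOKEN_EXCHANGE,
        "subject_token_type": ID_TOKEN_TYPE,
        "subject_token": id_token,
        "provider_name": provider,
    }


def fetch_id_token(audience: str) -> str:
    # Runner-provided endpoint; requires "id-token: write" on the job.
    url = f"{os.environ['ACTIONS_ID_TOKEN_REQUEST_URL']}&audience={audience}"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {os.environ['ACTIONS_ID_TOKEN_REQUEST_TOKEN']}",
        "User-Agent": "actions/oidc-client"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


def exchange_for_access_token(artifactory_url: str, id_token: str, provider: str) -> str:
    req = urllib.request.Request(
        f"{artifactory_url.rstrip('/')}/access/api/v1/oidc/token",
        data=json.dumps(exchange_body(id_token, provider)).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def main() -> None:
    audience = os.environ.get("OIDC_AUDIENCE", "github")       # assumed env var
    repository = os.environ["GITHUB_REPOSITORY"]                # "<owner>/<repo>", set by the runner
    provider = os.environ["JFROG_OIDC_PROVIDER"]                # assumed env var
    id_token = fetch_id_token(audience)
    print(f"::add-mask::{id_token}")                             # mask before any other output
    problems = check_claims(jwt_claims(id_token), audience, repository, time.time())
    if problems:
        raise SystemExit("refusing to exchange ID token: " + "; ".join(problems))
    access_token = exchange_for_access_token(os.environ["JF_URL"], id_token, provider)
    print(f"::add-mask::{access_token}")
    with open(os.environ["GITHUB_OUTPUT"], "a") as out:
        out.write(f"token={access_token}\n")


if __name__ == "__main__":
    main()
```

Run it as a step with `id-token: write` and feed `steps.<id>.outputs.token` to `JF_ACCESS_TOKEN` exactly as the composite action is used above; the claims check is what catches a token minted with the default `sub` template (ref or environment suffix) that the JFrog identity mapping would silently reject.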
Hello @AdiUbarale and @lukaspj, I'm happy to inform you that OIDC authentication for GitHub is available for Frogbot now! Please refer to our docs to learn more about it if needed: https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions Hope this feature serves you well :)