
JFrog CLI Issue with OIDC Token Expiry

Open krishnamanchikalapudi opened this issue 1 year ago • 1 comment

Describe the bug

When using an OIDC token configured to expire after 1 minute in a GitHub action to download Maven jars and build a Docker image, the download fails with a 401 error ("Token failed verification expired"). The token expires before the process completes, causing an incomplete download.

Current behavior

The token expires in 1 minute, and JFrog CLI does not automatically refresh it, leading to a 401 error and incomplete downloads. Refer to the GitHub Action job: https://github.com/krishnamanchikalapudi/spring-petclinic/actions/runs/11005259480/job/30557614565

[Screenshot attached: 2024-09-23 6:37:29 PM]

Reproduction steps

  1. Configure GitHub Integration:
  • Set the OIDC token expiration duration to 1 minute in Artifactory's GitHub integration.
  2. Run Maven Build:
  • Use the configured OIDC token in a GitHub Action to initiate a Maven build that requires downloading dependencies from Artifactory.
  3. Build Docker Image:
  • As part of the same workflow, attempt to build a Docker image that pulls from the Maven artifacts.
  4. Observe Issue:
  • The token expires before the process completes, resulting in a 401 error (Token failed verification: expired) and incomplete artifact download.

Expected behavior

The JFrog CLI should refresh the token upon expiration to ensure that the download completes without requiring a long-duration token.

Setup JFrog CLI version

jfrog/setup-jfrog-cli@v4

JFrog CLI version

2.67.0

Workflow operating system type and version

ubuntu:latest

JFrog Artifactory version (if relevant)

No response

JFrog Xray version (if relevant)

No response

krishnamanchikalapudi avatar Sep 24 '24 01:09 krishnamanchikalapudi

Hey @krishnamanchikalapudi,

Thanks for raising this!

This behavior is actually by design rather than a bug. OIDC tokens are intended to be short-lived for security reasons, and at the moment, we don't support automatic token refresh in this context.

We recommend configuring the token with a validity period that's appropriate for the duration of your CI run. Once the run completes, the token will be revoked automatically.

Let us know if that works for your use case or if you have any further questions.

EyalDelarea avatar Apr 01 '25 15:04 EyalDelarea
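The maintainer's recommendation above amounts to "size the token validity to the job". The script below is an added illustration of how a workflow can enforce that itself as a pre-flight check, before `mvn` or `docker build` start pulling from Artifactory: it reads the `exp` claim of the access token the job was handed and fails immediately, with a clear message, if the remaining lifetime cannot cover the expected job duration plus a safety margin. This is not code from setup-jfrog-cli or JFrog; it assumes the token is a JWT carrying a standard numeric `exp` claim (the sample tokens and the fixed `NOW` timestamp are constructed for the demo, and the `make_unsigned_jwt` helper exists only to mint those samples).

```python
"""Pre-flight check: will the access token outlive the CI job that uses it?

Added illustration, not code from setup-jfrog-cli or JFrog. Assumes the token
handed to the job is a JWT with a standard numeric `exp` claim; adapt
jwt_claims() if your token format differs.
"""
import base64
import json
import time
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Mint an alg=none JWT for the demo only (constructed; no server accepts it)."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url_encode(claims)}."


def jwt_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature.

    Verification is Artifactory's job; the CI job only needs to read `exp`
    to decide whether it can finish before the token dies.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def remaining_lifetime(token: str, now: Optional[float] = None) -> float:
    """Seconds until `exp`; negative once the token has already expired."""
    claims = jwt_claims(token)
    if "exp" not in claims:
        raise ValueError("token carries no exp claim")
    now = time.time() if now is None else now
    return float(claims["exp"]) - now


def check_token_budget(token: str, expected_job_seconds: float,
                       margin_seconds: float = 30.0,
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Fail fast when the token cannot cover the job plus a safety margin.

    Running this before the Maven and Docker steps turns a mid-download 401
    ("Token failed verification: expired") into an immediate, explicit failure.
    """
    left = remaining_lifetime(token, now)
    needed = expected_job_seconds + margin_seconds
    if left <= 0:
        return False, f"token already expired {-left:.0f}s ago"
    if left < needed:
        return False, (f"token expires in {left:.0f}s but the job needs ~{needed:.0f}s; "
                       "raise the token validity in the Artifactory OIDC integration")
    return True, f"token valid for {left:.0f}s, job budget {needed:.0f}s"


# Constructed sample inputs: a fixed 'now' and two tokens minted at that instant,
# one with the 1-minute validity from the issue and one with a 1-hour validity.
NOW = 1_727_000_000
ONE_MINUTE_TOKEN = make_unsigned_jwt({"sub": "ci", "iat": NOW, "exp": NOW + 60})
ONE_HOUR_TOKEN = make_unsigned_jwt({"sub": "ci", "iat": NOW, "exp": NOW + 3600})

if __name__ == "__main__":
    for name, tok in (("1-minute token", ONE_MINUTE_TOKEN), ("1-hour token", ONE_HOUR_TOKEN)):
        ok, msg = check_token_budget(tok, expected_job_seconds=300, now=NOW)
        print(f"{name}: {'OK' if ok else 'FAIL'} - {msg}")
```

In a real workflow the token would come from the environment or the setup step's output rather than from `make_unsigned_jwt`, and `expected_job_seconds` would be a conservative estimate of the Maven download plus the Docker build; the check reads the claim only, so it never needs the signing key and never weakens the server-side verification the reply describes.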