Exchange an OIDC token for JFrog access
The jf exchange-oidc-token command (jf eot) swaps an OIDC token ID from your CI identity provider for a JFrog access token and username. It is intended for pipelines where short-lived OIDC credentials are issued inside the job.
Note: This command is designed for CI/CD pipelines. OIDC tokens are short-lived credentials generated inside a CI job; they cannot be created locally.
Prerequisites
To use this command:
- Your JFrog Platform administrator must configure the OIDC integration. See Administration > Security > OpenID Connect in the Artifactory UI.
- Your CI/CD platform must support OpenID Connect (OIDC) identity federation (GitHub Actions, Azure DevOps, or a generic OIDC-compatible provider).
- The JFrog CLI must be installed and accessible in your CI/CD environment.
Synopsis
```
jf exchange-oidc-token <oidc-provider-name> <oidc-token-id> [--url=<artifactory-url>] [--oidc-provider-type=<type>]
```
Where:
- <oidc-provider-name>: Name of the OIDC provider configured in Artifactory.
- <oidc-token-id>: OIDC token ID to exchange (omit if JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID is set).
- <artifactory-url>: Optional. Artifactory base URL; defaults to the configured server if omitted.
- <type>: Optional. Provider implementation: GitHub (default), Azure, or GenericOidc.
- You can add further flags from the Options table (--oidc-audience, --application-key, --project, --repository, and others) as needed.
Aliases: jf eot
Arguments
| Argument | Required | Description |
|---|---|---|
| <oidc-provider-name> | Yes | Name of the OIDC provider |
| <oidc-token-id> | Yes | OIDC token ID to exchange for an access token |
Options
| Flag | Short | Default | Description |
|---|---|---|---|
| --url | - | - | JFrog Artifactory URL (example: https://acme.jfrog.io/artifactory). If omitted, uses the default configured server (see jf config use). |
| --oidc-audience | - | - | Audience for the OIDC token |
| --oidc-provider-name | - | - | OIDC provider name. Must be used together with the <oidc-provider-name> positional argument; does not replace it. |
| --oidc-token-id | - | - | OIDC token ID. Must be used together with the <oidc-token-id> positional argument; does not replace it. |
| --oidc-provider-type | - | GitHub | OIDC provider type: GitHub, Azure, or GenericOidc |
| --application-key | - | - | JFrog Application Key. Required when your JFrog Platform uses application-scoped OIDC configurations. |
| --project | - | - | JFrog Artifactory project key |
| --repository | - | - | Repository name to filter the OIDC resource scope |
Environment Variables
| Variable | Description |
|---|---|
| JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID | OIDC token ID. When set, the <oidc-token-id> positional argument can be omitted. |
Output
On success, the command prints the JFrog access token and the associated username:
```json
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
  "username": "[email protected]"
}
```
Use the returned access_token with jf config add to store the credential for subsequent commands.
Examples
Exchange an OIDC Token
To exchange a provider token for a JFrog access token:
```shell
jf eot <oidc-provider-name> <oidc-token-id> --url=<artifactory-url>
```
Where:
- <oidc-provider-name> and <oidc-token-id>: Values from your OIDC setup and CI job.
- <artifactory-url>: For example https://acme.jfrog.io/artifactory.
Example:
```shell
jf eot my-github-provider eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... --url=https://acme.jfrog.io/artifactory
```
The command prints a JFrog access token and username (see Output).
Use a Non-Default Provider Type
To specify a non-GitHub OIDC provider type:
```shell
jf eot <oidc-provider-name> <oidc-token-id> --oidc-provider-type=<type> --url=<artifactory-url>
```
Where:
- <type>: GitHub, Azure, or GenericOidc.
Example:
```shell
jf eot my-oidc-provider eyJhbGciOiJIUzI1NiIs... --oidc-provider-type=Azure --url=https://acme.jfrog.io/artifactory
```
GitHub Actions Workflow
To exchange an OIDC token from GitHub Actions:
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # required to generate an OIDC token
      contents: read
    steps:
      - name: Get OIDC token
        id: oidc
        run: |
          TOKEN=$(curl -sS "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" \
            -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" | jq -r .value)
          # Mask the token so it is redacted if it appears in later log output
          echo "::add-mask::$TOKEN"
          echo "TOKEN=$TOKEN" >> "$GITHUB_OUTPUT"
      - name: Exchange OIDC token for JFrog access token
        run: |
          jf eot my-github-oidc-provider "${{ steps.oidc.outputs.TOKEN }}" \
            --url=https://<your-org>.jfrog.io/artifactory \
            --oidc-provider-type=GitHub
```
Use Environment Variable for Token ID
To pass the token ID via environment variable:
- Run:
```shell
export JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID=<oidc-token-id>
jf eot <oidc-provider-name> --url=https://<artifactory-host>/artifactory
```
Where:
- <oidc-token-id>: OIDC token value for the current job.
- <oidc-provider-name>: Configured provider name.
- <artifactory-host>: Your JFrog hostname (for example acme.jfrog.io).
Example:
```shell
export JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID=eyJhbGciOiJIUzI1NiIs...
jf eot my-oidc-provider --url=https://acme.jfrog.io/artifactory
```
When JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID is set, the <oidc-token-id> positional argument can be omitted.
When to Use
Use jf eot (exchange OIDC token) when your CI/CD platform supports OpenID Connect (OIDC) identity federation with JFrog. This is the recommended authentication method for:
- GitHub Actions: Uses GitHub's built-in OIDC provider to generate short-lived tokens
- Azure DevOps: Uses Azure AD as the OIDC provider
- Other OIDC providers: Any provider compatible with the GenericOidc type
OIDC eliminates the need to store long-lived access tokens as CI/CD secrets. Instead, the CI platform generates a short-lived identity token that the CLI exchanges for a JFrog access token.
Note: OIDC (OpenID Connect) is an identity protocol built on top of OAuth 2.0. See the Prerequisites section for setup requirements.
Troubleshooting
To fix common jf exchange-oidc-token errors:
| Error | Cause | Resolution |
|---|---|---|
| server response: 401 Authentication is required | Invalid or expired OIDC token, or provider name mismatch | Verify the provider name matches the one configured in Artifactory. Ensure the OIDC token was generated in the current CI job and has not expired. |
| server response: 404 Not Found | Incorrect --url value | Confirm the Artifactory URL is correct and reachable. |
| unsupported oidc provider type: <value> | Invalid value for --oidc-provider-type | Use one of: GitHub, Azure, GenericOidc. |
| Wrong number of arguments (0) | No positional arguments provided | The two positional arguments <oidc-provider-name> and <oidc-token-id> are required. The --oidc-provider-name and --oidc-token-id flags do not replace them. |
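
A pre-flight check for the 401 row above, as an added example that is not part of the JFrog documentation: it decodes the OIDC token's claims and reports an expired token or an unexpected audience before jf eot is called. The function names, the constructed sample token and the expected audience jfrog-github (taken from the audience parameter in the workflow above) are assumptions; the token signature is not verified here.

```shell
#!/usr/bin/env bash
# Added example: inspect an OIDC token's claims before running `jf eot`.
# Diagnostic only: the payload is decoded, the signature is NOT verified.

# Decode the base64url payload (second dot-separated segment) of a JWT.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
  # base64url drops '=' padding; restore it so base64 -d accepts the input.
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Extract one top-level string or numeric claim from flat JSON (no jq needed).
# An array-valued "aud" is not handled and is reported as a mismatch.
claim() {
  printf '%s' "$1" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# preflight <token> <expected-audience> [now-epoch]
# Prints "ok" and returns 0 if the token looks usable, else prints the reason.
preflight() {
  local payload exp aud now
  payload=$(jwt_payload "$1") || payload=""
  [ -n "$payload" ] || { echo "not a JWT"; return 1; }
  exp=$(claim "$payload" exp)
  aud=$(claim "$payload" aud)
  now=${3:-$(date +%s)}
  case "$exp" in ''|*[!0-9]*) echo "missing exp"; return 1 ;; esac
  [ "$exp" -gt "$now" ] || { echo "expired"; return 1; }
  [ "$aud" = "$2" ] || { echo "audience mismatch: $aud"; return 1; }
  echo "ok"
}

# Constructed, unsigned sample token (hypothetical claims, for illustration).
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
HDR=$(b64url '{"alg":"none"}')
BODY=$(b64url '{"aud":"jfrog-github","exp":2000000000,"sub":"repo:acme/app"}')
SAMPLE="$HDR.$BODY.sig"

preflight "$SAMPLE" "jfrog-github" 1900000000
```

In a CI job, call preflight with the job's token and the audience configured for the provider, and fail the step on a non-zero return so the cause is visible before the exchange is attempted.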
