Exchange an OIDC Token for JFrog Access
The jf exchange-oidc-token command (jf eot) exchanges an OpenID Connect (OIDC) token ID from your continuous integration (CI) identity provider for a JFrog access token and username. It is intended for pipelines where short-lived OIDC credentials are issued inside the job.
Note
This command is designed for continuous integration and delivery (CI/CD) pipelines. OIDC tokens are short-lived credentials generated inside a CI job. You cannot create them locally.
Prerequisites
To use this command:
- Your JFrog Platform administrator must configure the OIDC integration. See Administration > Security > OpenID Connect in the Artifactory UI.
- Your CI/CD platform must support OIDC identity federation (GitHub Actions, Azure DevOps, or a generic OIDC-compatible provider).
- The JFrog CLI must be installed and accessible in your CI/CD environment.
Synopsis
jf exchange-oidc-token <oidc-provider-name> [<oidc-token-id>] [--url=<platform-url>] [--oidc-provider-type=<type>]
Where:
- <oidc-provider-name>: Name of the OIDC provider configured in Artifactory (first positional; required). Pass the provider name as this argument; the --oidc-provider-name flag is not used to supply it for jf exchange-oidc-token.
- <oidc-token-id>: OIDC token to exchange, usually as the second positional argument. It can be omitted if you pass the same value with --oidc-token-id or set JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID.
- <platform-url>: Optional. JFrog Platform base URL. Defaults to the URL from the default server configuration (see jf config use) if omitted.
- <type>: Optional. Provider implementation: GitHub (default), Azure, or GenericOidc.
- You can add further flags from the Options table (--oidc-audience, --application-key, --project, --repository, and others) as needed.
Aliases: jf eot
Arguments
The following table lists command arguments.
| Argument | Required | Description |
|---|---|---|
| <oidc-provider-name> | Yes | Name of the OIDC provider (first positional) |
| <oidc-token-id> | No | Second positional, or use --oidc-token-id or JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID |
Options
The following table lists command options.
| Flag | Short | Default | Description |
|---|---|---|---|
| --url | - | - | JFrog Platform base URL (example: https://acme.jfrog.io/). If omitted, uses the default configured server (see jf config use). |
| --oidc-audience | - | - | Audience for the OIDC token |
| --oidc-token-id | - | - | Optional alternative to the second positional token argument (same as JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID) |
| --oidc-provider-type | - | GitHub | OIDC provider type: GitHub, Azure, or GenericOidc |
| --application-key | - | - | JFrog Application Key. Required when the JFrog Platform uses application-scoped OIDC configurations. |
| --project | - | - | JFrog Artifactory project key |
| --repository | - | - | Repository name to filter the OIDC resource scope |
| --format | - | json | Output format. Available from JFrog CLI 2.105.0. Accepts json or table. Defaults to json for backward compatibility. Passing --format alone returns Incorrect Usage: flag needs an argument: -format; passing an unsupported value (for example, --format=yaml) returns [🚨Error] only the following output formats are supported: json, table. |
Environment Variables
The following table lists the related environment variable.
| Variable | Description |
|---|---|
| JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID | OIDC token ID. When set, the <oidc-token-id> positional argument can be omitted. |
Output
On success, the command prints the JFrog access token and the associated username. Use --format to control the output format.
--format json (default)
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
  "username": "[email protected]",
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "scope": "applied-permissions/user",
  "token_type": "Bearer"
}
--format table
FIELD              VALUE
access_token       eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
username           [email protected]
issued_token_type  urn:ietf:params:oauth:token-type:access_token
scope              applied-permissions/user
token_type         Bearer
Use the returned access_token with jf config add to store the credential for subsequent commands.
Examples
Exchange an OIDC Token
To exchange a provider token for a JFrog access token:
jf eot <oidc-provider-name> <oidc-token-id> --url=<platform-url>
Where:
- <oidc-provider-name> and <oidc-token-id>: Values from your OIDC setup and CI job.
- <platform-url>: For example https://acme.jfrog.io/.
Example:
jf eot my-github-provider eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... --url=https://acme.jfrog.io/
The command prints a JFrog access token and username (see Output).
Use a Non-Default Provider Type
To specify a non-GitHub OIDC provider type:
jf eot <oidc-provider-name> <oidc-token-id> --oidc-provider-type=<type> --url=<platform-url>
Where:
- <type>: GitHub, Azure, or GenericOidc.
Example:
jf eot my-oidc-provider eyJhbGciOiJIUzI1NiIs... --oidc-provider-type=Azure --url=https://acme.jfrog.io/
GitHub Actions Workflow
To exchange an OIDC token from GitHub Actions:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # required to generate an OIDC token
      contents: read
    steps:
      - name: Get OIDC token
        id: oidc
        run: |
          TOKEN=$(curl -sS "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" \
            -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" | jq -r .value)
          echo "TOKEN=$TOKEN" >> "$GITHUB_OUTPUT"
      - name: Exchange OIDC token for JFrog access token
        run: |
          jf eot my-github-oidc-provider "${{ steps.oidc.outputs.TOKEN }}" \
            --url=https://<your-org>.jfrog.io/ \
            --oidc-provider-type=GitHub
Use Environment Variable for Token ID
To pass the token ID via environment variable:
- Run:
export JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID=<oidc-token-id>
jf eot <oidc-provider-name> --url=https://<platform-host>/
Where:
- <oidc-token-id>: OIDC token value for the current job.
- <oidc-provider-name>: Configured provider name.
- <platform-host>: Your JFrog Platform host (for example acme.jfrog.io).
Example:
export JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID=eyJhbGciOiJIUzI1NiIs...
jf eot my-oidc-provider --url=https://acme.jfrog.io/
When JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID is set, the <oidc-token-id> positional argument can be omitted.
When to Use
Use jf eot (exchange OIDC token) when your CI/CD platform supports OIDC identity federation with JFrog. This is the recommended authentication method for:
- GitHub Actions: Uses GitHub's built-in OIDC provider to generate short-lived tokens.
- Azure DevOps: Uses Azure AD as the OIDC provider.
- Other OIDC providers: Any provider compatible with the GenericOidc type.
OIDC eliminates the need to store long-lived access tokens as CI/CD secrets. Instead, the CI platform generates a short-lived identity token that the CLI exchanges for a JFrog access token.
Note
OIDC is an identity protocol built on top of OAuth 2.0. For setup requirements, see Prerequisites.
Troubleshooting
To fix common jf exchange-oidc-token errors:
The following table lists common errors, causes, and resolutions.
| Error | Cause | Resolution |
|---|---|---|
| server response: 401 Authentication is required | Invalid or expired OIDC token, or provider name mismatch | Verify the provider name matches the one configured in Artifactory. Ensure the OIDC token was generated in the current CI job and has not expired. |
| server response: 404 Not Found | Incorrect --url value | Confirm the Artifactory URL is correct and reachable. |
| unsupported oidc provider type: <value> | Invalid value for --oidc-provider-type | Use one of GitHub, Azure, or GenericOidc. |
| Wrong number of arguments (0) | No positional arguments provided | At least <oidc-provider-name> is required (first positional). The token can be the second positional, or --oidc-token-id, or JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID. |
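Added example (not part of the JFrog CLI or its documentation): a local pre-check for the 401 row above that decodes the OIDC token's claims inside the CI job and reports an expired token or an unexpected audience without printing the token. It assumes the provider configured in Artifactory expects the audience requested in the workflow (jfrog-github); the function names and the sample token are constructed for illustration, and the signature is not verified because this is a diagnostic, not an authentication step.

```python
import base64
import json
import time


def b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sample_token(claims):
    """Constructed, unsigned sample token (not a real CI token)."""
    return ".".join([b64url({"alg": "RS256", "typ": "JWT"}), b64url(claims), "c2ln"])


def decode_claims(jwt):
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def precheck(jwt, expected_audience, now=None, min_ttl=30):
    """List local findings that would explain a 401; [] means none found."""
    now = time.time() if now is None else now
    try:
        claims = decode_claims(jwt)
    except ValueError as err:  # covers bad base64, bad UTF-8 and bad JSON
        return [str(err)]
    problems = []
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("no numeric exp claim")
    elif exp - now < min_ttl:
        problems.append(f"token expired or expires within {min_ttl}s (exp={int(exp)})")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include {expected_audience!r}")
    return problems


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the demo is reproducible
    stale = sample_token({"aud": "jfrog-github", "exp": NOW - 600})
    for finding in precheck(stale, "jfrog-github", now=NOW):
        print("finding:", finding)  # the token itself is never printed
```

An empty result only means nothing was found locally; the provider name passed to jf eot still has to match the one configured in Artifactory.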
