jf exchange-oidc-token
Exchange an OIDC token ID from an OIDC provider for a valid JFrog access token. The command returns the access token and the username.
Synopsis
jf exchange-oidc-token <oidc-provider-name> <oidc-token-id> [options]Aliases: jf eot
Arguments
| Argument | Required | Description |
|---|---|---|
<oidc-provider-name> | Yes | Name of the OIDC provider |
<oidc-token-id> | Yes | OIDC token ID to exchange for an access token |
Options
| Flag | Short | Default | Description |
|---|---|---|---|
--url | — | — | JFrog Artifactory URL |
--oidc-token-id | — | — | OIDC token ID (alternative to positional argument) |
--oidc-audience | — | — | Audience for the OIDC token |
--oidc-provider-name | — | — | OIDC provider name (alternative to positional argument) |
--oidc-provider-type | — | GitHub | OIDC provider type: GitHub, Azure, or GenericOidc |
--application-key | — | — | JFrog Application Key |
--project | — | — | JFrog Artifactory project key |
--repository | — | — | Repository name to filter resource |
Environment Variables
| Variable | Description |
|---|---|
JFROG_CLI_OIDC_EXCHANGE_TOKEN_ID | OIDC token ID for automatic authentication |
Examples
Exchange an OIDC Token
jf eot <oidc-provider-name> <oidc-token-id> --url=<your-artifactory-url>You pass the provider name and token ID. The command returns a JFrog access token and username.
Use GitHub Provider Type
jf eot my-oidc-provider <token-id> --oidc-provider-type=GitHub --url=<your-url>Specify the provider type when it differs from the default.
When to Use
Use jf eot (exchange OIDC token) when your CI/CD platform supports OpenID Connect (OIDC) identity federation with JFrog. This is the recommended authentication method for:
- GitHub Actions: Uses GitHub's built-in OIDC provider to generate short-lived tokens
- Azure DevOps: Uses Azure AD as the OIDC provider
- Other OIDC providers: Any provider compatible with the GenericOidc type
OIDC eliminates the need to store long-lived access tokens as CI/CD secrets. Instead, the CI platform generates a short-lived identity token that the CLI exchanges for a JFrog access token.
Note: OIDC (OpenID Connect) is an identity protocol built on top of OAuth 2.0. Your JFrog Platform administrator must configure the OIDC integration before you can use this command. See Administration > Security > OpenID Connect in the Artifactory UI.
Updated about 1 month ago