Update JFrog GitHub OIDC setup docs

EyalDelarea · EyalDelarea · commit 8c8514ca27aa · 2025-04-17T15:28:45.000+03:00
diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-jfrog.md
@@ -1,4 +1,3 @@
----
 title: Configuring OpenID Connect in JFrog
 shortTitle: OpenID Connect in JFrog
 intro: Use OpenID Connect within your workflows to authenticate with JFrog.
@@ -19,6 +18,8 @@ OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %}
 
 This guide gives an overview of how to configure JFrog to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and demonstrates how to use this configuration in a {% data variables.product.prodname_actions %} workflow.
 
+> **Note:** If you're using the [`jfrog/setup-jfrog-cli`](https://github.com/jfrog/setup-jfrog-cli) GitHub Action (v4.5.7+), OIDC authentication is fully supported out-of-the-box. You only need to configure your provider name and audience — no manual token exchange is necessary.
+
 For an example {% data variables.product.prodname_actions %} workflow, see [Sample {% data variables.product.prodname_actions %} Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/sample-github-actions-integration) in the JFrog documentation.
 
 For an example {% data variables.product.prodname_actions %} workflow using the JFrog CLI, see [`build-publish.yml`](https://github.com/jfrog/jfrog-github-oidc-example/blob/main/.github/workflows/build-publish.yml) in the `jfrog-github-oidc-example` repository.
@@ -52,59 +53,36 @@ To use OIDC with JFrog, establish a trust relationship between {% data variables
 
 ## Updating your {% data variables.product.prodname_actions %} workflow
 
-Once you establish a trust relationship between {% data variables.product.prodname_actions %} and the JFrog platform, you can update your {% data variables.product.prodname_actions %} workflow file.
-
-In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform.
-
-The following example uses the placeholder `YOUR_PROVIDER_NAME`.
+### Example: Authenticating with JFrog using OIDC
 
 ```yaml
-- name: Fetch Access Token from Artifactory
-        id: fetch_access_token
-        env:
-          ID_TOKEN: ${{ steps.idtoken.outputs.id_token }}
-        run: |
-          ACCESS_TOKEN=$(curl \
-          -X POST \
-          -H "Content-type: application/json" \
-          https://example.jfrog.io/access/api/v1/oidc/token \
-          -d \
-          "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"YOUR_PROVIDER_NAME\"}" | jq .access_token | tr -d '"')
-          echo ACCESS_TOKEN=$ACCESS_TOKEN >> $GITHUB_OUTPUT
-```
-
-The following example shows part of a {% data variables.product.prodname_actions %} workflow file using cURL.
-
-```yaml
-- name: Get ID Token (cURL method)
-        id: idtoken
-        run: |
-          ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
-          echo "ID_TOKEN=${ID_TOKEN}" >> $GITHUB_OUTPUT
-```
+permissions:
+  id-token: write
+  contents: read
 
-Alternatively, you can set the audience as an environment variable using the `env` context. For more information about the `env` context, see [AUTOTITLE](/actions/learn-github-actions/contexts#env-context).
-
-{% data reusables.actions.oidc-deployment-protection-rules %}
-
-```yaml
 jobs:
   build:
     runs-on: ubuntu-latest
-    env:
-      OIDC_AUDIENCE: 'YOUR_AUDIENCE'
+    steps:
+      - name: Setup JFrog CLI with OIDC
+        uses: jfrog/setup-jfrog-cli@v4
+        with:
+          oidc-provider-name: 'YOUR_PROVIDER_NAME'
+          oidc-audience: 'YOUR_AUDIENCE'
+
+      - name: Upload artifact
+        run: jf rt upload "dist/*.zip" my-repo/
 ```
 
-Then, in your workflow file, retrieve the value of the variables stored in the `env` context. The following example uses the `env` context to retrieve the OIDC audience.
+## Security Best Practices
 
-```yaml
-- name: Get ID Token (using env context)
-        uses: {% data reusables.actions.action-github-script %}
-        id: idtoken
-        with:
-          script: |
-            const coredemo = require('@actions/core');
-            let id_token = await coredemo.getIDToken(process.env.OIDC_AUDIENCE);
-            coredemo.setOutput('id_token', id_token);
+- Always use `permissions: id-token: write` in workflows that authenticate with JFrog.
+- Limit trust using specific claims like `repository`, `ref`, or `environment`.
+- Configure identity mappings in JFrog to restrict which workflows are allowed to authenticate.
+
+## Further Reading
+
+- [JFrog OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration)
+- [GitHub Docs: About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
+- [JFrog CLI Docs: `exchange-oidc-token` command (manual usage)](https://jfrog.com/help/r/jfrog-cli-documentation/oidc-commands#exchange-oidc-token)
 ```
