Merge pull request #59 from jfrog/add-oidc-token-exchange
Add OIDC token exchange with JFrog instance
alexhung authored Apr 11, 2024
2 parents 4f60bb4 + 16b7a42 commit 2b44cca
Showing 2 changed files with 57 additions and 1 deletion.
10 changes: 9 additions & 1 deletion CHANGELOG.md
@@ -1,11 +1,19 @@
## 1.23.0 (Apr 11, 2024)

IMPROVEMENTS:

* Add support for exchanging OIDC ID token for access token using JFrog OIDC configuration

PR: [#59](https://github.com/jfrog/terraform-provider-shared/pull/59)

## 1.22.4 (Apr 4, 2024)

IMPROVEMENTS:

* Enable Resty's debug logging when `TF_LOG` is set to `DEBUG` or `TRACE`.

Issue [#16](https://github.com/jfrog/terraform-provider-shared/issues/16)
PR: [#58](https://github.com/jfrog/terraform-provider-shared/pull/57)
PR: [#58](https://github.com/jfrog/terraform-provider-shared/pull/58)

## 1.22.3 (Apr 4, 2024)

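--- a/util/util.go
+++ b/util/util.go
@@ -73,6 +73,54 @@ func SendUsage(ctx context.Context, client *resty.Client, productId string, feat
 }
 }
 
+type OIDCAccessTokenRequest struct {
+GrantType string `json:"grant_type"`
+SubjectTokenType string `json:"subject_token_type"`
+SubjectToken string `json:"subject_token"`
+ProviderName string `json:"provider_name"`
+}
+
+type OIDCAccessTokenResponse struct {
+AccessToken string `json:"access_token"`
+}
+
+// OIDCTokenExchange use TFC_WORKLOAD_IDENTITY_TOKEN env var value to exchange for a access token using
+// OIDC provider configured on JFrog platform
+func OIDCTokenExchange(ctx context.Context, client *resty.Client, providerName string) (string, error) {
+if client == nil {
+return "", fmt.Errorf("client is nil")
+}
+
+tfcWorkloadIdentityToken := CheckEnvVars([]string{"TFC_WORKLOAD_IDENTITY_TOKEN"}, "")
+if tfcWorkloadIdentityToken == "" || providerName == "" {
+tflog.Info(ctx, "either TFC_WORKLOAD_IDENTITY_TOKEN or provider name is not set")
+return "", nil
+}
+
+payload := OIDCAccessTokenRequest{
+GrantType: "urn:ietf:params:oauth:grant-type:token-exchange",
+SubjectTokenType: "urn:ietf:params:oauth:token-type:id_token",
+SubjectToken: tfcWorkloadIdentityToken,
+ProviderName: providerName,
+}
+
+var result OIDCAccessTokenResponse
+response, err := client.R().
+SetBody(payload).
+SetResult(&result).
+Post("/access/api/v1/oidc/token")
+
+if err != nil {
+return "", err
+}
+
+if response.IsError() {
+return "", fmt.Errorf(response.String())
+}
+
+return result.AccessToken, nil
+}
+
 func CheckArtifactoryLicense(client *resty.Client, licenseTypesToCheck ...string) error {
 if len(licenseTypesToCheck) == 0 {
 return fmt.Errorf("licenseTypesToCheck is empty")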
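Review bot: `fmt.Errorf(response.String())` in OIDCTokenExchange passes the response body as the format string, so a body containing `%` sequences is mangled and go vet reports a non-constant format string; prefer `return "", fmt.Errorf("oidc token exchange returned status %d: %s", response.StatusCode(), response.String())`, and wrap the transport error the same way with `return "", fmt.Errorf("oidc token exchange request: %w", err)`. The request body carries the TFC_WORKLOAD_IDENTITY_TOKEN value and the response carries the issued access token, so with the Resty debug logging that the 1.22.4 changelog entry in this commit describes under TF_LOG=DEBUG/TRACE, both credentials will presumably be written to the provider log; that deserves a sentence on the function and, ideally, masking of those two fields while debug is on. Returning `"", nil` when the env var or the provider name is empty means a caller cannot tell "not configured" from a completed exchange without also checking for an empty token, so the doc comment should state that contract, e.g. `// OIDCTokenExchange returns ("", nil) when TFC_WORKLOAD_IDENTITY_TOKEN or providerName is unset; callers must treat an empty token as "no OIDC exchange configured".` A 2xx response whose body lacks access_token produces the same ("", nil), which a guard such as `if result.AccessToken == "" { return "", fmt.Errorf("oidc token exchange: empty access_token in response") }` after the IsError check would turn into an explicit error.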
