Artifactory access token

How to Use Access Tokens to Discover the Groups to Which Users Belong

Muhammed Kashif
2021-09-14 13:59

Generally, you will create access tokens for one of two reasons:

  • to give a user or an automation client credentials that are narrower and shorter-lived than a password

  • to meet an immediate, short-term need for access

From time to time, you might need to view the details of a particular user's access token (e.g., to discover how many groups the token's user is assigned to). An Artifactory access token is a JSON Web Token (JWT), so its claims can be read with any tool that decodes and verifies JWTs, such as the jwt.io debugger (bear in mind that pasting a live token into a third-party web page hands that token to the page; prefer a local decoder for production tokens):
(screenshot of the decoded token omitted)
Equally handy is the JWT-CLI, which is “an npm CLI program for decoding JSON Web Tokens (JWTs) and the Unix timestamps within their bowels.”
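Scripting the same inspection locally, as an added example in Go that is not part of this article or of JFrog's tooling: the program splits a token into its three segments, base64url-decodes the payload without checking the signature (so it tells you what a token claims, not whether the claim is genuine), pulls the group names out of the scope claim, and reports how long the token remains valid. The claim names (scp for scope, aud, iss, exp, iat, jti) are assumed here to be the ones Access writes into its tokens; the sample token, its values and the service name jfrt@example-service are constructed inside the program and carry no real signature.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds the payload fields this example reads. The JSON names are the
// registered JWT claims plus "scp", assumed here to be Access's scope claim.
type Claims struct {
	Subject   string `json:"sub"`
	Scope     string `json:"scp"`
	Audience  string `json:"aud"`
	Issuer    string `json:"iss"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp,omitempty"` // absent or 0 when the token never expires
	TokenID   string `json:"jti"`
}

// DecodeClaims reads the payload segment of a JWT WITHOUT verifying the
// signature. Use it only on tokens you already trust: anyone can craft a
// payload, so unverified claims prove nothing about the bearer.
func DecodeClaims(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("not a JWT: expected header.payload.signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("payload is not base64url: %w", err)
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, fmt.Errorf("payload is not JSON: %w", err)
	}
	return c, nil
}

// Groups lists the group names in a scope such as
// "member-of-groups:readers,deployers api:*". A "*" entry means every group.
func Groups(scope string) []string {
	var groups []string
	for _, item := range strings.Fields(scope) {
		if !strings.HasPrefix(item, "member-of-groups:") {
			continue
		}
		for _, g := range strings.Split(strings.TrimPrefix(item, "member-of-groups:"), ",") {
			if g = strings.TrimSpace(g); g != "" {
				groups = append(groups, g)
			}
		}
	}
	return groups
}

// Remaining reports how long the token is still valid at time now. ok is false
// once the token has expired; a missing exp means it never expires.
func Remaining(c Claims, now time.Time) (left time.Duration, ok bool) {
	if c.ExpiresAt == 0 {
		return 0, true
	}
	left = time.Unix(c.ExpiresAt, 0).Sub(now)
	return left, left > 0
}

// SampleToken builds an unsigned token with invented values for the demo.
// Real Access tokens carry an RS256 signature in the third segment.
func SampleToken() string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload, _ := json.Marshal(Claims{
		Subject:   "jfrt@example-service/users/ci-bot",
		Scope:     "member-of-groups:readers,deployers api:*",
		Audience:  "jfrt@*",
		Issuer:    "jfrt@example-service",
		IssuedAt:  1600000000,
		ExpiresAt: 1600003600,
		TokenID:   "constructed-sample",
	})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
}

func main() {
	c, err := DecodeClaims(SampleToken())
	if err != nil {
		panic(err)
	}
	fmt.Println("subject:", c.Subject)
	fmt.Println("groups:", Groups(c.Scope))
	if left, ok := Remaining(c, time.Now()); ok {
		fmt.Println("valid for:", left)
	} else {
		fmt.Println("token has expired")
	}
}
```

Run it with a real token in place of SampleToken() to list the groups a CI token carries; DecodeClaims deliberately stops short of signature checking, which only the issuing service's root certificate can do.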

Published: June 22, 2020
Last updated: Jan. 14, 2021

Source: https://jfrog.com/knowledge-base/how-to-use-access-tokens-to-discover-the-groups-to-which-users-belong/

Access Tokens


Cross-Instance Authentication

Access tokens support cross-instance authentication through a "circle of trust" established by sharing a public certificate among all participating instances. It is up to the Service administrator to make sure that all participating instances are equipped with the certificates. This means that any instance can generate a token to be used with any other instance within the circle of trust. When a Service instance receives a REST API call authenticated by a signed token, it will use the root certificate that includes the public key to verify that its issuer is in the circle of trust. Even while running, the system is aware of any new certificates that have been added or removed.  

Limitations

Access checks whether a token is revocable against the threshold parameter set in the Access configuration file (access.config.yaml).
If a token was created on a different instance and is checked for revocation, it is considered revoked, because it does not exist in the checking instance's database (unless Access Federation is used).
Therefore, by default, only non-revocable tokens (tokens whose expiry is below the threshold) can be used for authentication on an instance other than the one that created them.

By default, only the issuing instance can refresh a token. For synchronizing tokens across services, see Access Federation.
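The verification step described above, as an added example in Go that is not Access's own code: a service holds the public keys of the issuers it trusts (in Access these come from the root certificates in the trusted/ folder; here they are passed in as a map keyed by issuer), pins the signature algorithm to RS256 (assumed to be what Access signs with), looks the key up by the token's iss claim, and only then checks the signature. Expiry and revocation checks are left out to keep the focus on issuer trust. The keys, the service names (jfrt@us-east and so on) and the tokens are all generated inside the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// TrustStore maps an issuer (the token's "iss" claim, a service ID) to the RSA
// public key taken from that service's root certificate in the trusted/ folder.
type TrustStore map[string]*rsa.PublicKey

// fields covers both segments: alg lives in the header, iss/sub in the payload.
type fields struct {
	Alg     string `json:"alg,omitempty"`
	Issuer  string `json:"iss,omitempty"`
	Subject string `json:"sub,omitempty"`
}

func segment(v fields) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}

func decode(seg string) (f fields, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err == nil {
		err = json.Unmarshal(raw, &f)
	}
	return f, err
}

// Verify accepts a token only if its alg is RS256 and its signature checks out
// under the key stored for its iss. The issuer is resolved before any signature
// arithmetic, so a token from outside the circle of trust, or one that rewrites
// alg to "none", is refused without touching a key.
func (ts TrustStore) Verify(token string) (issuer, subject string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", "", errors.New("malformed token")
	}
	h, err := decode(parts[0])
	if err != nil {
		return "", "", err
	}
	if h.Alg != "RS256" {
		return "", "", fmt.Errorf("refusing alg %q", h.Alg)
	}
	c, err := decode(parts[1])
	if err != nil {
		return "", "", err
	}
	key, ok := ts[c.Issuer]
	if !ok {
		return "", "", fmt.Errorf("issuer %q is not in the circle of trust", c.Issuer)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return "", "", errors.New("signature does not verify under the issuer's key")
	}
	return c.Issuer, c.Subject, nil
}

// Sign plays the issuing service and mints an RS256 token; it is a stand-in
// for this example, not Access's signer.
func Sign(priv *rsa.PrivateKey, issuer, subject string) string {
	input := segment(fields{Alg: "RS256"}) + "." + segment(fields{Issuer: issuer, Subject: subject})
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// StripSignature rewrites the header to alg "none" and drops the signature,
// the classic downgrade a verifier must reject.
func StripSignature(token string) string {
	return segment(fields{Alg: "none"}) + "." + strings.Split(token, ".")[1] + "."
}

// NewServiceKey generates a throwaway 2048-bit key pair for an invented service.
func NewServiceKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func main() {
	east, central := NewServiceKey(), NewServiceKey()
	// us-west holds us-east's root certificate in its trusted/ folder but
	// knows nothing about us-central (all service names are invented).
	west := TrustStore{"jfrt@us-east": &east.PublicKey}
	good := Sign(east, "jfrt@us-east", "ci-bot")
	for label, tok := range map[string]string{
		"us-east token":      good,
		"us-central token":   Sign(central, "jfrt@us-central", "ci-bot"),
		"forged issuer":      Sign(central, "jfrt@us-east", "ci-bot"),
		"alg none downgrade": StripSignature(good),
	} {
		_, sub, err := west.Verify(tok)
		fmt.Printf("%-20s subject=%q err=%v\n", label, sub, err)
	}
}
```

The order of the checks is the point: the verifier decides which key applies from the issuer it trusts, never from anything the token itself suggests, and a token whose header asks for no signature at all is rejected before the claims are even consulted.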

Cross instance authentication

Establishing a Circle of Trust

To establish a "circle of trust" between JFrog services, you need to exchange public certificates between the services.
To exchange the certificates, copy a service's root certificate into the other service's trusted keys folder.

The service's root certificate can be obtained, for example, with the Get Root Certificate REST API described in the REST API section below.

Providing a Custom CA Certificate to Access

You can provide a custom CA certificate and matching private key, to be used by Access, for signing the TLS certificates used by all the different JFrog Platform nodes.

Your custom CA certificate must meet the following prerequisites:

  • The private key must use the RSA algorithm
  • The private key must be at least 1024 bits (this is the minimum Access accepts; use 2048 bits or more in practice)
  • The certificate must match the provided private key
  • The certificate must be valid for at least the next 7 days
  • The certificate must carry the CA basic constraint
  • SAN (subjectAltName) must not be set
  • The key usage extension must be marked CRITICAL
  • The key usage extension must have the required usage bits enabled

To load a custom CA certificate and matching private key:

  1. Create the certificate and private key files and place them in the Access keys folder.
  2. Restart Artifactory.

After the restart, the files are removed from the folder where you placed them and stored in the Artifactory database.
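The prerequisites above can be checked before the restart instead of being discovered from a failed start-up. The following Go program is an added example and not part of JFrog's tooling: it validates a certificate and private key pair against the listed conditions with the standard crypto/x509 package, and includes a helper that mints a constructed self-signed CA so the check can be exercised offline. The specific key usage bits are not recoverable from this copy of the page, so the check requires only keyCertSign, which any CA that signs certificates must carry; the CA name example-custom-ca and the SAN ca.example.internal are invented.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}
	oidSAN      = asn1.ObjectIdentifier{2, 5, 29, 17}
)

// CheckCustomCA returns one message per prerequisite the pair fails; an empty
// result means the pair is acceptable as a custom CA for Access.
func CheckCustomCA(cert *x509.Certificate, key *rsa.PrivateKey) []string {
	var problems []string
	fail := func(format string, a ...interface{}) {
		problems = append(problems, fmt.Sprintf(format, a...))
	}
	if bits := key.N.BitLen(); bits < 1024 {
		fail("private key is %d-bit; Access needs at least 1024 (use 2048 or more)", bits)
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		fail("certificate public key is not RSA")
	} else if !pub.Equal(&key.PublicKey) {
		fail("certificate does not match the private key")
	}
	if cert.NotAfter.Before(time.Now().Add(7 * 24 * time.Hour)) {
		fail("certificate expires %s, less than 7 days from now", cert.NotAfter.Format(time.RFC3339))
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		fail("certificate is not marked CA in basicConstraints")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		fail("keyUsage does not enable keyCertSign (or the extension is missing)")
	}
	for _, ext := range cert.Extensions {
		switch {
		case ext.Id.Equal(oidKeyUsage) && !ext.Critical:
			fail("keyUsage extension is not marked critical")
		case ext.Id.Equal(oidSAN):
			fail("subjectAltName must not be set on the CA certificate")
		}
	}
	return problems
}

// SelfSignedCA mints a constructed CA pair so the check can run offline;
// validDays and withSAN let callers produce deliberately non-compliant input.
func SelfSignedCA(bits, validDays int, withSAN bool) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-custom-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Duration(validDays) * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if withSAN {
		tmpl.DNSNames = []string{"ca.example.internal"}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	good, goodKey, err := SelfSignedCA(2048, 365, false)
	if err != nil {
		panic(err)
	}
	bad, badKey, err := SelfSignedCA(2048, 2, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("compliant pair:", CheckCustomCA(good, goodKey))
	fmt.Println("short-lived CA with SAN:", CheckCustomCA(bad, badKey))
	fmt.Println("certificate with the wrong key:", CheckCustomCA(good, badKey))
}
```

To check real material, parse the PEM files with encoding/pem and x509.ParseCertificate / x509.ParsePKCS1PrivateKey (or ParsePKCS8PrivateKey) and pass the results to CheckCustomCA; an empty result is the go-ahead for the restart.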

Trust can be established between multiple services; you need to make sure that all participating instances in the circle of trust are equipped with the relevant public keys (root certificates). Note that trust can be unidirectional or bidirectional: a service accepts tokens only from issuers whose certificate is present in its own trusted folder. Each service watches its directory of trusted public keys and reloads them when it needs to verify a token.

Renaming the source service’s certificate

Since trust can be created between multiple services, rename each source service's certificate with a meaningful name. For example, if one service named “us-east” should be trusted by another service named “us-west”, then the root certificate of us-east should be copied to $JFROG_HOME/artifactory/var/etc/access/keys/trusted/us-east.crt on us-west.


Certificates in HA

Keypair propagation in an existing HA cluster

When using certificates in High Availability clusters, the private.key and root.key are propagated automatically and are updated between the cluster nodes.


Using Tokens

There are several ways you can use access tokens for authentication.

Basic Authentication

An access token can be used instead of a password for basic authentication. This may be useful when a client that only supports basic authentication (such as certain dependency managers) needs to access Artifactory. In this case, it is important to access Artifactory with the same user name that was provided when the token was created (the username parameter).

For example, to use an access token as a password to ping JFrog Platform URL, you could use:

curl -u<USERNAME>:<TOKEN> http://JFROG_PLATFORM_URL/router/api/v1/system/ping

Authorization Headers

An access token can be used as a bearer token in the Authorization header. This is especially useful for authenticating CI servers with Artifactory instead of using credentials, since you don't need a user defined in Artifactory as long as the group named in the token's member-of-groups scope is configured in that Artifactory instance. As a result, there is no need to manage fictitious users for the different automation tools that need access to Artifactory.

For example, to use an access token as a bearer token to ping Artifactory you could use:

curl -H "Authorization: Bearer <TOKEN>" http://JFROG_PLATFORM_URL/router/api/v1/system/ping

Support Authentication for Non-Existing Users

One of the big advantages of access tokens is the fact that you don't have to create a user in Artifactory to use them. When creating a token, you can specify a user name that does not exist, and Artifactory will create a transient user that will only exist as long as the token is valid. This can be useful when providing access to different tools such as a CI server coordinating a build without having to manage fake user accounts. This method is also more secure since you can assign a new token for each "job" that the external tool runs.

Artifactory Administrator Only

Note that this feature is only available to Artifactory administrators, since non-admin users can only create tokens with themselves as the subject.


Generating Expirable Tokens

By default, expirable tokens cannot be revoked, but this can be configured.

When creating a token, if the token expiry is set to a value smaller than the revocation threshold parameter specified in the Access YAML configuration, the token is non-revocable.

By default, the value of that parameter is 21600, which means that any token created with an expiry of less than six hours (including a token created with the default one-hour expiry) cannot be revoked until it expires naturally.

You can limit the validity period of a token by setting its expiry when generating it. If set, the token is valid until the expiration time passes.
You can also make a token non-expirable by setting the expiry to zero, in which case it is valid indefinitely until actively revoked.

This value is set with the "expires_in=<VALUE_IN_SECONDS>" parameter when generating the token (see the example in the REST API section below). If the parameter is not used, the default is 3600, meaning the token is valid for one hour.

Artifactory Administrator Only

Only an Artifactory administrator can set the validity period of a token to any value.

Non-admin users can only set the token validity period to a value equal to or less than the maximum allowed value, which is spec​ified by a parameter in the Access configuration file (default: 3600).

Note: that maximum cannot be set to a value higher than the revocation threshold parameter described above.

Generating Refreshable Tokens

As mentioned above, you can limit the validity period of a token by setting its expiry time. To allow the access privileges of a token to be extended once it has expired, you can provide a refresh token, which generates a new token with the same privileges as the original one. This takes token management out of the hands of the issuer and delegates it to the user who received the token.

Who can refresh?

Only the instance (or HA cluster) that issued a refreshable token can actually refresh it.

Limitation

SCIM integration ensures that an external user who has created a token cannot refresh it after being removed from the external authentication server.

However, if your organization has not enabled SCIM, an external user who has created a token can still refresh it even after being removed; it is therefore recommended to implement SCIM in your system.


Generating Admin Tokens

Available from Artifactory version 7.4.

In general, the scope of a token is defined by specifying the groups into which the token is included; however, an Artifactory administrator can also create a token with admin privileges. This is useful for JFrog Mission Control and JFrog Xray, since both of these complementary applications require admin permissions to work seamlessly with Artifactory. With this capability, when Mission Control or Xray connects to an instance of Artifactory, it can create an admin token and use that for authentication instead of basic authentication with a username and password.

To create an admin token, from the Administration module, go to Identity and Access | Access Tokens and click Generate Admin Token.

The services that appear in the screen are only those services that you added.



Viewing and Revoking Tokens

Any token created with an expiry greater than the revocation threshold parameter can be revoked using the Revoke Token REST API endpoint or from the Access Tokens page in the UI. Note that you can only revoke a token on the instance (or cluster) that issued it, unless that instance is part of an Access Federation setup (which requires an Enterprise+ license).

A token with an expiry specified will lapse automatically upon reaching its expiry period.

A token that is not expirable (i.e., it was created with expires_in set to 0) must be actively revoked to terminate its usage.

To revoke an access token:

  1. From the Administration module, select Identity and Access | Access Tokens.
  2. From the list, select an access token and click Revoke.

REST API

All management of access tokens is done via REST API through the endpoints described below.

Get Root Certificate

Receive public root certificate for the server

For details, refer to the JFrog Artifactory REST API documentation for Get Root Certificate

Create Token

Creates an access token. 

For details, refer to the JFrog Artifactory REST API documentation for Create Token.

Refresh Token

Refresh an access token to extend its validity. If only the access token and the refresh token are provided (and no other parameters), this pair is used for authentication. If username or any other parameter is provided, then the request must be authenticated by a token that grants admin permissions.

For details, refer to the JFrog Artifactory REST API documentation for Refresh Token.

Revoke Token

Revoke an access token 

For details, refer to the JFrog Artifactory REST API documentation for Revoke Token.

Get Service ID

Provides the service ID of an Artifactory instance or cluster

For details, refer to the JFrog Artifactory REST API documentation for Get Service ID.

Source: https://www.jfrog.com/confluence/display/JFROG/Access+Tokens

ACCESS – Access token created using the Create Token REST API cannot be used for events REST API, how to overcome this?

Muhammed Kashif
2021-06-22 06:29

Note: This article applies up to Artifactory version 7.12.x.

Access tokens created using the Create Token REST API in Artifactory 7.9 and above cannot be used for event-based REST API calls.
There are two ways to overcome this:

1. To use an access token for event-based REST API calls, create an admin access token from the UI.

2. Sometimes the access token has to be generated with the REST API (for example, for automation run by users who belong to admin groups). The only way to obtain a token that works with the event-based REST API in that case is to generate a token with the Create Token REST API, use it to generate an Access admin token, and then use that to generate the events token. The steps are:

  • Create the token using the Create Token REST API:
curl -uadmin:password -XPOST "http://myart/artifactory/api/security/token" -d "username=testuser" -d "scope=member-of-groups:admingroup"
  • Get the Artifactory service ID using the Get Service ID REST API; the output has the form jfrt@<service_id>:
curl -uadmin:password -XGET "http://myart/artifactory/api/system/service_id"
  • Create an Access admin token with the REST API below, passing the service ID from step 2's output. This step generates the access token that can mint a token for the events REST API:
curl -H "Authorization: Bearer <token from step 1>" -XPOST "http://myart/artifactory/api/security/access/admin/token" -H "Content-Type: application/json" -d '{ "service_id" : "jfrt@<service_id>" }'
  • Create the access token that will have access to the event-based REST API, with the audience set to the service ID from step 2:
curl -H "Authorization: Bearer <token from step 3>" -XPOST http://myart/access/api/v1/oauth/token -d 'username=testuser' -d 'scope=applied-permissions/admin' -d 'audience=jfrt@<service_id>*' -d 'refreshable=true' -d 'grant_type=client_credentials'
  • Call the events REST API with the token from step 4; it works as expected:
curl -H "Authorization: Bearer <token from step 4>" -XGET "http://myart/event/api/v1/subscriptions"

The token from step 4 carries admin permissions and is refreshable, so treat it as a privileged credential: store it as you would an admin password, give it an expiry where the automation allows, and revoke it as soon as it is no longer needed.
Source: https://jfrog.com/knowledge-base/access-token-created-using-the-create-token-rest-api-cannot-be-used-for-events-rest-api-how-to-overcome-this/

How to generate an access token? [Video]

Ohad Levy
2021-02-04 09:21

In this video we will go through the methods of generating an Artifactory access token. We will generate a token via both UI and Rest API methods. Next we will use the token to resolve an item from Artifactory

 

Video Transcription

Hello everyone. My name is Ohad and I’m from JFrog Support. Today I’m going to show you a quick video on how to generate access tokens. So once you’re logged into Artifactory, you can go to the Administration tab, you press right here. Then we’re going to choose Identity and Access, then Access Tokens. Via the UI, we only have the option to generate admin tokens. So this will create an admin token with the admin permission levels. So once you press Generate Admin Token, you will be shown this window. And here we have the option to choose Never Expires or Set Token Expiry. I’m going to choose a token that never expires for this example. I’m going to press Generate, and this is the token value. Please note that once you close this window, you will never be able to see this token value.

So make sure you save it. I’m going to copy to clipboard and then close. And you can see the token right here. Next we’re going to generate the token via the REST API. So this is the command: curl, the username, the password, it’s a POST request. The endpoint is api/security/token. And here, the username is the name for the token. Variable is admin. Next, we will see its test. As I said, via the UI we only have the option to create admin token level. Via the REST API, you can choose to give a scope of a group in Artifactory. So in my Artifactory, I have a group called readers and its permission level is only to read files from Artifactory. So for example, I won’t be able when using this token to deploy any password to Artifactory. Next, I set the expiry to zero, as we did in the UI. I’m going to press enter. And this is my token. I’m going to copy it.

Save it. And next we’re going to try and resolve the file from Artifactory without any credentials. It’s going to fail. And then we’re going to use the same command with the token and see that we’re able to fetch the file. So this is the command. I already deployed the file name, text test, to a generic repository called generic local. And if I try to fetch it, I see that authentication is required. So, here I’m going to set an environment variable called token, and I’m going to input the token about here. And next, I’m going to use this command, which has the token applied in it. So it’s curl -H, Authorization, Bearer, token, and the same endpoint as before, generic local, text test. You want to press enter. And we can see the content of this file. Thank you for watching. Let me know if you have any questions, leave any comments you have. Have a great day.

Source: https://jfrog.com/knowledge-base/how-to-generate-an-access-token-video/


What are Access and refresh tokens in Artifactory ?

Nimer Bsoul
2021-08-10 09:29

Access Tokens

An access token can be used as an alternative to basic username-and-password authentication, and access tokens are much more versatile.

You can think of access tokens as somewhat akin to the electronic key cards you get when you check in to a hotel. A token is immutable, which means it can't be changed after it has been created, and after it has expired or been revoked, it can’t be used again.

On any given access token, you can set a variety of claims. This gives you granular control over who does and doesn't have access to your system. These claims include:

  • What can be accessed with the token (scope)
  • How long the token will be valid (expires-by)
  • Which servers can accept the token (audience)

It's highly recommended to set token claims such that they permit the least access required by the clients who are using them.

Refresh Tokens

A refresh token is a special kind of token that can be used to obtain a renewed access token. You can use a refresh token to request a new access token until the refresh token becomes invalid (expired, revoked, etc.).

Note: When you use a refresh token, you do not extend your original access token, but get a brand new access token. This new access token can have its own new refresh token as well.

Refresh tokens must be stored securely by an application, because they essentially allow a user to remain authenticated indefinitely.

There are two exceptions to a token's permissions being fixed at creation:

  1. If the access token is given the scope “member-of-groups:*” for example, then the permissions are evaluated when the token is used. This means that after the token has been created, the user’s permissions might change and therefore it would affect the token’s permissions.
  2. A given refresh token will not necessarily have the same permissions as the old token for which you are requesting renewal.

The Refresh Token REST API accepts new claims, but it always creates a brand-new token string in exchange for the refresh token; as a result, the old token becomes irrelevant and cannot be reused.

If a refresh token is missing or lost, the user cannot generate a new token with the desired permissions. In such situations, the token must be created again from scratch; it is impossible to modify or change an existing access token without its refresh token.
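How a client should hold the pair described above, as an added Go example that is not JFrog's code: the session tracks expiry from the expires_in value returned with the token, refreshes shortly before the access token lapses, replaces both the access and the refresh token with the new pair, and stops with an error once an expired token has no refresh token to renew it. The Refresher type, the fake endpoint (which, like the real one, honours only the most recently issued refresh token) and the fake clock are constructed for the example; in production the Refresher wraps the Refresh Token REST call, and the token strings access-0, refresh-0 and so on are placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// TokenPair mirrors what the Create Token and Refresh Token REST APIs return:
// access_token, refresh_token (empty if not refreshable) and expires_in in
// seconds, where 0 means the access token never expires.
type TokenPair struct {
	AccessToken  string
	RefreshToken string
	ExpiresIn    int
}

// Refresher exchanges the current pair for a new one; in production it wraps
// the Refresh Token REST call.
type Refresher func(accessToken, refreshToken string) (TokenPair, error)

// Session hands out a bearer token and rotates it shortly before it lapses.
type Session struct {
	mu        sync.Mutex
	pair      TokenPair
	expires   bool
	expiresAt time.Time
	refresh   Refresher
	now       func() time.Time
	skew      time.Duration // rotate this long before expiry
}

// NewSession takes a clock so rotation can be exercised without waiting.
func NewSession(p TokenPair, r Refresher, now func() time.Time) *Session {
	s := &Session{refresh: r, now: now, skew: 30 * time.Second}
	s.install(p)
	return s
}

func (s *Session) install(p TokenPair) {
	s.pair, s.expires = p, p.ExpiresIn > 0
	if s.expires {
		s.expiresAt = s.now().Add(time.Duration(p.ExpiresIn) * time.Second)
	}
}

// Token returns an access token good for at least skew more time, refreshing
// first if needed. On refresh the old pair is overwritten: the server has
// voided it, and keeping a copy only widens the blast radius of a leak.
func (s *Session) Token() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.expires || s.now().Add(s.skew).Before(s.expiresAt) {
		return s.pair.AccessToken, nil
	}
	if s.pair.RefreshToken == "" {
		return "", errors.New("access token expired and no refresh token is held; create a new token")
	}
	fresh, err := s.refresh(s.pair.AccessToken, s.pair.RefreshToken)
	if err != nil {
		return "", fmt.Errorf("refresh failed: %w", err)
	}
	s.install(fresh)
	return s.pair.AccessToken, nil
}

// FakeClock moves time forward on demand (constructed for the example).
type FakeClock struct{ t time.Time }

func NewFakeClock() *FakeClock           { return &FakeClock{t: time.Unix(1600000000, 0)} }
func (c *FakeClock) Now() time.Time      { return c.t }
func (c *FakeClock) Advance(seconds int) { c.t = c.t.Add(time.Duration(seconds) * time.Second) }

// FakeEndpoint imitates the single-use behaviour of the Refresh Token API: only
// the most recently issued refresh token is accepted, and every refresh returns
// a brand-new pair with its own refresh token.
type FakeEndpoint struct {
	Calls int    // successful refreshes so far
	valid string // the one refresh token the server still honours
}

func NewFakeEndpoint(initialRefresh string) *FakeEndpoint { return &FakeEndpoint{valid: initialRefresh} }

func (f *FakeEndpoint) Refresh(_, refreshToken string) (TokenPair, error) {
	if refreshToken != f.valid {
		return TokenPair{}, errors.New("refresh token invalid or already used")
	}
	f.Calls++
	f.valid = fmt.Sprintf("refresh-%d", f.Calls)
	return TokenPair{AccessToken: fmt.Sprintf("access-%d", f.Calls), RefreshToken: f.valid, ExpiresIn: 3600}, nil
}

func main() {
	clock, api := NewFakeClock(), NewFakeEndpoint("refresh-0")
	s := NewSession(TokenPair{AccessToken: "access-0", RefreshToken: "refresh-0", ExpiresIn: 3600}, api.Refresh, clock.Now)
	for _, step := range []int{0, 3590, 60, 4000} {
		clock.Advance(step)
		tok, err := s.Token()
		fmt.Printf("+%5ds token=%s err=%v refreshes=%d\n", step, tok, err, api.Calls)
	}
	_, err := api.Refresh("access-0", "refresh-0") // replaying the voided pair
	fmt.Println("replay of an old refresh token:", err)
}
```

The refresh token is the long-lived secret here, so it belongs in the same storage class as a password; the access token it mints is disposable and is overwritten on every rotation.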

Source: https://jfrog.com/knowledge-base/what-are-access-and-refresh-tokens-in-artifactory/

Cross-Instance Authentication

Access tokens support cross-instance authentication through a "circle of trust" established by sharing a public certificate among all participating instances. It is up to the Service administrator to make sure that all participating instances are equipped with the certificates. This means that any instance can generate a token to be used with any other instance within the circle of trust. When a Service instance receives a REST API call authenticated by a signed token, it will use the root certificate that includes the public key to verify that its issuer is in the circle of trust. Even while running, Access is aware of any new certificates that have been added or removed.  

Limitations

Access checks whether a token is revocable against the threshold parameter set in the Access configuration file.
If a token was created on a different instance and is checked for revocation, it is considered revoked, because it does not exist in the checking instance's database. Therefore, by default, only non-revocable tokens (tokens whose expiry is below the threshold) can be used for authentication on an instance other than the one that created them.

Only the issuing instance can refresh a token.

Cross instance authentication

Setting the Private Key and Root Certificate

It is up to the Service administrator to make sure that all participating instances are equipped with the public key (root certificate).

Access watches a directory of trusted public keys with nio WatchService and reloads the keys when it needs to verify a token.

All you need to do is place the keys under $ACCESS_HOME/etc/keys/trusted

Access home layout:

[$ACCESS_HOME]

|
+-- etc/
   +-- keys/
       |-- root.crt
       |-- private.key
       +-- trusted/
           |-- [name].crt
           |-- [name2].crt
           |-- [name3].crt
           +-- ...

Artifactory HA

For Artifactory HA installations, root certificates should be placed under the trusted keys folder on each node of the cluster.

Keypair propagation in an existing HA cluster

With High Availability clusters, the private.key and root.key are propagated automatically and updated from what is saved in the cluster's shared database.

The steps should be performed on the primary node, which also prints the following entry in its log:

Publish changes to another access peer [http://<artifactoryNode>:<port>/access] successfully

Using Tokens

There are several ways you can use access tokens for authentication.

Basic Authentication

An access token can be used instead of a password for basic authentication. This may be useful when a client that only supports basic authentication (such as certain dependency managers) needs to access Artifactory. In this case, it is important to access Artifactory with the same user name that was provided when the token was created (the username parameter).

For example, to use an access token as a password to ping Artifactory you could use:

curl -u<USERNAME>:<TOKEN> http://ARTIFACTORY_URL/api/system/ping

An access token can be used as a bearer token in the Authorization header. This is especially useful for authenticating CI servers with Artifactory instead of using credentials, since you don't need a user defined in Artifactory as long as the group named in the token's member-of-groups scope is configured in that Artifactory instance. As a result, there is no need to manage fictitious users for the different automation tools that need access to Artifactory.

For example, to use an access token as a bearer token to ping Artifactory you could use:

curl -H "Authorization: Bearer <TOKEN>" http://ARTIFACTORY_URL/api/system/ping

Support Authentication for Non-Existing Users

One of the big advantages of access tokens is the fact that you don't have to create a user in Artifactory to use them. When creating a token, you can specify a user name that does not exist, and Artifactory will create a transient user that will only exist as long as the token is valid. This can be useful when providing access to different tools such as a CI server coordinating a build without having to manage fake user accounts. This method is also more secure since you can assign a new token for each "job" that the external tool runs.

Artifactory Administrator Only

Note that this feature is only available to Artifactory administrators, since non-admin users can only create tokens with themselves as the subject.


Generating Expirable Tokens

By default, expirable tokens cannot be revoked, but this can be configured.

When creating a token, if the token expiry is set to a value smaller than the revocation threshold parameter specified in the configuration file, the token is non-revocable.

By default, the value of that parameter is -1, which means that any token with an expiry specified cannot be revoked until it expires naturally.

You can limit the validity period of a token by setting its expiry when generating it. If set, the token is valid until the expiration time passes.
You can also make a token non-expirable by setting the expiry to zero, in which case it is valid indefinitely until actively revoked.

This value is set with the "expires_in=<VALUE_IN_SECONDS>" parameter when generating the token (see the example in the REST API section below). If the parameter is not used, the default is 3600, meaning the token is valid for one hour.

Artifactory Administrator Only

Note that from version 6.5, only an Artifactory administrator can set the validity period of a token to any value.

Non-admin users can only set the token validity period to a value equal to or less than the maximum allowed value, which is specified by a parameter in the Access configuration file (default: 3600).

Generating Refreshable Tokens

As mentioned above, you can limit the validity period of a token by setting its expiry time. To allow the access privileges of a token to be extended once it has expired, you can provide a refresh token, which generates a new token with the same privileges as the original one. This takes token management out of the hands of the issuer and delegates it to the user who received the token.

Who can refresh?

Only the instance (or HA cluster) that issued a refreshable token can actually refresh it.

Limitation

An external user who has created a token is still able to refresh it even after being removed from the external authentication server.


Generating Admin Tokens

In general, the scope of a token is defined by specifying the groups into which the token is included; however, an Artifactory administrator can also create a token with admin privileges. This is useful for JFrog Mission Control and JFrog Xray, since both of these complementary applications require admin permissions to work seamlessly with Artifactory. With this capability, when Mission Control or Xray connects to an instance of Artifactory, it can create an admin token and use that for authentication instead of basic authentication with a username and password.


Revoking Tokens

Any token created with an expiry greater than the revocation threshold parameter can be revoked using the Revoke Token REST API endpoint. Note that you can only revoke a token on the instance (or cluster) that issued it, unless that instance is part of an Access Federation setup (which requires an Enterprise+ license).

A token with an expiry specified will lapse automatically upon reaching its expiry period.

A token that is not expirable (i.e., it was created with expires_in set to 0) must be actively revoked to terminate its usage.


REST API

All management of access tokens is done via REST API through the endpoints described below.

Create Token

Creates an access token. 

For details, refer to the JFrog Artifactory REST API documentation for Create Token.

Refresh Token

Refresh an access token to extend its validity. If only the access token and the refresh token are provided (and no other parameters), this pair is used for authentication. If username or any other parameter is provided, then the request must be authenticated by a token that grants admin permissions.

For details, refer to the JFrog Artifactory REST API documentation for Refresh Token.  

Revoke Token

Revoke an access token 

For details, refer to the JFrog Artifactory REST API documentation for Revoke Token.  

Get Service ID

Provides the service ID of an Artifactory instance or cluster

For details, refer to the JFrog Artifactory REST API documentation for Get Service ID.  

Source: https://www.jfrog.com/confluence/display/ACC1X/Access+Tokens


Artifactory REST API authentication types usage

Basic Authentication - this is the least safe method of the three, as it forces the user to keep the credentials, sometimes in clear text format (you should use encrypted passwords to avoid this). The main reason for supporting it is tools which do not support any other authentication means. Since Artifactory supports many different package types and a variety of clients, it has to support some technologies which still use basic authentication.

API Key - API keys offer an improvement over basic authentication as they can be revoked in case they are compromised. However, they do not have an expiry mechanism. Another limitation of API keys is that they are attached to a user, which makes them less attractive for automation. Another limitation is that they are not designed to be shared between multiple instances of Artifactory.

Access Token - Access tokens offer many advantages: they are not bound to a user and can serve CI jobs, for example; they offer time-based access control; and they can be revoked, scoped, and shared between multiple Artifactory instances.

answered Apr 5 '20 at 14:16

Dror Bereznitsky


Source: https://stackoverflow.com/questions/61025399/artifactory-rest-api-authentication-types-usage

