JFrog CLI Issue with OIDC Token Expiry #220
Labels
bug
Something isn't working
Comments
|
Thanks for raising this! This behavior is actually by design rather than a bug. OIDC tokens are intended to be short-lived for security reasons, and at the moment, we don't support automatic token refresh in this context. We recommend configuring the token with a validity period that's appropriate for the duration of your CI run. Once the run completes, the token will be revoked automatically. Let us know if that works for your use case or if you have any further questions. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Describe the bug
When using an OIDC token configured to expire after 1 minute in a GitHub action to download Maven jars and build a Docker image, the download fails with a 401 error ("Token failed verification expired"). The token expires before the process completes, causing an incomplete download.
Current behavior
The token expires in 1 minute, and JFrog CLI does not automatically refresh it, leading to a 401 error and incomplete downloads. Refer GitHub Action job# https://github.com/krishnamanchikalapudi/spring-petclinic/actions/runs/11005259480/job/30557614565
Reproduction steps
Observe Issue:
The token expires before the process completes, resulting in a 401 error (Token failed verification: expired) and incomplete artifact download.
Expected behavior
The JFrog CLI should refresh the token upon expiration to ensure that the download completes without requiring a long-duration token.
Setup JFrog CLI version
jfrog/setup-jfrog-cli@v4
JFrog CLI version
2.67.0
Workflow operating system type and version
ubuntu:latest
JFrog Artifactory version (if relevant)
No response
JFrog Xray version (if relevant)
No response
The text was updated successfully, but these errors were encountered: