Viewing the Profile
To display your profile page, click your login name on the top right-hand corner of the screen.
Unlocking Your Profile
- To edit your profile, in the menu above, select Edit Profile.
- To unlock your profile, you will need to enter your current password and click Unlock.
Once unlocked, you can modify all the elements of your user profile.
- Be sure to click Save to save any changes to your profile.
Using external authentication
If you are using an external authentication server (such as OAuth SSO or SAML SSO), you can ask your administrator to give you access to your API key and SSH public key without having to unlock your profile.
Changing Your Personal Settings
Personal settings include your Artifactory API Key, password and email address.
If the Can Update Profile field is enabled, you can update all of your profile details except for the password, since only an administrator can update the password.
Note that there may be cases in which you want to leave this option disabled to prevent users from updating their profile. For example, a departmental user with a single password shared between all department members.
You are not able to change your password if the system is configured to use external authentication such as LDAP. For example, if users from LDAP are not created internally (i.e., under Administration | Security | LDAP | LDAP Settings, the Create Internal Users option is disabled).
Identity Token
The user profile enables users to generate identity tokens. Any user can create a user identity token for themselves via the UI. Identity tokens are scoped tokens, which means that they provide limited and focused permissions, making them more secure and, therefore, preferable to API keys. In addition, when a user is deleted/disabled, their tokens are also revoked. For more information, see Access Tokens.
From Artifactory release 7.38.4, the Identity Token has been shortened to a short string, and also enables you to add an optional description to the token for easier management.
- To generate the token, click Generate an Identity Token.
This opens the Generate an Identity Token window.
- In the Add Description field, you can add an optional description for the new token, which will make it easier for you to identify the token.
- Click Next.
You will now see the new reference token displayed. Click Copy (or the copy icon next to the token) to copy the token.
- Click Close to close the window.
The new token you generated appears with the description in the list of identity tokens.
Revoking the Identity Token
Currently identity tokens can only be revoked through the Revoke Token API.
Changing Your Email and Password
Once your profile is unlocked, Artifactory displays your password in an encrypted format that can be used whenever you need to provide your password in an environment that is not secure. For example, when making REST API calls over HTTP.
The encrypted password is initially masked, but you may click the View icon to view the encrypted password in clear-text. You may also click the Copy icon to copy the encrypted password to the clipboard.
To change your Artifactory password, enter your new password and verify it.
You can also modify your email address.
For more information about using secured passwords with your profile, please refer to Centrally Secure Passwords.
Password Reminder
If you forget your password, on the Artifactory Login dialog, select Forgot Password, and enter your username in the following dialog that is displayed.
When you click Submit, the system will send a message to the email address configured for your user account, with a link you can click on to reset your password.
SSH Key
Artifactory supports authentication via SSH for the Git LFS client and the JFrog CLI.
To be authenticated via SSH, you need to enter your SSH public key in the SSH Public Key (RSA) field.
Binding OAuth Accounts
Artifactory is integrated with OAuth allowing you to log in through your account with one of the configured OAuth providers. To do so, you need to bind your OAuth account to your Artifactory user by clicking Click to bind next to the corresponding OAuth provider. For more details, please refer to OAuth SSO Integration.
API Key
Artifactory allows authentication for REST API calls using your API key as an alternative to your username and password in two ways: either by using the X-JFrog-Art-API header with which you can specify an API key, or through basic authentication using your username and API key (instead of your password). For more details, refer to the Artifactory REST API.
To use your API key for authentication, it must be generated using Artifactory 4.4.3 or later. If generated prior to 4.4.3, you must regenerate your API key and use the new key as a password for basic authentication.
JFrog API Key Deprecation Process
With the release of Artifactory 7.47.10, JFrog introduced a new method that supports Platform administrators with the deprecation process of the API Key feature. With this new process, admins can identify Platform users who still use API Keys for their authentication, thus helping to migrate those users to alternative means of authentication. JFrog is officially beginning the countdown to fully discontinuing its support for this feature. While you can continue to use it in the meantime, at the end of Q3 2023, the API Key will reach its end-of-life.
Why is JFrog Deprecating API Keys?
JFrog introduced API Keys way back with JFrog Artifactory 4.4.3, providing users with a practical solution to easily create a secret, which could then be used to authenticate with JFrog Artifactory over REST or through clients (such as the JFrog CLI and various package manager clients).
Although they’re easy to create and use, API Keys have some characteristics that make them less secure:
- API Keys are retrievable – the keys are saved in the database and can be retrieved via REST API or the UI.
- API Keys don’t have lifecycle management features – since API Keys are not created with an expiry date, and, by default, never expire, the user or Artifactory admin must manually revoke them. A single user can have a single active API Key at any moment – which means a single key needs to be shared with multiple clients. If it is revoked, it is revoked for all clients.
- API Keys are not manageable – administrators cannot monitor or manage a user’s API Keys.
As a result, JFrog decided to begin the process of deprecating the API Keys.
Deprecation Process
As announced in the Artifactory 7.38 release notes, the API Key will be deprecated in the following stages for Self-hosted customers (Cloud customers will receive additional instructions):
- Artifactory version 7.47.10 includes the option to log users' authentication methods. This will allow administrators to view and warn users using API Keys regarding the upcoming deprecation. See next section for details.
- In a future version (scheduled for end of Q3, 2023), the option to block the usage/creation of API Keys will be enabled by default, with the option for admins to change it back to enable API Keys.
- In a later 2023 version, API Keys will be deprecated altogether and the option to use them will no longer be available.
API Key User Collection
Artifactory version 7.47.10 includes the ability to collect information regarding how your users are logging in to the system (using REST API). Using this function, you can detect and notify all users/clients who are using an API Key authentication method that they need to change their authentication method.
The collection feature of the authentication method is enabled by default.
API Key User Collection for Cloud Customers
JFrog is creating a solution for our Cloud customers that will help you with the process of determining which of your users are accessing the system with an API Key (as part of the API Key usage deprecation). This solution will be shared with you via Release Notes, so you will not need to contact your account manager or Support for additional assistance.
Enabling User Collection for Self-hosted Customers
The following command finds the logins that used the API Key authentication method in var/log/artifactory-access.log:
bash-4.4$ cat var/log/artifactory-access.log | grep "\\[ACCEPTED LOGIN\\].*\\[apiKey\\]$"
For example:
2022-11-03T10:26:00.944Z [64f8d13a96f81f10] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [apiKey]
2022-11-03T10:26:15.252Z [7beab97bfa421337] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [token]
Obtaining the Realm and Authentication Attempts
In cases where simply the username and authentication method is not enough information (for example, if you are trying to track where the API Key is being used), do the following:
- Go to the file var/etc/artifactory/logback.xml and add the following to it:
<logger name="org.artifactory.security" level="debug" additivity="false">
    <appender-ref ref="FILE"/>
</logger>
- Then, search var/log/artifactory-service.log for "Trying to authenticate user:". For example: 'Trying to authenticate user: 'user1' via ldap.'
Collecting the Data
To collect the data:
- JFrog recommends allowing the system to "run" with the logs enabled for some time (recommended is 3 months).
- Run a grep command on the logs you collected (or parse them with your tools) to get all the usernames who used API Keys in the last 3 months. For example:
bash-4.4$ cat var/log/artifactory-access.log | grep "\\[ACCEPTED LOGIN\\].*\\[apiKey\\]$"
2022-11-08T13:43:33.208Z [1c8a8e6db8a35b8e] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [apiKey]
2022-11-08T13:43:52.290Z [2d1cefa1c521a36 ] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [apiKey]
- Notify the users detected by the log that they need to change their application keys to Access Tokens or to another authentication method.
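The grep above returns one line per login; to build the notification list it helps to collapse those lines to one row per user and source address. The following script is an added example, not part of the JFrog documentation. It assumes the access-log layout of the sample lines on this page, and the ci-build user and 10.0.0.5 address in its sample input are constructed.

```bash
# Added example: summarise API Key logins per user and source address.
# Assumes the access-log layout of the sample lines shown on this page.

# Constructed sample input: the first two lines repeat the page's sample
# output; the "ci-build" user and 10.0.0.5 address are made up for the demo.
sample_access_log() {
    cat <<'EOF'
2022-11-08T13:43:33.208Z [1c8a8e6db8a35b8e] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [apiKey]
2022-11-08T13:43:52.290Z [2d1cefa1c521a36 ] [ACCEPTED LOGIN] for client : admin / 172.17.0.1. [apiKey]
2022-11-08T13:44:10.101Z [aaaaaaaaaaaaaaaa] [ACCEPTED LOGIN] for client : ci-build / 10.0.0.5. [apiKey]
2022-11-08T13:45:00.000Z [bbbbbbbbbbbbbbbb] [ACCEPTED LOGIN] for client : ci-build / 10.0.0.5. [token]
EOF
}

# Usage: apikey_login_summary [LOGFILE...]   (reads stdin when no file is given)
# Prints tab-separated: username, source address, logins, first seen, last seen
apikey_login_summary() {
    awk '
        /\[ACCEPTED LOGIN\].*\[apiKey\][ \t]*$/ {
            # Count fields from the end of the line: the bracketed ID near
            # the start may contain a space, which shifts front-based fields.
            user = $(NF - 3)
            addr = $(NF - 1)
            sub(/\.$/, "", addr)      # drop the "." that follows the address
            key = user "\t" addr
            count[key]++
            ts = $1 ""                # force string comparison of timestamps
            if (!(key in first) || ts < first[key]) first[key] = ts
            if (!(key in last)  || ts > last[key])  last[key]  = ts
        }
        END {
            for (key in count)
                printf "%s\t%d\t%s\t%s\n", key, count[key], first[key], last[key]
        }
    ' "$@" | sort
}

# Demo on the constructed sample; against a real instance, pass the log files,
# e.g. apikey_login_summary var/log/artifactory-access.log
sample_access_log | apikey_login_summary
```

The last-seen column shows which users are still actively authenticating with an API Key, and the source address helps locate the client or build agent that holds the key.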
Working with API Keys (Until Deprecated)
Artifactory allows authentication for REST API calls using your API key as an alternative to your username and password in two ways: either by using the X-JFrog-Art-API header with which you can specify an API key, or through basic authentication using your username and API key (instead of your password). For more details, refer to the Artifactory REST API.
Artifactory version
To use your API key for authentication, it must be generated using Artifactory 4.4.3 or later. If generated prior to 4.4.3, you must regenerate your API key and use the new key as a password for basic authentication.
Creating an API Key
To create an API Key, once you have unlocked your profile, click the Generate button next to the API Key field.
Revoking or Regenerating an API Key
- Once an API Key is created, it is displayed, masked, in the corresponding field. Click the View icon to see the API Key in clear-text, or the Copy icon to copy the API Key to the clipboard.
- To revoke the current API Key, click Revoke API Key. Note that any REST API calls using the current API key for authentication will no longer be valid.
- You may revoke the current API Key and create a new one in a single action by clicking Regenerate. Any REST API calls using the current API key for authentication will no longer be valid, until you replace the API Key with the new one you just generated.
REST API
The following REST API endpoints are available with regard to API Keys; note that from Artifactory release 7.49.3, these APIs are being deprecated and replaced by the new SECURITY APIs.
Endpoint | Description |
---|---|
Create API Key | Create an API key for the current user. |
Get API Key | Get the current user's own API key. |
Revoke API Key | Revokes the current user's API key. |
Revoke User API Key | Revokes the API key of another user (requires Admin privileges). |
Revoke All API Keys | Revokes all API keys currently defined in the system (requires Admin privileges). |