From version 4.2, Artifactory is integrated with OAuth, allowing you to delegate authentication requests to external providers and let users log in to Artifactory using their accounts with those providers.
Currently, the provider types supported are Google, OpenID Connect, GitHub Enterprise, and Cloud Foundry UAA. You may define as many providers of each type as you need.
When OAuth is enabled in Artifactory, users may choose to sign in through any of the supported OAuth providers. To log in through a provider, simply click on the provider's button in the login screen.
You will be redirected to the login screen of the corresponding provider.
If you are already logged in to any of that provider's applications, you will not need to log in again, but you may have to authorize Artifactory to access your account information, depending on the provider type.
To access OAuth integration settings, in the Admin module, select Security | OAuth SSO.
If checked, authentication with an OAuth provider is enabled and Artifactory will display all OAuth providers configured. If not checked, authentication is by Artifactory user/password.
Auto Create Artifactory Users
If checked, Artifactory will create an Artifactory user account for any new user logging in to Artifactory for the first time.
Specifies the provider through which different clients (such as NPM, for example) should authenticate their login to gain access to Artifactory.
Currently, only a GitHub Enterprise OAuth provider may be defined as the Default Provider.
If you already have an internal account in Artifactory (not one from an external realm such as LDAP, SAML...), you need to bind your Artifactory account to the corresponding OAuth provider account before you can log in using any of your OAuth provider accounts.
To bind your account, go to your Profile page and enter your Artifactory password to unlock it.
Under OAuth User Binding, select Click to bind next to the OAuth provider you wish to bind to.
Creating OAuth Provider Accounts
To use OAuth authentication, you need to set up an account with each OAuth provider you wish to use. This gives you the various parameters (such as Provider ID and Secret) you will need to set up OAuth integration in Artifactory.
GitHub OAuth Setup
Caution: Access to GitHub.com Accounts
Any GitHub.com account that has access to the Artifactory URL will be allowed to log in, including accounts that are outside your GitHub.com organization scope. This does not apply to GitHub Enterprise.
To set up your OAuth account on GitHub, execute the following steps:
Create a new project. For example, "Artifactory OAuth".
Once the project is created, in the left navigation bar, select APIs & auth | Credentials.
Select the OAuth consent screen tab and configure the consent screen end users will see when logging in with the Google credentials.
Back in the Credentials tab, click Add Credential and select OAuth 2.0 client ID.
Under Create client ID, select Web application.
Enter a Name and set the Authorized redirect URIs:
For Artifactory on-prem: https://<server_host>/artifactory/api/oauth2/loginResponse
For Artifactory SaaS: https://<server_name>.jfrog.io/<server_name>/api/oauth2/loginResponse
Click Create to generate your Client ID and Client Secret. Make a note of these; you will need them to configure OAuth authentication through Google on Artifactory.
Cloud Foundry UAA Setup
OAuth authentication with Cloud Foundry UAA is supported from Artifactory version 4.2.1.
To set up your OAuth authentication with Cloud Foundry UAA, fill in the fields as needed.
Using Secure OAuth
To use secure OAuth with a valid certificate from a CA trusted by Java, all you need to do is use a secure OAuth URL in your settings.
While OAuth provides access to the Artifactory UI, OAuth users can also generate an API key that can be used instead of a password for basic authentication or in a dedicated REST API header. This is very useful when working with different clients (e.g. docker, npm, maven) or when using the Artifactory REST API.
To allow OAuth users access to an API key, make sure that the "Auto Create Artifactory Users" and "Allow Created Users Access To Profile Page" check boxes are checked. This means that OAuth users are also saved in the Artifactory database and can access their profile page in order to generate, retrieve and revoke their API key.
Using OAuth on High Availability Setup
The OAuth protocol requires the client to give permission to a specific application. Artifactory will redirect the user to the configured application URL, and once permission is granted the user will be navigated back.
The limitation of this process in a High Availability setup is that the user must return to the same node; otherwise the authentication process will fail. To achieve this, the sticky session configuration should include the /artifactory/api/oauth2/ path.
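One way to apply this sticky-session requirement in an nginx reverse proxy placed in front of the HA nodes, as an added example that is not part of the original documentation. The node hostnames, port 8081, public hostname and certificate paths are assumptions to replace with your own values.

```nginx
# Added example. All hostnames, ports and file paths below are placeholders.

# Pool used only for the OAuth endpoints: ip_hash pins a client address
# to one node, so the provider callback lands on the node that started the login.
upstream artifactory_oauth {
    ip_hash;
    server art-node1.example.internal:8081;
    server art-node2.example.internal:8081;
}

# Pool for all other traffic: default round-robin balancing.
upstream artifactory {
    server art-node1.example.internal:8081;
    server art-node2.example.internal:8081;
}

server {
    listen 443 ssl;
    server_name artifactory.example.com;

    ssl_certificate     /etc/nginx/ssl/artifactory.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/artifactory.example.com.key;

    # Everything under /artifactory/api/oauth2/ (including the
    # loginResponse redirect URI registered with the provider) is sticky.
    location /artifactory/api/oauth2/ {
        proxy_pass http://artifactory_oauth;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }

    # Remaining Artifactory requests are balanced across nodes.
    location /artifactory/ {
        proxy_pass http://artifactory;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Because ip_hash keys on the client address, a user whose source IP changes between starting the login and returning from the provider can still land on a different node and fail authentication. If that is common in your network, use cookie-based stickiness on the same path instead.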