Skip to content

OIDC Authentication regression #1377

Description

@KingBain

Describe the bug

This was mentioned in #901 and #938 and resolved in version frogbot v2.29.1, however I recently upgraded to v3.2.0 and the issue has returned. Confirmed the issue still exists in v3.3.0

Current behavior

When using github oidc based authentication frogbot fails to authenticate.

Frogbot
  /opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-pull-request
  16:30:41 [Info] Frogbot version: 3.3.0
  16:30:41 [Info] Using API endpoint: https://api.github.com/
  Error: 3 [Error] failed to get config profile for url 'https://artifacts-artefacts.devops.cloud-nuage.canada.ca/': "server response: 403 Forbidden"
  Error: The process '/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot' failed with exit code 1

however this worked in previous versions

Frogbot
  /opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-pull-request
  16:42:01 [Info] Frogbot version: 2.35.0
  16:42:02 [Info] Using API endpoint: https://api.github.com/
  16:42:02 [Info] Successfully downloaded frogbot-config.yml file from <KingBain/guest-inviter-service/main>
  16:42:02 [Info] Running Frogbot "scan-pull-request" command
  16:42:04 [Info] Scanning Pull Request #2 (from source branch: <KingBain/guest-inviter-service/renovate/net-dependencies> to target branch: <KingBain/guest-inviter-service/main>)
  16:42:04 [Info] -----------------------------------------------------------
  16:42:04 [Info] Getting resources (git repository: github.com/KingBain/guest-inviter-service.git, project: ssc-fsdh) active watches...
  16:42:04 [Info] Found 1 active watches in the following resources - git repository: github.com/KingBain/guest-inviter-service.git, project: ssc-fsdh
  16:42:06 [Info] Downloading source branch code...
  16:42:06 [Info] guest-inviter-service repository downloaded successfully. Starting with repository extraction...
  16:42:06 [Info] Extracted repository successfully
  16:42:07 [Info] guest-inviter-service repository downloaded successfully. Starting with repository extraction...
  16:42:07 [Info] Extracted repository successfully
  16:42:09 [Warn] Requested technology dotnet but not found any indicators/descriptors in detection.
  16:42:09 [Warn] Requested technology nuget but not found any indicators/descriptors in detection.
  16:42:09 [Info] Generating SBOM...
  16:42:09 [Info] Calculating NuGet dependencies...

Reproduction steps

Working config

---
name: GC SecureArtifacts Scan Pull Request

on:
  pull_request:
    branches:
      - main
    types:
      - opened
      - synchronize
      - reopened

permissions:
  contents: read
  pull-requests: write
  security-events: write
  id-token: write

env:
  JF_URL: https://artifacts-artefacts.devops.cloud-nuage.canada.ca
  JF_PROJECT: ssc-fsdh

jobs:
  scan-pull-request:
    name: Scan Pull Request
    runs-on: ubuntu-latest
    environment: frogbot
    steps:
      - name: Setup JFrog CLI with OIDC
        id: setup-jfrog-cli
        uses: jfrog/setup-jfrog-cli@deda456d982fc5e9a7a020b63eb0d2968aedd33e # v5.1.0
        env:
          JFROG_CLI_AVOID_NEW_VERSION_WARNING: "true"
        with:
          oidc-provider-name: github-oidc
          version: 2.91.0

      - name: Verify JFrog authentication
        shell: bash
        env:
          JF_ACCESS_TOKEN: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}
        run: |
          set -euo pipefail

          echo "Checking JFrog CLI authentication..."
          jf rt ping

      - name: Run Frogbot
        uses: jfrog/frogbot@v2.35.0
        env:
          JF_ACCESS_TOKEN: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}
          JF_USER: ${{ steps.setup-jfrog-cli.outputs.oidc-user }}

          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          JF_GIT_PROVIDER: github
          JF_GIT_API_ENDPOINT: https://api.github.com
          JF_GIT_OWNER: ${{ github.repository_owner }}
          JF_GIT_REPO: ${{ github.event.repository.name }}
          JF_GIT_BASE_BRANCH: main
          JF_INSTALL_DEPS_CMD: "dotnet restore guest-inviter-service.sln"

Notworking config

---
name: GC SecureArtifacts Scan Pull Request

on:
  pull_request:
    branches:
      - main
    types:
      - opened
      - synchronize
      - reopened

permissions:
  contents: read
  pull-requests: write
  security-events: write
  id-token: write

env:
  JF_URL: https://artifacts-artefacts.devops.cloud-nuage.canada.ca
  JF_PROJECT: ssc-fsdh

jobs:
  scan-pull-request:
    name: Scan Pull Request
    runs-on: ubuntu-latest
    environment: frogbot
    steps:
      - name: Setup JFrog CLI with OIDC
        id: setup-jfrog-cli
        uses: jfrog/setup-jfrog-cli@deda456d982fc5e9a7a020b63eb0d2968aedd33e # v5.1.0
        env:
          JFROG_CLI_AVOID_NEW_VERSION_WARNING: "true"
        with:
          oidc-provider-name: github-oidc
          version: 2.91.0

      - name: Verify JFrog authentication
        shell: bash
        env:
          JF_ACCESS_TOKEN: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}
        run: |
          set -euo pipefail

          echo "Checking JFrog CLI authentication..."
          jf rt ping

      - name: Run Frogbot
        uses: jfrog/frogbot@v3.2.1
        env:
          JF_ACCESS_TOKEN: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}
          JF_USER: ${{ steps.setup-jfrog-cli.outputs.oidc-user }}

          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          JF_GIT_PROVIDER: github
          JF_GIT_API_ENDPOINT: https://api.github.com
          JF_GIT_OWNER: ${{ github.repository_owner }}
          JF_GIT_REPO: ${{ github.event.repository.name }}
          JF_GIT_BASE_BRANCH: main
          JF_INSTALL_DEPS_CMD: "dotnet restore guest-inviter-service.sln"

Expected behavior

I expected frogbot to authenticate and scan the PR

JFrog Frogbot version

Multiple

Package manager info

nuget

Git provider

GitHub

JFrog Frogbot configuration yaml file

.frogbot/frogbot-config.yml

  • params:
    git:
    repoName: guest-inviter-service
    branches:
    - main
    aggregateFixes: true
    branchNameTemplate: "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}"
    commitMessageTemplate: "fix(deps): upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
    pullRequestTitleTemplate: "[Frogbot] Fix vulnerable dependency: ${IMPACTED_PACKAGE}"

    scan:
    includeAllVulnerabilities: false
    failOnSecurityIssues: true
    fixableOnly: false
    minSeverity: High

    projects:
      - workingDirs:
          - "."
        installCommand: "dotnet restore guest-inviter-service.sln"
    

Operating system type and version

github runner

JFrog Xray version

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions