Cannot use Identity token as Password using JFrog CLI #1616

Closed
SharonSbo opened this issue Jul 26, 2022 · 5 comments
Labels
bug Something isn't working

Comments

@SharonSbo

While trying to use an identity token as the password (i.e. username + identity token) in the jf CLI, the response is 401.
The same command works fine when using an API request.

To Reproduce

  1. Login to Artifactory UI.
  2. Create a new Identity Token through User Profile.
  3. Copy the token and use it in the JFrog CLI configuration under password/API key.
  4. Run the command jf rt ping --server-id <SERVER_NAME>
    The output:
    10:46:10 [🚨Error] Server response: 401 Unauthorized { "errors": [ { "status": 401, "message": "Bad credentials" } ] }

Expected behavior
The identity token will work as a password using the CLI.


Versions

  • JFrog CLI version: tested on 2.21.3
  • Artifactory Version: 7.41.6
@scott-hpe

HPE is impacted by this issue.

@scott-hpe

The same issue happens when using an applied-permissions/groups scoped token but the error is a little different. Below you can see I create a fresh token with a principal name of ci-sqa-team. This is a Transient user in Artifactory with a scoped applied-permissions/groups token.

When trying to configure this as a userid + password in jf cli tool it fails. However this token works fine when used in a basic curl command like curl -u "ci-sqa-team:$token" https://example.jfrog.io/artifactory/generic-local/readme.md

[~] jf rt cl /api/access/api/v1/tokens -XPOST \                                                                                           
        -d "username=ci-sqa-team" \
        -d "scope=applied-permissions/groups:readers,ci-sqa-team" \
        -d "description=CI Token for SQA"

{
  "token_id" : "7d665ae9-4413-4c92-9236-a84b4c917b54",
  "access_token" : "***",
  "expires_in" : 31536000,
  "scope" : "applied-permissions/groups:readers,ci-sqa-team",
  "token_type" : "Bearer"
}

[~] jf rt cl /api/access/api/v1/tokens/7d665ae9-4413-4c92-9236-a84b4c917b54                                                               
{
  "token_id" : "7d665ae9-4413-4c92-9236-a84b4c917b54",
  "subject" : "jfac@***/users/ci-sqa-team",
  "expiry" : 1690414855,
  "issued_at" : 1658878855,
  "issuer" : "jfac@***",
  "description" : "CI Token for SQA",
  "refreshable" : false
}

[~] jf c add example                                                                                                                         
JFrog platform URL [https://exampe.jfrog.io/]: 
JFrog access token (Leave blank for username and password/API key): 
JFrog username: ci-sqa-team
JFrog password or API key: 
Is the Artifactory reverse proxy configured to accept a client certificate? (y/n) [n]? 
19:42:27 [Error] The following error was received while trying to encrypt your password: Artifactory response: 404 Not Found
{
  "errors": [
    {
      "status": 404,
      "message": "The user: 'token:ci-sqa-team' not found"
    }
  ]
} 

@pem-imre

pem-imre commented Aug 2, 2022

This issue seems to affect the npm integration commands.

With jf v2.22.0 I get this output:

$ jf rt npmi
13:56:50 [🟠Warn] You are using a deprecated syntax of the command.
        The new command syntax is quite similar to the syntax used by the native npm client.
        All you need to do is to add 'jf' as a prefix to the command.
        For example:
        $ jf npm install ...
        The --build-name and --build-number options are still supported.
13:56:50 [🔵Info] Running npm install.
13:57:00 [🚨Error] received invalid access-token

@yahavi
Member

yahavi commented Aug 17, 2022

@SharonSbo @scott-hpe @pem-imre
Thanks for reporting this issue!
We are currently working on supporting identity tokens as passwords.

Workaround
Add --enc-password=false & --basic-auth-only flags to the jf c add or jf c edit commands:

jf c add <server-id> --enc-password=false --basic-auth-only

jf c edit <server-id> --enc-password=false --basic-auth-only

Root causes

  1. After jf c add we send a GET request to /api/security/encryptedPassword. This request doesn't work with identity tokens. However, this REST API encrypts only raw text passwords and it is not needed for such tokens. Therefore it is safe to add the --enc-password=false flag as a workaround.
  2. For improved security, the JFrog CLI uses an automatic token refresh mechanism. AFAIK, creating a regular access token with an identity token is not supported. Therefore we suggest using the --basic-auth-only flag as a workaround.

We will keep you posted once a long-term solution is implemented.
We'll also appreciate any feedback about the workaround.

@yahavi
Member

yahavi commented Aug 21, 2022

@SharonSbo @scott-hpe @pem-imre
This issue should be fixed in JFrog Artifactory 7.42.0 on SaaS.
If you're using on-prem, the fix will be included in 7.43.0 which will be released soon.
We'd appreciate your feedback on that.
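
Added example (not from the thread or the JFrog project): a shell helper that applies the workaround flags from the maintainer's comment only while the server is older than the fix versions named above (7.42.0 on SaaS, 7.43.0 on-prem), so the default password encryption and token refresh come back after an upgrade. The function names and the `JF_IDENTITY_TOKEN` variable are hypothetical; it assumes three-part version strings and uses the JFrog CLI options `--url`, `--user`, `--password-stdin` and `--interactive`, which do not appear in the thread.

```shell
#!/usr/bin/env bash
# Added example. Fix versions are the ones quoted in this thread;
# function names and JF_IDENTITY_TOKEN are hypothetical.

# version_lt A B: succeeds when three-part version A is older than B.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
         sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# workaround_flags VERSION saas|onprem
# Prints the workaround flags, or nothing once the server carries the fix.
workaround_flags() {
  local fixed
  case "$2" in
    saas)   fixed="7.42.0" ;;
    onprem) fixed="7.43.0" ;;
    *) echo "deployment must be 'saas' or 'onprem'" >&2; return 2 ;;
  esac
  if version_lt "$1" "$fixed"; then
    echo "--enc-password=false --basic-auth-only"
  fi
}

# configure_server SERVER_ID URL USER VERSION saas|onprem
# Sends the identity token on stdin so it stays out of the process list
# and shell history.
configure_server() {
  local flags
  flags="$(workaround_flags "$4" "$5")" || return
  if [ -z "${JF_IDENTITY_TOKEN:-}" ]; then
    echo "JF_IDENTITY_TOKEN is not set" >&2
    return 1
  fi
  # $flags is left unquoted on purpose: it expands to zero or two options.
  printf '%s' "$JF_IDENTITY_TOKEN" |
    jf c add "$1" --url="$2" --user="$3" --password-stdin \
      --interactive=false $flags
}

# Usage (values from the reports above):
#   JF_IDENTITY_TOKEN=... configure_server example \
#     https://example.jfrog.io ci-sqa-team 7.41.6 onprem
```

Afterwards, the `jf rt ping --server-id <server-id>` command from the original report confirms that the stored credentials are accepted.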
