Artifactory OAuth Maven 403

Question

TLDR:

Maven with Artifactory's generated settings.xml file consistently produces 403s.

Background:

We are attempting to set up the cloud pro version of Artifactory. Our primary use case is as a maven repository; we are using Google as an OAuth provider. Besides setting up the OAuth, initializing the default maven repos, and setting up a group with deployment permissions, we have made no other changes.

Access via the UI works fine; I am able to upload JARs with no issues. It is only using the Maven CLI with the settings.xml that we encounter these issues.

Details:

• We have a permission targeting all repositories and granting all privileges to the "devs" group; each relevant user is then added to this group.
• Possibly relevant security configuration -- Allow Anonymous Access is unchecked, Hide Existence of Unauthorized Resources is checked, and Password Encryption Policy is Supported.
• For each user, Disable Internal Password is checked and Can Update Profile is checked.

Because it's unclear to me what the encrypted password is in settings.xml given the use of OAuth, one of the routes I have tried is

1. permitting internal passwords in addition
2. regenerating the settings.xml (unlocking with the internal password)
3. using that settings.xml

However, in this case, as with plain OAuth, a simple mvn clean produces: (https://XXXXXX.jfrog.io/XXXXXXX/libs-snapshot): Not authorized , ReasonPhrase: Unauthorized.

How have we misconfigured artifactory?

Answer 1

There is a bug in Artifactory's settings.xml generation when using the "Mirror Any" setting wherein the ids it assigns in the "mirror" section are not associated with any credentials.

The issue is being tracked here, but in the meantime, manually adding credentials in the mirror section (i.e. replacing the <url> section with <url>https://[username]:[apikey]@[url]</url>), or removing the mirror section altogether gets around this issue.