I'm not convinced about this approach for two reasons: firstly, it's not very
user-friendly, and secondly, it's not correct to request an offline token
unless you really need one.
Google doesn't use refresh tokens for regular sessions, but rather gives you
a fairly long-expiration token. As it's lacking the refresh token, it means
you need to refresh the token with a redirect. This can be done with a
hidden iframe. So the correct approach here is to have the app refresh the
token by re-auth to KC with a redirect (which can be in a hidden iframe).
This will do it in a proper way without using offline tokens.
On Tue, 12 Mar 2019 at 14:32, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi,
I already saw some request(s) in the past with regards to the
GoogleIdentityProvider not providing the same level of fine-grained
configuration as the OIDC identity provider. I think that generally it
will be nice to remove this limitation(s) and hence allow some custom
configurations to be done on the GoogleIdentityProvider as well.
So IMO the best would be the option (b) - just add the option to support
forwarded parameters. This will probably allow best flexibility and
hopefully the usability will be also fine.
Marek
On 12/03/2019 11:19, Francesco Degrassi wrote:
> Hello,
> we're testing Keycloak with Google as a social identity provider and using
> the token exchange functionality to get access to the IDP access token.
> I noticed that Google requires the access_type parameter to be set to
> "offline" in the call to the authorization endpoint to release a refresh
> token, but there is no easy way to do this in Keycloak; configuring a
> generic OIDC identity provider allows me to configure access_type as a
> forwarded parameter, but no such option exists using GoogleIdentityProvider.
>
> I have a patch that (a) modifies GoogleIdentityProviderConfig and overrides
> getForwardedParameters() to add "access_type" to the returned values.
>
> Other options I considered include (b) changing the UI to allow to
> configure the forwarded parameters for GoogleIdentityProvider (since it
> extends OidcIdentityProvider) or (c) add a boolean configuration option to
> GoogleIdentityProviderConfig to allow/disallow forwarding the parameter or
> (d) add a boolean configuration option to GoogleIdentityProviderConfig to
> set "access_type" to "offline" if checked.
>
> Which would be the preferred route? Would a pull request be accepted?
> Cheers.
>
> *Francesco Degrassi*
> Tech Lead
> +39 329 4128 422
> *OptionFactory <http://www.optionfactory.net/>*
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
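To make the options discussed in the thread concrete, here is an added model (not Keycloak's code, and not the patch Francesco describes) of how a broker copies an allowlisted set of client-supplied query parameters such as access_type into the upstream authorization request, alongside a fixed option (d)-style flag. `IdpConfig`, `build_upstream_auth_url` and `query_of` are hypothetical names; the only real value is Google's public authorization endpoint, which the code never contacts.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

# Google's public authorization endpoint; the example only builds URLs and never calls it.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Parameters the broker sets itself; a client-supplied copy must never override them.
BROKER_OWNED = {"client_id", "redirect_uri", "response_type", "scope", "state", "nonce"}


@dataclass(frozen=True)
class IdpConfig:  # hypothetical stand-in for GoogleIdentityProviderConfig
    client_id: str
    redirect_uri: str
    scope: str = "openid email profile"
    forwarded_parameters: frozenset = frozenset()  # options (a)/(b)/(c): allowlist
    request_offline_access: bool = False           # option (d): broker adds access_type


def build_upstream_auth_url(cfg: IdpConfig, incoming: dict, state: str) -> str:
    """Build the redirect to Google from the parameters the client sent to the broker."""
    params = {
        "client_id": cfg.client_id,
        "redirect_uri": cfg.redirect_uri,
        "response_type": "code",
        "scope": cfg.scope,
        "state": state,
    }
    # Copy through only allowlisted, non-broker-owned names; everything else is dropped.
    for name in sorted(cfg.forwarded_parameters - BROKER_OWNED):
        if name in incoming:
            params[name] = incoming[name]
    if cfg.request_offline_access:
        params["access_type"] = "offline"
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def query_of(url: str) -> dict:
    """Flatten the query string of a built URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Constructed sample: the client asked for offline access and also sent its own
    # redirect_uri, which the broker must ignore even if an admin allowlisted the name.
    incoming = {"access_type": "offline", "redirect_uri": "https://other.example/cb"}
    plain = IdpConfig("cid", "https://kc.example/broker/google/endpoint")
    fwd = IdpConfig("cid", "https://kc.example/broker/google/endpoint",
                    forwarded_parameters=frozenset({"access_type", "redirect_uri"}))
    print(query_of(build_upstream_auth_url(plain, incoming, "s1")).get("access_type"))  # None
    print(query_of(build_upstream_auth_url(fwd, incoming, "s1"))["access_type"])  # offline
```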