When performing an internal to external token exchange, if the requested
IDP access token is expired, Keycloak performs a token refresh using the
originally obtained access token.
After the operation is complete, the original token response is discarded
and the new one is saved; unless the new one includes a refresh token, the
refresh token is then lost and subsequent token exchanges requiring an IDP
token refresh will fail.
This happens regularly with Google as an IDP, since the token refresh
response does not include a refresh token, which is only provided in the
original authorization code exchange.
I have a patch to OidcIdentityProvider which ensures that the original
refresh token is saved if a new one has not been provided during the token
refresh operation. Should I proceed and provide a PR?
Cheers.
Francesco Degrassi
Tech Lead
+39 329 4128 422
OptionFactory <http://www.optionfactory.net/>
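The failure mode described in the message, as an added illustration that is not part of the original post and not Keycloak's `OidcIdentityProvider` code: a stored token response is refreshed once the access token expires, and the two storage strategies (discard the old response wholesale, or carry the original `refresh_token` forward when the refresh response omits one, as RFC 6749 section 6 permits) are compared on a constructed Google-style IDP that only returns a refresh token on the initial code exchange, and on a constructed IDP that rotates refresh tokens. All names, responses and the `FakeIdp` stand-in are constructed for this example.

```python
"""Refresh-token loss on IDP token refresh: naive replacement vs. merge.
Hypothetical illustration; not Keycloak code."""
import json
import time

# Constructed token responses, shaped like RFC 6749 token endpoint replies.
ORIGINAL_RESPONSE = json.dumps({
    "access_token": "at-1", "token_type": "Bearer", "expires_in": 3600,
    "refresh_token": "rt-1", "scope": "openid email",
})
# Google-style refresh reply: a new access token but no refresh_token.
GOOGLE_STYLE_REFRESH = json.dumps({
    "access_token": "at-2", "token_type": "Bearer", "expires_in": 3600,
})
# IDP that rotates refresh tokens: a new refresh_token arrives with each refresh.
ROTATING_REFRESH = json.dumps({
    "access_token": "at-3", "token_type": "Bearer", "expires_in": 3600,
    "refresh_token": "rt-2",
})


def parse_token_response(raw, now=None):
    """Parse a token endpoint reply and record an absolute expiry time."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError("token response lacks access_token")
    now = time.time() if now is None else now
    data["expires_at"] = now + int(data.get("expires_in", 0))
    return data


def is_expired(stored, now=None, skew=30):
    """Treat the access token as expired slightly early to absorb clock skew."""
    now = time.time() if now is None else now
    return now + skew >= stored["expires_at"]


def naive_replace(stored, refreshed):
    """Behaviour described in the post: the old response is discarded wholesale."""
    return refreshed


def merge_refresh(stored, refreshed):
    """Keep the original refresh_token unless the IDP issued a new one."""
    merged = dict(refreshed)
    if "refresh_token" not in merged and "refresh_token" in stored:
        merged["refresh_token"] = stored["refresh_token"]
    return merged


class FakeIdp:
    """Constructed stand-in for the IDP token endpoint's refresh grant."""

    def __init__(self, refresh_response):
        self.refresh_response = refresh_response
        self.calls = 0

    def refresh(self, refresh_token, now):
        self.calls += 1
        if not refresh_token:
            # A real IDP rejects a refresh grant with no refresh_token.
            raise PermissionError("invalid_grant: missing refresh_token")
        return parse_token_response(self.refresh_response, now)


def exchange(stored, idp, strategy, now):
    """Serve the stored IDP token, refreshing it first if it has expired.
    Returns (response handed out, response to store)."""
    if not is_expired(stored, now):
        return stored, stored
    refreshed = idp.refresh(stored.get("refresh_token"), now)
    return refreshed, strategy(stored, refreshed)


def simulate(strategy, refresh_response):
    """Two back-to-back exchanges, each after the access token has expired.
    Returns the refresh_token left in storage after each step, or the error."""
    t0 = 1_000_000
    stored = parse_token_response(ORIGINAL_RESPONSE, t0)
    idp = FakeIdp(refresh_response)
    results = []
    for step in (1, 2):
        now = t0 + step * 4000  # beyond expires_in on every step
        try:
            _, stored = exchange(stored, idp, strategy, now)
            results.append(stored.get("refresh_token"))
        except PermissionError as err:
            results.append(str(err))
    return results


if __name__ == "__main__":
    print("naive, Google-style:", simulate(naive_replace, GOOGLE_STYLE_REFRESH))
    print("merge, Google-style:", simulate(merge_refresh, GOOGLE_STYLE_REFRESH))
    print("merge, rotating:    ", simulate(merge_refresh, ROTATING_REFRESH))
```

With the naive strategy the second exchange against the Google-style IDP fails, because the first refresh overwrote the stored response with one that carries no `refresh_token`; the merge strategy keeps `rt-1` and the second refresh succeeds, while an IDP that rotates refresh tokens still has its new `rt-2` adopted, so carrying the old token forward only applies when nothing newer was issued.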