It worked! With that enabled, I was able to retrieve the Google refresh
token using:

    GET /auth/realms/{realm}/broker/{provider_alias}/token
    Authorization: Bearer {keycloak_access_token}

Thank you sooo much! Now I feel bad for getting pissy, but I had pretty
much given up on Keycloak at that point. Please everyone ignore my
original post. Although it is undocumented it works exactly as Pedro has
described.
Thanks again!
Nick :)
On Thu, Jul 25, 2019 at 3:43 PM Nick Powers <sshscp(a)gmail.com> wrote:
Thanks for responding Pedro! I will try it with that enabled and see if
that helps. It does look promising! :) I'll update once I have tested it.
Thanks again! :)
Nick
On Thu, Jul 25, 2019 at 3:30 PM Pedro Igor Silva <psilva(a)redhat.com> wrote:
> Hi Nick,
>
> Let's try to revert this. We are always trying to do our best to help
> people as much as we can.
>
> The documentation [1] does not seem to be updated but there is a "Request
> refresh token" switch in the Google Identity Provider that when enabled
> makes an offline request (access_type=offline as a query param).
>
> Did you try it out? The related issue is
> https://issues.jboss.org/browse/KEYCLOAK-6614.
>
> Please, let me know if you have issues using it. Or maybe you are facing
> some other issue that is blocking you from using this functionality.
>
> [1] https://www.keycloak.org/docs/latest/server_admin/index.html#google
>
> Regards.
> Pedro Igor
>
> On Thu, Jul 25, 2019 at 3:35 PM Nick Powers <sshscp(a)gmail.com> wrote:
>
>> I ran into an issue with Google IDP & Keycloak, where offline access
>> cannot be requested and therefore refresh tokens cannot be received
>> from Google.
>>
>> I then started researching to see if this problem has been previously
>> identified and resolved. Although I did find many people identifying
>> the problem who were looking for an answer in both this mailing list and
>> in the Keycloak dev mailing list, there were no solutions in any of those
>> messages. These questions spanned 4 years, and yet Google IDP remains
>> broken.
>>
>> When the question is posed to the user group the messages are either not
>> answered at all or don't provide any solutions. In the Keycloak dev
>> mailing list it is discussed but in general they are dismissed, along the
>> lines of "Why would you need to use offline access?" dismissing it as a
>> useless feature. This is a difficult answer to swallow if you need to
>> use Google offline access with Keycloak. Especially when all it would
>> take is to add "access_type=offline" to the Google auth URL. To be
>> absolutely clear, the devs could easily fix this, they just don't want to.
>>
>> So, if you have found this message, now or in the future, hoping to find
>> a way to obtain refresh tokens from Google using Keycloak all I can do is
>> try and spare you any more time wasted on this pursuit. Keycloak does NOT
>> support offline access for Google IDP and therefore you cannot receive
>> refresh tokens from Google with Keycloak, and chances are that it will
>> NEVER support it.
>>
>> I wish I was wrong but it doesn't appear that way.
>>
>> Good Luck!
>>
>> Nick
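
The two checks this thread ends on, as an added example (not code from the
original messages or from Keycloak): confirm that the redirect to Google
carries access_type=offline, then build the broker token request and pull the
refresh token out of the reply. Assumptions: the sample URL and response body
are constructed, and the endpoint is taken to answer with a JSON object that
has a "refresh_token" member.

```python
import json
from urllib.parse import parse_qs, quote, urlsplit
from urllib.request import Request, urlopen

# Constructed sample data (not captured from a real server).
SAMPLE_AUTH_URL = ("https://accounts.google.com/o/oauth2/v2/auth"
                   "?client_id=example&response_type=code&access_type=offline")
SAMPLE_BROKER_BODY = b'{"access_token": "constructed-at", "refresh_token": "constructed-rt"}'


def requests_offline_access(google_auth_url):
    """True if the redirect to Google carries access_type=offline exactly once."""
    query = parse_qs(urlsplit(google_auth_url).query)
    return query.get("access_type") == ["offline"]


def broker_token_request(base_url, realm, provider_alias, keycloak_access_token):
    """Build the GET request quoted in the thread; refuse plain HTTP for a bearer token."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("base_url must use https: the bearer token is sent in a header")
    url = "{}/auth/realms/{}/broker/{}/token".format(
        base_url.rstrip("/"), quote(realm, safe=""), quote(provider_alias, safe=""))
    return Request(url, headers={"Authorization": "Bearer " + keycloak_access_token})


def extract_refresh_token(body):
    """Return the refresh token from the broker response, or None if it is absent.

    Assumption: the endpoint answers with the stored Google token response as a
    JSON object that has a "refresh_token" member.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    token = data.get("refresh_token") if isinstance(data, dict) else None
    return token if isinstance(token, str) and token else None


def fetch_refresh_token(base_url, realm, provider_alias, keycloak_access_token):
    """Call the broker endpoint and return the refresh token (never log the value)."""
    request = broker_token_request(base_url, realm, provider_alias, keycloak_access_token)
    with urlopen(request, timeout=10) as response:
        return extract_refresh_token(response.read())
```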