Hi Nick,
Glad it worked. No worries!
Regards.
Pedro Igor
On Thu, Jul 25, 2019 at 9:34 PM Nick Powers <sshscp(a)gmail.com> wrote:
It worked! With that enabled, I was able to retrieve the Google refresh
token using:
GET /auth/realms/{realm}/broker/{provider_alias}/token
Authorization: Bearer {keycloak_access_token}
Thank you sooo much! Now I feel bad for getting pissy, but I had pretty
much given up on Keycloak at that point. Please everyone ignore my
original post. Although it is undocumented it works exactly as Pedro has
described.
Thanks again!
Nick :)
On Thu, Jul 25, 2019 at 3:43 PM Nick Powers <sshscp(a)gmail.com> wrote:
> Thanks for responding Pedro! I will try it with that enabled and see if
> that helps. It does look promising! :) I'll update once I have tested it.
>
> Thanks again! :)
>
> Nick
>
> On Thu, Jul 25, 2019 at 3:30 PM Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Hi Nick,
>>
>> Let's try to revert this. We are always trying to do our best to help
>> people as much as we can.
>>
>> The documentation [1] does not seem to be updated but there is a
>> "Request refresh token" switch in the Google Identity Provider that when
>> enabled makes an offline request (access_type=offline as a query param).
>>
>> Did you try it out? The related issue is
>> https://issues.jboss.org/browse/KEYCLOAK-6614.
>>
>> Please let me know if you have issues using it. Or maybe you are facing
>> some other issue that is blocking you from using this functionality.
>>
>> [1] https://www.keycloak.org/docs/latest/server_admin/index.html#google
>>
>> Regards.
>> Pedro Igor
>>
>> On Thu, Jul 25, 2019 at 3:35 PM Nick Powers <sshscp(a)gmail.com> wrote:
>>
>>> I ran into an issue with Google IDP & Keycloak, where offline access cannot
>>> be requested and therefore refresh tokens cannot be received from Google.
>>>
>>> I then started researching to see if this problem has been previously
>>> identified and resolved. Although I did find many people identifying
>>> the problem who were looking for an answer in both this mailing list and in
>>> the keycloak dev mailing list, there were no solutions in any of those
>>> messages. These questions spanned 4 years, and yet Google IDP remains
>>> broken.
>>>
>>> When the question is posed to the user group the messages are either not
>>> answered at all or don't provide any solutions. In the Keycloak dev
>>> mailing list it is discussed but in general they are dismissed, along the
>>> line of "Why would you need to use offline access?" dismissing it as a
>>> useless feature. This is a difficult answer to swallow if you need to use
>>> Google offline access with Keycloak. Especially when all it would take is
>>> to add "access_type=offline" to the Google auth URL. To be absolutely clear
>>> the devs could easily fix this, they just don't want to.
>>>
>>> So, if you have found this message, now or in the future, hoping to find a
>>> way to obtain refresh tokens from Google using Keycloak all I can do is try
>>> and spare you any more time wasted on this pursuit. Keycloak does NOT
>>> support offline access for Google IDP and therefore you cannot receive refresh
>>> tokens from Google with Keycloak, and chances are that it will NEVER
>>> support it.
>>>
>>> I wish I was wrong but it doesn't appear that way.
>>>
>>> Good Luck!
>>>
>>> Nick
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>