[keycloak-dev] Google ID Broken & Devs do not care

Nick Powers sshscp at gmail.com
Thu Jul 25 14:07:50 EDT 2019


I have wasted so much time deploying Keycloak to only learn in the end that
it doesn't support Google offline access and thus cannot retrieve Google
refresh tokens.  I am not alone; there are many messages in both the
Keycloak user and dev mailing lists discussing the lack of offline access
for Google IDP on Keycloak.

When this comes up in the user mailing list the messages are generally not
responded to.  Which makes sense since there is not a working solution to
receive Google refresh tokens using Keycloak's Google IDP solution.  It is
broken and thus the users cannot provide a solution.

When this comes up in this (the dev) mailing list, it is again ignored or
it is debated but ends up with the same sentiment, that offline access /
refresh tokens from Google IDP is not a worthwhile feature.  I found many
messages in the dev mailing list, spanning from 4 years ago to current
identifying this issue and yet it remains unfixed.  All it would take is to
add "access_type=offline" to the Google auth URL and yet still it is
broken, they just don't care enough to do even that simple task.  They
think that it is silly that anyone would need a Google refresh token.

I found the code segment that related to Google offline access in Keycloak
and there was a comment that identified an email address of the person who
wrote that section of code.  It was a Red Hat email, from a regular user on
this mailing list.  I reached out to him and his response was that he had
no time to respond to my query and that Red Hat does not support Keycloak.
Maybe don't put your email into code you don't want to get queries on? So,
if Red Hat is not supporting their own project, in any regard, and the devs
have no intention of fixing this bug the assumption is that Google IDP will
never be fixed.

If you landed on this message, now or in the future, in hopes of finding a
solution to get Google refresh tokens from Keycloak IDP all I can do is try
to save you some time and say that Google IDP on Keycloak is currently
broken in that regard and if the past is any indication the devs have no
intention of fixing the code to allow that access.

If any devs on this list disagree with this message then please let me know
what I have missed and point me in the direction of a solution for this
issue....... I didn't think so.

:(

